Intermittent Browser Hijack - Possibly Related to TR/Crypt.ZPACK.Gen Trojan



#1 theinsomnianiac

  • Members
  • 2 posts
  • Location:UK

Posted 27 April 2010 - 12:29 PM

Hello,

I have been experiencing an intermittent browser hijack.

It usually happens when I click on a Google search result but sometimes it opens new tabs by itself. The pages it goes to appear random & it happens whether I use Firefox or IE or my portable Firefox so I think it is something on my computer somewhere.

I am not sure if it is related but the day it began Avira Antivir Pro kept reporting finding TR/Crypt.ZPACK.Gen Trojan in the URL:
hxxp://lenina66.com/a.exe - this happened probably every half hour all day long but hasn't happened since.
Needless to say this wasn't a URL I was trying to access - in fact it was happening even when I wasn't using the internet at all.

The exact text of the detection was as follows:

"When accessing data from the URL, "http://lenina66.com/a.exe" a virus or unwanted program 'TR/Crypt.ZPACK.Gen' [trojan] was found.
Action taken: Blocked file"

Anyway, I have run all the usual spyware scans but have found nothing unusual, so I have followed your instructions under "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help" and am now posting my DDS.txt & attaching my Attach.txt & Ark.txt in the hope someone might be able to help me.
Here is my DDS.txt :

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 16:02:35.68 on 27/04/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2047.1485 [GMT 1:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {B02B524A-0C22-45DD-A6D1-70C7010CE58E}

============== Running Processes ===============

C:\WINDOWS.1\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS.1\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS.1\Explorer.EXE
C:\WINDOWS.1\system32\ctfmon.exe
C:\WINDOWS.1\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\A4Tech\Mouse\Amoumain.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS.1\system32\devldr32.exe
C:\Program Files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\Avira\AntiVir Desktop\avmailc.exe
C:\Program Files\Avira\AntiVir Desktop\AVWEBGRD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Software\Security\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
mWinlogon: SfcDisable=-99 (0xffffff9d)
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows.1\system32\ctfmon.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [WheelMouse] c:\program files\a4tech\mouse\Amoumain.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
uPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
dPolicies-explorer: NoSMHelp = 1 (0x1)
dPolicies-explorer: NoSMConfigurePrograms = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~1\office12\ONBttnIE.dll
LSP: c:\program files\avira\antivir desktop\avsda.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows.1\system32\wpdshserviceobj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~1\office12\GRA8E1~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\users\admini~1\applic~1\mozilla\firefox\profiles\siivj0rl.mine\
FF - prefs.js: browser.search.selectedEngine - AskOxford
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np32asw.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\users\administrator\application data\mozilla\firefox\profiles\siivj0rl.mine\extensions\{38ab6a6c-cc4c-4f9e-a3dd-3c5681ef18a1}\plugins\npsoe.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows.1\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-18 11608]
R2 a2free;a-squared Free Service;c:\program files\a-squared free\a2service.exe [2010-4-22 1872320]
R2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\adobe\photoshop elements 7.0\PhotoshopElementsFileAgent.exe [2008-9-16 169312]
R2 AntiVirMailService;Avira AntiVir MailGuard;c:\program files\avira\antivir desktop\avmailc.exe [2010-3-18 337064]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-18 135336]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-18 267432]
R2 AntiVirWebService;Avira AntiVir WebGuard;c:\program files\avira\antivir desktop\avwebgrd.exe [2010-3-18 405672]
R2 avgntflt;avgntflt;c:\windows.1\system32\drivers\avgntflt.sys [2010-2-9 60936]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows.1\system32\drivers\seehcri.sys [2010-4-14 27632]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows.1\system32\drivers\ggflt.sys [2010-4-14 13224]
S3 gggen;Generic USB Flash Driver;c:\windows.1\system32\drivers\gggen.sys [2010-4-13 11648]
S3 uti3otu1;AVZ Kernel Driver;c:\windows.1\system32\drivers\uti3otu1.sys [2010-4-23 7168]

============== File Associations ===============

.txt=NFOPad

=============== Created Last 30 ================

2010-04-24 08:20:01 0 d-----w- c:\users\admini~1\applic~1\LEGO Company
2010-04-23 19:05:55 0 dc----w- C:\ComboFix
2010-04-23 18:20:58 7168 ----a-w- c:\windows.1\system32\drivers\uti3otu1.sys
2010-04-23 16:18:24 10 ----a-w- c:\windows.1\WININIT.INI
2010-04-23 13:13:09 20 ----a-w- c:\users\administrator\defogger_reenable
2010-04-23 03:07:21 0 d-----w- c:\program files\XVI32
2010-04-23 02:25:55 411368 ----a-w- c:\windows.1\system32\deployJava1.dll
2010-04-23 02:17:00 0 d-----w- c:\program files\Windows Installer Clean Up
2010-04-23 02:16:44 0 d-----w- c:\program files\MSECACHE
2010-04-23 00:15:22 5632 --sha-w- c:\windows.1\system32\Thumbs.db
2010-04-22 23:21:02 0 d-----w- c:\program files\Lupas Rename 2000
2010-04-22 22:42:25 0 d-----w- c:\program files\a-squared Free
2010-04-22 22:00:41 20992 --sha-w- c:\users\administrator\Thumbs.db
2010-04-22 21:46:46 0 dc----w- C:\WinDDK
2010-04-22 20:34:56 2266 ----a-w- c:\windows.1\system32\.crusader
2010-04-22 20:14:35 15944 ----a-w- c:\windows.1\system32\drivers\hitmanpro35.sys
2010-04-22 20:14:13 0 d-----w- c:\users\alluse~1.1\applic~1\Hitman Pro
2010-04-22 20:14:12 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-22 19:27:59 0 d-----w- c:\windows.1\system32\LogFiles
2010-04-22 19:27:03 0 d-----w- c:\windows.1\pss
2010-04-22 19:21:09 161296 ----a-w- c:\windows.1\system32\drivers\tmcomm.sys
2010-04-22 19:04:36 0 d-----w- c:\program files\Trend Micro
2010-04-22 13:47:50 0 d-----w- c:\users\admini~1\applic~1\Printer Info Cache
2010-04-22 13:47:38 0 d-----w- c:\program files\common files\HP
2010-04-22 13:47:35 0 d-----w- c:\program files\HP
2010-04-22 12:11:13 0 d-----w- c:\program files\a-squared HiJackFree
2010-04-22 11:49:25 0 d-----w- c:\users\admini~1\applic~1\Malwarebytes
2010-04-22 11:46:38 0 d-----w- c:\users\alluse~1.1\applic~1\Spybot - Search & Destroy
2010-04-22 11:46:38 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-04-22 10:20:32 0 d-----w- c:\program files\Dictionary
2010-04-22 10:18:45 0 d-----w- c:\program files\A4Tech
2010-04-22 07:44:46 0 d-----w- c:\users\admini~1\applic~1\Avira
2010-04-21 21:37:47 12 -c--a-w- C:\acecpl.sav
2010-04-21 21:36:46 20 -c--a-w- C:\first.sav
2010-04-21 21:12:39 0 d-----w- c:\program files\Pixarra
2010-04-21 21:02:53 0 d-----w- c:\program files\Microsoft SQL Server
2010-04-21 20:53:35 0 d-----w- c:\program files\Pencil
2010-04-21 20:38:13 8 --sh--r- c:\users\alluse~1.1\applic~1\A3C13798BC.sys
2010-04-21 20:38:13 3140 --sha-w- c:\users\alluse~1.1\applic~1\KGyGaAvL.sys
2010-04-21 20:20:22 90112 ----a-w- c:\windows.1\unvise32.exe
2010-04-21 20:12:47 0 d-----w- c:\users\admini~1\applic~1\e frontier
2010-04-21 20:06:30 0 d-----w- c:\program files\e frontier
2010-04-21 19:24:30 0 d-----w- c:\users\admini~1\applic~1\Ambient Design
2010-04-21 19:22:55 0 d-----w- c:\program files\Ambient Design
2010-04-21 13:48:15 14336 --sha-w- c:\windows.1\Thumbs.db
2010-04-21 11:32:06 0 d-----w- c:\windows.1\Acecad
2010-04-21 11:26:37 20 ----a-w- c:\windows.1\VIEWER.INI
2010-04-21 11:26:09 0 d-----w- c:\program files\Art Dabbler
2010-04-21 11:25:47 299520 ----a-w- c:\windows.1\uninst.exe
2010-04-20 21:31:43 0 d-----w- c:\program files\Yahoo!
2010-04-20 18:14:02 17664 ----a-w- c:\windows.1\system32\drivers\sermouse.sys
2010-04-20 18:11:13 43264 ----a-w- c:\windows.1\system32\drivers\ser2pl.sys
2010-04-20 16:32:29 0 d-----w- c:\program files\common files\Sony Shared
2010-04-20 16:28:32 0 d-----w- c:\program files\Sony
2010-04-17 09:40:56 0 d-----w- c:\program files\LEGO Company
2010-04-16 10:25:03 101120 ----a-w- c:\windows.1\system32\drivers\bthpan.sys
2010-04-16 10:24:54 59136 ----a-w- c:\windows.1\system32\drivers\rfcomm.sys
2010-04-16 10:24:53 8192 ----a-w- c:\windows.1\system32\wshirda.dll
2010-04-16 10:24:53 17024 ----a-w- c:\windows.1\system32\drivers\BthEnum.sys
2010-04-16 10:24:52 28160 ----a-w- c:\windows.1\system32\irmon.dll
2010-04-16 10:24:52 151552 ----a-w- c:\windows.1\system32\irftp.exe
2010-04-16 10:24:34 18944 ----a-w- c:\windows.1\system32\drivers\BTHUSB.SYS
2010-04-16 09:42:23 0 d-----w- c:\users\alluse~1.1\applic~1\PACE Anti-Piracy
2010-04-16 09:42:23 0 d-----w- c:\program files\common files\PACE Anti-Piracy
2010-04-16 09:38:51 0 d-----w- c:\program files\Unity
2010-04-16 08:57:31 0 d-----w- c:\program files\IZArc2Go
2010-04-15 06:46:59 0 d-----w- c:\program files\MSXML 4.0
2010-04-15 05:31:11 0 d-----w- c:\program files\Unlocker
2010-04-14 09:00:41 0 ---ha-w- c:\windows.1\system32\drivers\Msft_Kernel_ggflt_01007.Wdf
2010-04-14 09:00:40 0 ---ha-w- c:\windows.1\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2010-04-14 09:00:39 0 ---ha-w- c:\windows.1\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2010-04-14 09:00:33 14640 ------w- c:\windows.1\system32\spmsgXP_2k3.dll
2010-04-14 08:57:35 27632 ----a-w- c:\windows.1\system32\drivers\seehcri.sys
2010-04-14 08:57:22 13224 ----a-w- c:\windows.1\system32\drivers\ggflt.sys
2010-04-14 08:57:22 1112288 ----a-w- c:\windows.1\system32\WdfCoInstaller01007.dll
2010-04-14 01:34:32 100488 ----a-r- c:\windows.1\system32\drivers\s125mgmt.sys
2010-04-14 01:34:28 98696 ----a-r- c:\windows.1\system32\drivers\s125obex.sys
2010-04-14 01:34:15 15112 ----a-r- c:\windows.1\system32\drivers\s125mdfl.sys
2010-04-14 01:34:15 12424 ----a-r- c:\windows.1\system32\drivers\s125cmnt.sys
2010-04-14 01:34:15 12424 ----a-r- c:\windows.1\system32\drivers\s125cm.sys
2010-04-14 01:34:15 108680 ----a-r- c:\windows.1\system32\drivers\s125mdm.sys
2010-04-14 01:34:10 83336 ----a-r- c:\windows.1\system32\drivers\s125bus.sys
2010-04-14 01:34:10 12424 ----a-r- c:\windows.1\system32\drivers\s125whnt.sys
2010-04-14 01:34:10 12424 ----a-r- c:\windows.1\system32\drivers\s125wh.sys
2010-04-14 01:32:48 0 d-----w- c:\users\admini~1\applic~1\Teleca
2010-04-13 23:22:42 0 d-----w- c:\program files\common files\Sony Ericsson Shared
2010-04-13 23:22:41 0 d-----w- c:\program files\common files\Teleca Shared
2010-04-13 23:22:12 0 d-----w- c:\windows.1\Downloaded Installations
2010-04-13 23:21:14 0 d-----w- c:\users\alluse~1.1\applic~1\Teleca
2010-04-13 19:37:48 11648 ----a-w- c:\windows.1\system32\drivers\gggen.sys
2010-04-13 19:37:11 0 d-----w- c:\program files\Sony Ericsson
2010-04-13 17:25:09 32128 ----a-w- c:\windows.1\system32\drivers\usbccgp.sys
2010-04-13 16:34:35 25512 ----a-w- c:\windows.1\system32\drivers\ggsemc.sys
2010-04-08 15:35:03 116 ----a-w- c:\windows.1\NeroDigital.ini
2010-04-07 21:15:19 6097 ----a-w- c:\windows.1\system32\drivers\sonyhcb.sys
2010-04-07 21:15:19 53248 ----a-w- c:\windows.1\system32\SONYHCY.DLL
2010-04-07 21:15:19 38739 ----a-w- c:\windows.1\system32\drivers\sonyhcc.sys
2010-04-07 21:15:19 3654 ----a-w- c:\windows.1\system32\drivers\Sonyhcp.dll
2010-04-07 21:15:19 299923 ----a-w- c:\windows.1\system32\drivers\sonyhcs.sys
2010-04-07 21:15:19 102220 ----a-w- c:\windows.1\system32\drivers\sonypvs1.sys
2010-04-07 21:15:19 0 dc----w- C:\Drivers
2010-04-05 16:31:18 141236 ------w- c:\windows.1\UNNeroVision.cfg
2010-04-05 16:31:17 2682880 ------w- c:\windows.1\UNNeroVision.exe
2010-04-05 16:31:17 24064 ------w- c:\windows.1\system32\msxml3a.dll
2010-04-05 16:31:02 38912 ------w- c:\windows.1\system32\picn20.dll
2010-04-05 16:31:02 364544 ------w- c:\windows.1\system32\TwnLib4.dll
2010-04-05 16:28:47 5504 ------w- c:\windows.1\system32\drivers\imagedrv.sys
2010-04-05 16:28:47 125184 ------w- c:\windows.1\system32\drivers\imagesrv.sys
2010-04-05 16:28:29 106496 ------w- c:\windows.1\system32\TwnLib20.dll
2010-04-05 16:28:28 476320 ------w- c:\windows.1\system32\ImagXpr7.dll
2010-04-05 16:28:28 471040 ------w- c:\windows.1\system32\ImagXRA7.dll
2010-04-05 16:28:28 262144 ------w- c:\windows.1\system32\ImagXR7.dll
2010-04-05 16:28:27 1568768 ------w- c:\windows.1\system32\ImagX7.dll
2010-04-05 16:28:27 155648 ----a-w- c:\windows.1\system32\NeroCheck.exe
2010-04-03 20:12:56 0 d-----w- c:\users\alluse~1.1\applic~1\VirginMedia
2010-04-03 20:11:06 2767872 ----a-w- c:\windows.1\system32\Redemption.dll
2010-04-03 20:11:04 0 d-----w- c:\program files\VirginMedia
2010-03-31 10:57:08 0 d-----w- c:\users\administrator\Saved Games
2010-03-31 01:55:32 712 ----a-w- c:\windows.1\fox.lnk
2010-03-29 18:41:53 598 ----a-w- c:\windows.1\siw.lnk
2010-03-29 18:36:57 710 ----a-w- c:\windows.1\skype.lnk
2010-03-29 18:36:57 670 ----a-w- c:\windows.1\xps.lnk
2010-03-29 18:36:57 642 ----a-w- c:\windows.1\tunes.lnk

==================== Find3M ====================

2010-04-25 11:56:48 23040 ----a-w- c:\windows.1\system32\drivers\mouclass.sys
2010-04-22 10:17:44 8704 ----a-w- c:\windows.1\system32\drivers\Amfilter.sys
2010-04-22 10:17:44 36864 ----a-w- c:\windows.1\system32\Amhooker.dll
2010-04-22 10:17:44 14336 ----a-w- c:\windows.1\system32\drivers\Amusbprt.sys
2010-04-22 10:17:44 14336 ----a-w- c:\windows.1\system32\drivers\Amps2prt.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows.1\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows.1\system32\dllcache\vbscript.dll
2010-03-08 09:32:08 9464 ------w- c:\windows.1\system32\drivers\cdralw2k.sys
2010-03-08 09:32:08 9336 ------w- c:\windows.1\system32\drivers\cdr4_xp.sys
2010-03-08 09:32:08 129784 ------w- c:\windows.1\system32\pxafs.dll
2010-03-08 09:32:07 43528 ------w- c:\windows.1\system32\drivers\PxHelp20.sys
2010-03-08 09:32:07 116472 ------w- c:\windows.1\system32\pxcpyi64.exe
2010-03-08 09:32:06 118520 ------w- c:\windows.1\system32\pxinsi64.exe
2010-03-02 14:02:57 87608 ----a-w- c:\users\admini~1\applic~1\inst.exe
2010-03-02 14:02:57 47360 ----a-w- c:\windows.1\system32\drivers\pcouffin.sys
2010-03-02 14:02:57 47360 ----a-w- c:\users\admini~1\applic~1\pcouffin.sys
2010-02-28 21:49:57 1306 ----a-w- c:\program files\UNINST.LOG
2010-02-25 10:54:36 11070976 ----a-w- c:\windows.1\system32\dllcache\ieframe.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows.1\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:25 173056 ----a-w- c:\windows.1\system32\dllcache\ie4uinit.exe
2010-02-17 08:10:28 2189952 ----a-w- c:\windows.1\system32\ntoskrnl.exe
2010-02-17 08:10:28 2189952 ----a-w- c:\windows.1\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:49 2146304 ----a-w- c:\windows.1\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows.1\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2066816 ----a-w- c:\windows.1\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows.1\system32\dllcache\ntkrpamp.exe
2010-02-12 10:03:03 293376 ------w- c:\windows.1\system32\browserchoice.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows.1\system32\6to4svc.dll
2010-02-12 04:33:11 100864 ------w- c:\windows.1\system32\dllcache\6to4svc.dll
2010-02-11 12:02:15 226880 ----a-w- c:\windows.1\system32\dllcache\tcpip6.sys
2010-02-09 21:06:27 21640 ----a-w- c:\windows.1\system32\emptyregdb.dat
2010-02-09 20:49:07 32768 ----a-w- c:\windows.1\~DF86C2.tmp
2010-02-09 20:49:05 32768 ----a-w- c:\windows.1\~DF7BFA.tmp
2010-02-09 20:48:47 65536 ----a-w- c:\windows.1\~DF7729.tmp
2010-02-09 13:34:22 148736 ----a-w- c:\users\alluse~1.1\applic~1\hpe5D.dll
2010-02-02 18:00:00 85504 ----a-w- c:\windows.1\system32\ff_vfw.dll
2001-12-20 15:41:00 53760 ------w- c:\program files\UNINST.EXE
2001-12-20 15:39:24 157184 ------w- c:\program files\UNINST.DLL
1999-07-07 00:00:00 6 --sh--r- c:\windows.1\@@desktop.dat

============= FINISH: 16:04:10.35 ===============

& I have attached my Attach.txt & ark.txt as requested.

Thanks in advance for your time & attention,

Take care,
g.x

Edited by Orange Blossom, 28 April 2010 - 11:35 PM.
Deactivate link. ~ OB
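One way a helper might pre-screen a listing like the DDS output in the post above, as an added example that is not part of this thread and not DDS's own code: it parses the date/size/attributes/path lines of the "Created Last 30" and "Find3M" sections and flags the two things a reviewer usually checks first, executables or drivers sitting in user-writable profile folders, and files carrying hidden+system attributes outside the Windows directory. The sample lines are copied from the log above; the meaning assigned to the attribute letters (d, s, h) and the list of user-writable path fragments are assumptions of the example, and a flag only marks a file to verify by publisher and hash, since legitimate software (copy-protection, printer and phone-suite components) also installs under Application Data.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entries copied from the DDS "Created Last 30" and
# "Find3M" sections of the post, plus one section header to show it is skipped.
SAMPLE_LISTING = r"""
==================== Find3M ====================
2010-04-23 18:20:58 7168 ----a-w- c:\windows.1\system32\drivers\uti3otu1.sys
2010-04-22 20:34:56 2266 ----a-w- c:\windows.1\system32\.crusader
2010-04-22 11:49:25 0 d-----w- c:\users\admini~1\applic~1\Malwarebytes
2010-04-21 20:38:13 8 --sh--r- c:\users\alluse~1.1\applic~1\A3C13798BC.sys
2010-04-21 20:38:13 3140 --sha-w- c:\users\alluse~1.1\applic~1\KGyGaAvL.sys
2010-03-02 14:02:57 87608 ----a-w- c:\users\admini~1\applic~1\inst.exe
2010-03-02 14:02:57 47360 ----a-w- c:\users\admini~1\applic~1\pcouffin.sys
2010-02-17 08:10:28 2189952 ----a-w- c:\windows.1\system32\ntoskrnl.exe
2010-02-09 13:34:22 148736 ----a-w- c:\users\alluse~1.1\applic~1\hpe5D.dll
"""

# One DDS listing line: date, time, size, 8-character attribute string, path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+) ([a-z-]{8}) (.+)$")

# Extensions worth a second look when they appear where users can write.
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")

# Lower-cased path fragments (8.3 short forms included) that mark user-writable
# profile locations on XP. Heuristic list, assumed for this example.
USER_WRITABLE = ("\\users\\", "\\documents and settings\\", "\\applic~1\\",
                 "\\application data\\", "\\local settings\\", "\\temp\\")


@dataclass
class DdsEntry:
    date: str
    time: str
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        # Assumed reading of the DDS flag string: a leading 'd' marks a directory.
        return self.attrs.startswith("d")

    @property
    def hidden_and_system(self) -> bool:
        # Assumed: 's' and 'h' anywhere in the flag string mean system and hidden.
        return "s" in self.attrs and "h" in self.attrs

    @property
    def extension(self) -> str:
        name = self.path.rsplit("\\", 1)[-1]
        return name[name.rfind("."):].lower() if "." in name else ""


@dataclass
class Finding:
    entry: DdsEntry
    reasons: List[str]


def parse_dds_line(line: str) -> Optional[DdsEntry]:
    """Return a DdsEntry for a listing line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, time, size, attrs, path = m.groups()
    return DdsEntry(date, time, int(size), attrs, path)


def in_windows_dir(path: str) -> bool:
    # c:\windows.1\... -> the second path segment starts with 'windows'
    parts = path.lower().split("\\")
    return len(parts) > 1 and parts[1].startswith("windows")


def triage_entry(e: DdsEntry) -> List[str]:
    """Reasons an entry deserves a manual look; an empty list means nothing noted."""
    reasons: List[str] = []
    if e.is_dir:
        return reasons
    low = e.path.lower()
    if e.extension in EXEC_EXT and any(frag in low for frag in USER_WRITABLE):
        reasons.append("executable or driver in a user-writable profile location")
    if e.hidden_and_system and not in_windows_dir(low):
        reasons.append("hidden+system attributes outside the Windows directory")
    return reasons


def triage_listing(text: str) -> List[Finding]:
    """Parse a DDS listing and return only the entries with at least one reason."""
    findings: List[Finding] = []
    for line in text.splitlines():
        entry = parse_dds_line(line)
        if entry is not None:
            reasons = triage_entry(entry)
            if reasons:
                findings.append(Finding(entry, reasons))
    return findings


if __name__ == "__main__":
    for f in triage_listing(SAMPLE_LISTING):
        print(f"{f.entry.date} {f.entry.size:>8} {f.entry.attrs} {f.entry.path}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the sample, it passes over the header, the dot-file and the kernel image in system32 and lists the five profile-folder entries, two of them for both reasons. The point of keeping the rules as separate reasons is that a reviewer can see why a line was raised and weigh it against the installation dates in the same section.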


#2 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 01 May 2010 - 07:25 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there. The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

    Can U Dig It?

  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 06 May 2010 - 08:18 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE