EDIT: I think they're watching me.


This topic is locked.
2 replies to this topic

#1 xomB

  • Members
  • 2 posts

Posted 25 July 2010 - 10:03 PM

Hello Techs.

EDIT: I apologize for initially neglecting to read the posting guidelines. I have edited this post accordingly.

It seems someone is VERY interested in the information on my rig. My problem began approximately one month ago, when I came across some highly sensitive information. There is no doubt in my mind that: 1) the information I have obtained is highly likely to be tracked; 2) federal government techs are among some of the best in the world.

Fortunately, I have a habit of keeping my PC well optimized (erasing junk files, cleaning the registry, startup, services, defragging, etc.). One day, I turned on the machine and noticed an abnormality during startup. It took a repulsively long time to boot, and when it did boot, it struggled to load the AV and anti-MW applications. When I connected an external HD, it produced a strange and unfamiliar sound, that of extreme stress. I can only assume some script had begun to cache its contents. Immediately, I disconnected it and connected it to another computer. No sound.

From that moment on I have been frantically trying to quarantine the computer. I have attempted everything within my knowledge, but they continue to elude me. I began monitoring system activity whenever I connected to the internet, which showed a large spike in outbound information. I tracked the IP addresses to what appears to be a cave, via Google Earth, located near Ottawa (capital of Canada). I tried to manually block the IPs. I scanned with all programs, and of course, came up with nothing. I tried manually checking system files, and succeeded in fixing some, only to discover that I was only scratching the surface. I tried using Autoruns, and edited through the entries, only to later find out that it had been disabled. It seems whatever I do, they're always one step ahead. I'm becoming desperate, hoping to retrace my steps and hopefully find something I may have missed. Any help is greatly appreciated.

I ran both utilities in safe mode. However, some of the boxes in gmer were uncheckable. It did not detect anything. Attached is a screenshot.

________________________________________


DDS (Ver_10-03-17.01) - NTFSX64 MINIMAL
Run by xero at 18:43:57.16 on 25/07/2010
Internet Explorer: 8.0.6001.18928 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.4026.3487 [GMT -7:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\Users\xero\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_ca&c=91&bd=Pavilion&pf=cnnb
mLocal Page = c:\windows\syswow64\blank.htm
uInternet Settings,ProxyServer = http=
mRun: [Malwarebytes' Anti-Malware] "c:\program files (x86)\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: DisableStatusMessages = 1 (0x1)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
LSA: Notification Packages = scecli DPPWDFLT
mRun-x64: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun-x64: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe

================= FIREFOX ===================

FF - ProfilePath - c:\users\xero\appdata\roaming\mozilla\firefox\profiles\wdny6kkc.default\
FF - prefs.js: browser.startup.homepage - google.ca
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~2\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~2\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files (x86)\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files (x86)\opera\program\plugins\np_gp.dll
FF - plugin: c:\windows\syswow64\macromed\flash\NPSWF32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 65536
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.interrupt.parsing - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 0
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore64.exe [2010-6-7 125440]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-4 64000]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2010-3-24 139704]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv64.sys [2010-2-17 14920]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\saskutil64.sys [2010-2-17 12360]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-3-24 163888]
S2 ekrn;ESET Service;c:\program files\eset\eset smart security\x86\ekrn.exe [2010-3-24 810120]
S2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2010-3-24 50600]
S2 MBAMService;MBAMService;c:\program files (x86)\malwarebytes' anti-malware\mbamservice.exe [2010-7-17 302928]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files (x86)\sminst\BLService.exe [2009-2-17 365952]
S2 vfsFPService;Validity Fingerprint Service;c:\windows\system32\vfsFPService.exe [2008-11-18 721712]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 27648]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-9-21 126464]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-25 24664]
S3 NETw3v64;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw3v64.sys [2008-1-20 3154432]
S3 NETw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\NETw5v64.sys [2008-11-17 4751360]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2009-8-21 4924336]
S3 PerfHost;Performance Counter DLL Host;c:\windows\syswow64\perfhost.exe [2008-1-20 19968]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework64\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 1020768]
S3 yukonx64;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk60x64.sys [2006-11-2 273408]
S4 clr_optimization_v2.0.50727_64;Microsoft .NET Framework NGEN v2.0.50727_X64;c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe [2010-5-19 89920]
S4 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-6-15 30520]
S4 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files (x86)\microsoft office\office14\GROOVE.EXE [2009-8-21 30510960]

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*

=============== Created Last 30 ================

2010-07-25 23:29:25 0 d-----w- c:\program files (x86)\NT Registry Optimizer
2010-07-25 13:50:34 0 d-----w- c:\program files (x86)\Soldier of Fortune II - Double Helix
2010-07-25 13:48:45 266293 ----a-w- c:\windows\syswow64\temp.000
2010-07-25 13:48:06 770 ----a-w- c:\windows\Sof2.INI
2010-07-25 12:29:17 0 d-----w- c:\program files (x86)\KMOD! NaW Diag
2010-07-23 19:02:18 0 d-----w- c:\users\xero\Incomplete
2010-07-23 15:55:34 65536 --sha-w- c:\users\xero\ntuser.dat{2dc6f1f4-95d7-11df-ab30-00238bb2c4ce}.TM.blf
2010-07-23 15:55:34 524288 --sha-w- c:\users\xero\ntuser.dat{2dc6f1f4-95d7-11df-ab30-00238bb2c4ce}.TMContainer00000000000000000002.regtrans-ms
2010-07-23 15:55:34 524288 --sha-w- c:\users\xero\ntuser.dat{2dc6f1f4-95d7-11df-ab30-00238bb2c4ce}.TMContainer00000000000000000001.regtrans-ms
2010-07-22 17:08:45 65536 --sha-w- c:\users\xero\ntuser.dat{41a508b3-95b2-11df-b006-00238bb2c4ce}.TM.blf
2010-07-22 17:08:45 524288 --sha-w- c:\users\xero\ntuser.dat{41a508b3-95b2-11df-b006-00238bb2c4ce}.TMContainer00000000000000000002.regtrans-ms
2010-07-22 17:08:45 524288 --sha-w- c:\users\xero\ntuser.dat{41a508b3-95b2-11df-b006-00238bb2c4ce}.TMContainer00000000000000000001.regtrans-ms
2010-07-22 07:24:44 0 d-----w- c:\users\xero\appdata\roaming\BSD
2010-07-22 07:24:26 0 d-----w- c:\programdata\BSD
2010-07-22 07:24:25 0 d-----w- c:\program files (x86)\common files\BSD
2010-07-22 07:24:24 1486848 ----a-w- c:\windows\bsdsetup.dll
2010-07-22 07:24:23 0 d-----w- c:\program files (x86)\Media Widget
2010-07-22 07:22:57 0 d-----w- c:\users\xero\appdata\roaming\GetRightToGo
2010-07-22 06:56:40 0 d-----w- c:\users\xero\appdata\roaming\FrostWire
2010-07-22 06:56:24 0 d-----w- c:\program files (x86)\FrostWire
2010-07-20 23:23:47 0 d-----w- c:\users\xero\MsPoinnts
2010-07-19 04:00:03 0 d-----w- c:\program files (x86)\Infinite Loop
2010-07-19 03:59:54 306688 ----a-w- c:\windows\IsUninst.exe
2010-07-18 02:29:35 43520 ----a-w- c:\windows\syswow64\CmdLineExt03.dll
2010-07-18 02:20:50 0 d-----w- c:\program files (x86)\Rockstar Games
2010-07-17 22:49:45 0 d-----w- c:\program files (x86)\Getting Up - Contents Under Pressure
2010-07-13 01:18:30 0 d-----w- c:\program files (x86)\THQ
2010-07-11 09:59:55 0 d-----w- c:\program files (x86)\VirtualDJ
2010-07-05 02:48:29 0 d-----w- c:\programdata\Apple Computer
2010-07-05 00:09:55 0 d-----w- c:\program files\Synaptics
2010-07-05 00:09:32 396584 ----a-w- c:\windows\system32\SynCOM.dll
2010-07-05 00:09:32 1721576 ----a-w- c:\windows\system32\WdfCoInstaller01009.dll
2010-07-05 00:09:32 147752 ----a-w- c:\windows\system32\SynTPCo4.dll
2010-07-05 00:09:31 214824 ----a-w- c:\windows\system32\SynTPAPI.dll
2010-07-04 23:24:09 0 d-----w- c:\users\xero\appdata\roaming\Synaptics
2010-06-29 19:27:04 0 d-----w- c:\program files (x86)\City Interactive
2010-06-28 06:44:45 0 d-----w- c:\users\xero\appdata\roaming\SUPERAntiSpyware.com
2010-06-28 06:44:45 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-06-28 06:44:40 0 d-----w- c:\programdata\!SASCORE
2010-06-28 06:44:38 0 d-----w- c:\program files\SUPERAntiSpyware

==================== Find3M ====================

2010-07-25 16:40:14 442368 ----a-r- c:\windows\syswow64\vp6vfw.dll
2010-07-25 16:40:14 40960 ----a-w- c:\windows\syswow64\VBAME.DLL
2010-07-25 16:40:12 69632 ----a-w- c:\windows\syswow64\oemdspif.dll
2010-07-25 16:40:08 536576 ----a-w- c:\windows\syswow64\igdumdx32.dll
2010-07-25 16:40:08 3895296 ----a-w- c:\windows\syswow64\ig4icd32.dll
2010-07-25 16:40:08 3411968 ----a-w- c:\windows\syswow64\igdumd32.dll
2010-07-25 16:40:08 2359296 ----a-w- c:\windows\syswow64\ig4dev32.dll
2010-07-25 16:40:08 2256896 ----a-w- c:\windows\syswow64\igd10umd32.dll
2010-07-25 16:40:08 221184 ----a-w- c:\windows\syswow64\igfxdv32.dll
2010-07-25 16:40:04 53248 ----a-w- c:\windows\syswow64\CSVer.dll
2010-07-25 16:40:03 204800 ----a-w- c:\windows\syswow64\CogentBioSDK.dll
2010-07-25 16:39:21 442368 ----a-w- c:\windows\sttray64.exe
2010-07-25 16:34:03 57344 ----a-w- c:\windows\fonts\ARBONNIE.ttf
2010-07-25 13:49:02 684760 ----a-w- c:\windows\system32\perfh00C.dat
2010-07-25 13:49:02 131492 ----a-w- c:\windows\system32\perfc00C.dat
2010-07-17 20:24:25 51200 ----a-w- c:\windows\inf\infpub.dat
2010-07-17 20:24:25 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-07-17 20:24:22 86016 ----a-w- c:\windows\inf\infstor.dat
2010-06-23 18:25:56 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01009.Wdf
2010-06-23 18:25:46 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01009_Coinstaller_Critical.Wdf
2010-06-21 07:19:18 153376 ----a-w- c:\windows\syswow64\javaws.exe
2010-06-21 07:19:18 145184 ----a-w- c:\windows\syswow64\javaw.exe
2010-06-21 07:19:17 145184 ----a-w- c:\windows\syswow64\java.exe
2010-06-21 07:19:16 411368 ----a-w- c:\windows\syswow64\deployJava1.dll
2010-06-15 23:54:06 19256 ----a-w- c:\windows\system32\HPMDPCoInst10.dll
2010-06-15 23:53:58 30008 ----a-w- c:\windows\system32\drivers\hpdskflt.sys
2010-06-15 23:53:52 30520 ----a-w- c:\windows\system32\hpservice.exe
2010-06-15 23:53:48 19256 ----a-w- c:\windows\system32\accelerometerdll.DLL
2010-06-15 23:53:42 41272 ----a-w- c:\windows\system32\drivers\Accelerometer.sys
2010-05-31 23:51:45 506624 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-05-28 05:32:56 320560 ----a-w- c:\windows\system32\drivers\SynTP.sys
2010-05-28 05:29:42 107816 ----a-w- c:\windows\syswow64\SynTPCOM.dll
2010-05-28 05:29:28 210216 ----a-w- c:\windows\syswow64\SynCtrl.dll
2010-05-28 05:29:26 265000 ----a-w- c:\windows\system32\SynCtrl.dll
2010-05-28 05:29:26 173352 ----a-w- c:\windows\syswow64\SynCOM.dll
2010-05-26 17:23:46 48128 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 17:06:41 34304 ----a-w- c:\windows\syswow64\atmlib.dll
2010-05-26 15:10:41 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 14:47:41 289792 ----a-w- c:\windows\syswow64\atmfd.dll
2010-05-19 22:25:11 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-05-19 20:02:45 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-05-06 17:36:38 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 06:56:19 1147904 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 06:51:49 132096 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 06:51:48 77312 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:59:21 916480 ----a-w- c:\windows\syswow64\wininet.dll
2010-05-04 05:59:11 1209344 ----a-w- c:\windows\syswow64\urlmon.dll
2010-05-04 05:58:07 206848 ----a-w- c:\windows\syswow64\occache.dll
2010-05-04 05:56:49 611840 ----a-w- c:\windows\syswow64\mstime.dll
2010-05-04 05:56:28 5950976 ----a-w- c:\windows\syswow64\mshtml.dll
2010-05-04 05:56:25 599040 ----a-w- c:\windows\syswow64\msfeeds.dll
2010-05-04 05:56:25 55296 ----a-w- c:\windows\syswow64\msfeedsbs.dll
2010-05-04 05:55:56 25600 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-05-04 05:55:42 71680 ----a-w- c:\windows\syswow64\iesetup.dll
2010-05-04 05:55:42 1985536 ----a-w- c:\windows\syswow64\iertutil.dll
2010-05-04 05:55:42 164352 ----a-w- c:\windows\syswow64\ieui.dll
2010-05-04 05:55:42 109056 ----a-w- c:\windows\syswow64\iesysprep.dll
2010-05-04 05:55:41 55808 ----a-w- c:\windows\syswow64\iernonce.dll
2010-05-04 05:55:41 184320 ----a-w- c:\windows\syswow64\iepeers.dll
2010-05-04 05:55:41 11076096 ----a-w- c:\windows\syswow64\ieframe.dll
2010-05-04 05:55:37 387584 ----a-w- c:\windows\syswow64\iedkcs32.dll
2010-05-04 05:01:59 162816 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-04 04:31:05 133632 ----a-w- c:\windows\syswow64\ieUnatt.exe
2010-05-04 04:30:58 173056 ----a-w- c:\windows\syswow64\ie4uinit.exe
2010-05-04 04:30:19 13312 ----a-w- c:\windows\syswow64\msfeedssync.exe
2010-05-01 14:39:56 2752000 ----a-w- c:\windows\system32\win32k.sys
2010-04-30 01:00:00 2871 ----a-w- c:\windows\checkip.dat
2009-02-17 09:54:37 37390 ----a-w- c:\windows\inf\perflib\040c\perfd.dat
2009-02-17 09:54:37 37390 ----a-w- c:\windows\inf\perflib\040c\perfc.dat
2009-02-17 09:54:37 340236 ----a-w- c:\windows\inf\perflib\040c\perfi.dat
2009-02-17 09:54:37 340236 ----a-w- c:\windows\inf\perflib\040c\perfh.dat
2008-01-21 03:21:59 174 --sha-w- c:\program files\desktop.ini
2008-01-21 03:21:59 174 --sha-w- c:\program files (x86)\desktop.ini
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 15:14:56 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 15:14:56 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:52:12 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:52:10 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 18:46:52.22 ===============

Attached Files

  • Attached File  gmer.jpg   30.15KB

Edited by xomB, 25 July 2010 - 10:15 PM.
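A small triage script for the DDS log format posted above. This is an added example, not part of the original post and not code from the DDS tool or from BleepingComputer. It parses the `====== Section ======` headers, the u/m prefixes (user and machine hive) and the `name = value (0xN)` policy layout exactly as they appear in the log, and flags the entries a malware responder checks first: `EnableLUA = 0` (UAC disabled, which the log above does show), any LSA notification package beyond the Windows default `scecli` (the log shows `DPPWDFLT`; as far as I know that is the DigitalPersona password filter HP ships with its fingerprint/ProtectTools software on these Pavilions, but a package loaded into lsass is something to verify by its signature, not assume), the `ProxyServer` value (empty here), autostarts launched from user-writable paths, and script-type file associations that point somewhere other than the Windows Script Host. One caveat the log itself records: DDS was run as `NTFSX64 MINIMAL` (Safe Mode), so the process list is the Safe Mode set and ESET's `ekrn.exe` is absent for that reason, not because something killed it. The severity labels, the function names and the sample lines (including one made-up `uRun` entry under a `demo` profile so the user-writable-path rule has something to fire on) are this example's own.

```python
"""Triage the plain-text DDS log format (added example, not DDS's own code)."""
import re
from typing import Dict, List, NamedTuple

# Constructed sample in the shape of the posted log (not the full log). The
# uRun line under a "demo" profile is made up so the user-writable-path rule
# has something to fire on.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://google.ca/
uInternet Settings,ProxyServer = http=
mRun: [Malwarebytes' Anti-Malware] "c:\program files (x86)\malwarebytes' anti-malware\mbamgui.exe" /starttray
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: DisableStatusMessages = 1 (0x1)
LSA: Notification Packages = scecli DPPWDFLT
mRun-x64: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
uRun: [example] c:\users\demo\appdata\roaming\example.exe

============== File Associations ===============

JSEFile=c:\windows\syswow64\WScript.exe "%1" %*
"""

SECTION_RE = re.compile(r"^=+\s*(?P<name>.+?)\s*=+$")
POLICY_RE = re.compile(r"^[um]Policies-\w+: (?P<name>\w+) = (?P<val>\d+)")
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:-x64)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
LSA_RE = re.compile(r"^LSA: Notification Packages = (?P<pkgs>.+)$")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer = (?P<val>.*)$")

# scecli is the only notification package Windows installs by itself; any
# other entry is a password-filter DLL that lsass loads at boot.
DEFAULT_LSA_PACKAGES = {"scecli"}
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\")
SCRIPT_TYPES = {"JSFile", "JSEFile", "VBSFile", "VBEFile", "WSFFile"}


class Finding(NamedTuple):
    severity: str  # "high", "review" or "info" (this example's own labels)
    line: str
    reason: str


def parse_sections(text: str) -> Dict[str, List[str]]:
    """Split a DDS log into {section name: non-blank lines in that section}."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def run_entries(hjt_lines: List[str]) -> List[dict]:
    """Every uRun/mRun/mRun-x64 autostart entry as {hive, name, cmd}."""
    return [m.groupdict() for m in map(RUN_RE.match, hjt_lines) if m]


def triage(text: str) -> List[Finding]:
    """Apply the first-look checks to the HJT and File Associations sections."""
    sections = parse_sections(text)
    findings: List[Finding] = []
    for line in sections.get("Pseudo HJT Report", []):
        if (m := POLICY_RE.match(line)) and m["name"] == "EnableLUA" and m["val"] == "0":
            findings.append(Finding("high", line,
                "UAC is disabled: admin users get no filtered token, so nothing prompts for elevation"))
        elif m := LSA_RE.match(line):
            extra = sorted(set(m["pkgs"].split()) - DEFAULT_LSA_PACKAGES)
            if extra:
                findings.append(Finding("review", line,
                    "non-default LSA notification package(s) loaded into lsass: " + ", ".join(extra)))
        elif m := PROXY_RE.match(line):
            populated = m["val"].strip() not in ("", "http=")
            findings.append(Finding("review" if populated else "info", line,
                "proxy setting present; a populated value would redirect browser traffic"))
        elif (m := RUN_RE.match(line)) and any(p in m["cmd"].lower() for p in USER_WRITABLE):
            findings.append(Finding("review", line, "autostart launched from a user-writable path"))
    for line in sections.get("File Associations", []):
        ext, _, handler = line.partition("=")
        if ext in SCRIPT_TYPES and not re.search(r"\\[wc]script\.exe", handler, re.I):
            findings.append(Finding("review", line, f"{ext} is not handled by the Windows Script Host"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity.upper():6}] {f.reason}\n         {f.line}")
```

Run it as-is to see the four findings from the sample, or replace `SAMPLE_DDS` with the text of a full DDS log. The checks are deliberately narrow: they surface settings that weaken the host or that an attacker would need to change, and leave the judgement (is that LSA package signed by the vendor you expect? does that autostart belong to software you installed?) to the person reading the log.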



#2 m0le

  • Malware Response Team
  • Location:London, UK

Posted 04 August 2010 - 08:17 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 m0le

  • Malware Response Team
  • Location:London, UK

Posted 09 August 2010 - 06:14 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE
