Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

TDL3 Alureon rootkit variant,not detected by TDSSKiller


  • This topic is locked This topic is locked
2 replies to this topic

#1 xor0

xor0

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 27 July 2010 - 07:12 PM

Hitman 3.5 shows a "Possible variant of the TDL3 (alias Alureon) rootkit detected" message but can't remove it.

eSage TDSS remover found a hidden driver but couldn't remove it.

Everything else I tried (including TDSSKiller) couldn't see anything.

It prevents MSE updates and booting into safe mode, as well as all the secondary infections (antimalware, search redirects etc)

Any help much appreciated sad.gif





DDS (Ver_10-03-17.01) - NTFSx86
Run by paul at 16:33:00.35 on Tue 07/27/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1310 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\TeamViewer\Version4\TeamViewer_Service.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\TeamViewer\Version4\TeamViewer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\paul\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://hotmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - No File
TB: {855F3B16-6D32-4FE6-8A56-BBB695989046} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanlu.exe" /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
dRun: [esrensbl] c:\documents and settings\localservice\local settings\application data\tcbxvalpb\qviuiqftssd.exe
dRunOnce: [SWHelper] "c:\windows\system32\macromed\shockwave 10\PostUpdate.exe" 1014020
StartupFolder: c:\docume~1\paul\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: msn.com\adcenter
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\paul\applic~1\mozilla\firefox\profiles\1mn9conl.default\
FF - prefs.js: browser.startup.homepage - hxxp://hotmail.com
FF - plugin: c:\documents and settings\all users\application data\realarcade\npraclient.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\extensions\npmozax@real.com\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npgcplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npraclient.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\opera\program\plugins\np_gp.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: XULRunner: {A5AA4E40-5504-4A80-92F2-4BDA01936BEA} - c:\documents and settings\paul\local settings\application data\{A5AA4E40-5504-4A80-92F2-4BDA01936BEA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCE08D86A-A41A-410A-943C-13BABB7DC474", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9EDC9ED-603A-4F3F-BBEA-59C8853A3236", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID90D10942-D952-4863-9DD6-A2BDBBAD456E", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0ECEE744-7B69-4912-AB91-AE76D61ECB04", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF25635B2-1AB9-47B5-88D1-8877B22C86DE", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID27B7F812-4159-45B9-A389-B7A118A58DE4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF849DF29-393B-4F8B-99D1-117A70D66FC7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBF1E9C3D-637C-4171-BD12-28A7360B879A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDDE1C0601-7947-4D7F-A6E5-E68BF6BA1E37", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EA0DCCE-4D98-4876-9C6A-E5C563D0820A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID446462BA-2AAD-4C88-BC63-5210E2F31465", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0862E368-A40E-4E55-83EB-FBC5571BABA4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDD2A96E3C-FFB3-4D38-9AC3-B127527BEA35", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4B05B39A-9DDC-4650-A7F8-D5B134E5FFE5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC8E2574A-7BCE-4B93-A22E-61831DFD6DB8", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID659796C0-8B5D-48D7-A4EB-7E6874E26274", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID78071AB5-E729-414E-8D02-9C1D034F82E7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDCC3F71E1-17F3-4C5B-997D-44CA56943197", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE67D5C78-B2D4-4BA0-8D69-1C7AF4BB08B5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFC5F3D7A-D321-412C-8A5D-9AD0C8041941", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6EC5CD16-81BC-4515-9EDD-9265C906F56E", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID67CFB2C5-E491-4395-977B-CD45E4124655", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID73600569-52E6-4760-8BAB-B68202937D98", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB02EBD42-6885-401A-9389-E089F7DDC872", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDBAE5CB8C-4075-4743-B2E4-78DA8D8CDC64", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID28B07B04-DA99-4FD3-BF27-4972F2B8142B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D53448F-D12B-4102-8CE2-697DAE8D6643", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE3266A47-A141-47B8-AAA8-5F16FB4F8CCD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB33AB7AF-76D7-4B1C-B709-5D6BF9E7B1C7", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID153B7451-0BB5-4B37-95C0-44D89E2F1F2B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID3BBE8E21-0D3D-4BAA-AC6F-C7BCEF750849", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9B5B4F2D-A7D9-4329-B0FE-92B301A8CAAD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA5C42921-8CD0-4924-97C3-01B5B0610BC6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID06969252-F90F-4CF2-9074-33772EB64859", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFBF37655-1236-4C0D-96C5-F94E1724841B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDC1A3F035-B68F-4B2B-9FD5-E36DAAAF26DD", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID368F3685-543E-4812-9FDE-96E097E453FC", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID43969873-56AA-4113-84CB-4AB2AEB9AA31", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA205DD80-63D4-4E41-B785-26EC3D90B97B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID068D43E7-7551-4A2F-AE96-4A38A9AD1953", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF443E9CB-9EEC-456E-8AE7-F3102D5CD47D", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDE36A7B16-645D-4261-BFF8-3A7E69C5F7A5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID379805E3-E0E2-40DC-B51B-6DC1AE5802AA", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDF6240D69-A06D-44A1-8003-8496CCEF2C53", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID26C3113D-5A71-4F1B-A2CB-BE59E1279DDA", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID92B97F2B-7565-4CE9-9AC7-0598DFD731F8", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID2AA5E7CF-9696-42F0-B76A-8655296EADF2", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0AAACE0B-ACEF-4781-83F4-BFB52EEC995A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID0D56FF58-A39D-4E8C-A40B-2E3711251772", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID946121C2-11F1-49DD-A7E3-CF793DE827A4", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDB853303D-1BAB-43F3-9D7D-101D0DA8E7A5", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID9E578247-FE29-4F8C-8202-A24A5688CF2A", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6D065A8F-FFC0-4A0F-B863-1D724B8C786B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4451D291-6940-42CE-9D3C-CA1D4C96549C", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID064B722D-079D-4EBB-B3CF-9FCBF64FFF5D", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID38F8AB0F-5DFB-43D9-889E-8717CC4AB59B", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID4EC68CD1-0EF1-4CB9-9EF1-3D64AB266149", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID44F96B27-CFAD-41E1-83A1-6B28040C3BDE", "AllAccess");

============= SERVICES / DRIVERS ===============

R0 rk_remover-boot;rk_remover-boot;c:\windows\system32\drivers\rk_remover.sys [2010-7-26 52736]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 151216]
R2 TeamViewer4;TeamViewer 4;c:\program files\teamviewer\version4\TeamViewer_Service.exe [2009-10-7 185640]
S0 kusigah;kusigah; [x]
S2 ccSchedulerSVC;CA Common Scheduler Service;c:\program files\ca\ca internet security suite\ccschedulersvc.exe --> c:\program files\ca\ca internet security suite\ccschedulersvc.exe [?]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2010-7-26 27064]
S3 RTLWUSB;Realtek RTL8187 Wireless 802.11g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187.sys [2006-10-10 176128]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2006-10-24 13532]

=============== Created Last 30 ================

2010-07-27 04:51:14 52736 ----a-w- c:\windows\system32\drivers\rk_remover.sys
2010-07-27 02:21:54 0 d-----w- c:\program files\Microsoft Security Essentials
2010-07-27 02:05:03 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2010-07-27 02:05:01 0 d-----w- c:\program files\VS Revo Group
2010-07-27 02:00:48 0 d-----w- c:\docume~1\alluse~1\applic~1\CA-SupportBridge
2010-07-27 00:34:49 0 d-----w- C:\8e184e99c5078efe49dcd2d10cc9dc
2010-07-26 20:15:20 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-26 20:15:20 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-26 20:05:10 67 ----a-w- c:\windows\wininit.ini
2010-07-22 19:32:25 214 ----a-w- c:\windows\system32\.crusader
2010-07-22 18:56:06 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-07-22 18:55:34 0 d-----w- c:\program files\Hitman Pro 3.5
2010-07-22 18:55:34 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-07-22 18:50:24 0 d-----w- c:\program files\Unlocker
2010-07-22 18:15:31 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-07-22 18:15:31 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-07-22 18:15:31 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-07-22 18:15:31 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-07-22 18:15:30 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-07-22 18:15:30 0 d-----w- c:\program files\Trojan Remover
2010-07-22 18:15:30 0 d-----w- c:\docume~1\paul\applic~1\Simply Super Software
2010-07-22 18:15:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Simply Super Software
2010-07-22 08:29:50 0 d-----w- c:\program files\IObit
2010-07-22 08:29:50 0 d-----w- c:\docume~1\paul\applic~1\IObit
2010-07-22 07:27:07 0 d-----w- c:\program files\CCleaner
2010-07-20 04:02:55 988300 ----a-w- c:\windows\system32\drivers\KmxAgent.asc
2010-07-20 02:40:23 0 d-----w- c:\docume~1\paul\applic~1\Malwarebytes
2010-07-20 02:40:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-20 02:39:58 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-20 02:39:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-20 02:39:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 02:06:46 120 ----a-w- c:\windows\Ygexamo.dat
2010-07-20 02:06:46 0 ----a-w- c:\windows\Mjoda.bin
2010-07-20 02:05:16 150 ----a-w- C:\zrpt.xml
2010-07-20 02:04:47 0 d-----w- c:\docume~1\paul\applic~1\5164C7C72C869D4F087B706C0A24CC44
2010-07-20 00:03:21 45 ----a-w- c:\windows\system32\drivers\kmxzone.u2k7
2010-07-20 00:03:21 45 ----a-w- c:\windows\system32\drivers\kmxzone.u2k6
2010-07-20 00:03:21 45 ----a-w- c:\windows\system32\drivers\kmxzone.u2k5
2010-07-20 00:03:21 45 ----a-w- c:\windows\system32\drivers\kmxzone.u2k4
2010-07-20 00:03:21 45 ----a-w- c:\windows\system32\drivers\kmxzone.u2k3
2010-07-20 00:03:21 45 ----a-w- c:\windows\system32\drivers\kmxzone.u2k1
2010-07-20 00:03:21 345 ----a-w- c:\windows\system32\drivers\kmxzone.u2k2
2010-07-20 00:03:21 345 ----a-w- c:\windows\system32\drivers\kmxzone.u2k0
2010-07-19 23:59:35 81 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k7
2010-07-19 23:59:35 81 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k6
2010-07-19 23:59:35 81 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k5
2010-07-19 23:59:35 81 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k4
2010-07-19 23:59:35 81 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k3
2010-07-19 23:59:35 81 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k1
2010-07-19 23:59:35 289 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k2
2010-07-19 23:59:35 1657551 ----a-w- c:\windows\system32\drivers\kmxcfg.u2k0
2010-07-18 18:00:56 95472 ----a-w- c:\windows\system32\Vetredir.dll
2010-07-18 18:00:56 201968 ----a-w- c:\windows\system32\Isafprod.dll
2010-07-18 18:00:56 128240 ----a-w- c:\windows\system32\Isafeif.dll
2010-07-16 22:43:35 0 d-----w- c:\program files\uTorrent
2010-07-16 22:31:07 0 d-----w- c:\docume~1\paul\applic~1\uTorrent
2010-07-16 17:23:28 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe

==================== Find3M ====================

2010-07-24 05:28:35 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-12 18:05:13 361600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2007-10-21 18:25:40 774144 ----a-w- c:\program files\RngInterstitial.dll
2006-10-07 19:54:40 390023 --sha-r- c:\program files\wunauclt.zip
2006-10-07 19:54:40 390023 --sha-r- c:\program files\wunauclt.tbe
2006-08-27 14:38:28 1015973 --sha-r- c:\program files\serial.zip
2006-08-27 14:38:28 1015973 --sha-r- c:\program files\serial.tde
2006-08-27 14:19:51 56239 ----a-w- c:\program files\svchosts.tbe
2005-09-28 08:56:46 185856 ----a-w- c:\program files\7za.exe
2004-08-04 12:00:00 94784 --sh--w- c:\windows\twain.dll
2008-04-14 00:12:07 50688 --sh--w- c:\windows\twain_32.dll
2008-04-14 00:11:56 1028096 --sha-w- c:\windows\system32\mfc42.dll
2008-04-14 00:12:01 57344 --sh--w- c:\windows\system32\msvcirt.dll
2008-04-14 00:12:01 413696 --sha-w- c:\windows\system32\msvcp60.dll
2008-04-14 00:12:01 343040 --sha-w- c:\windows\system32\msvcrt.dll
2008-04-14 00:12:02 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 00:12:02 84992 --sha-w- c:\windows\system32\olepro32.dll
2008-04-14 00:12:32 11776 --sh--w- c:\windows\system32\regsvr32.exe
2009-01-07 23:50:19 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009010720090108\index.dat

============= FINISH: 16:33:54.57 ===============

Attached Files


Edited by boopme, 27 July 2010 - 07:24 PM.


BC AdBot (Login to Remove)

 


#2 xor0

xor0
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:11:28 AM

Posted 29 July 2010 - 02:16 PM

Sorry can't wait a week for a reply, I posted on another forum.

Please close this thread


#3 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,766 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:08:28 PM

Posted 29 July 2010 - 02:24 PM

Since you have posted a new topic and are being helped here: g2g, I will now close this topic.

If you need this topic re-opened please send me a PM.

Everyone else, please start a new topic.

With Regards,
myrti

Edited by myrti, 29 July 2010 - 02:24 PM.

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users