multiple infections waledac.c waledac.j fitmu.b securitytool


  • This topic is locked
2 replies to this topic

#1 Dave_J

Dave_J

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 06 August 2010 - 08:45 PM

New tech "friendly guy" in the office opened multiple zip viruses on his second day of work.
Forefront cleaned it, and I used Microsoft DaRT for the Standalone System Sweeper. It seemed all clean, but I don't know; I'd rather not risk it due to security concerns.
GMER cannot access the system file. What do you recommend?

Thanks for your help



DDS (Ver_10-03-17.01) - NTFSX64
Run by Admin_user at 21:16:09.97 on Fri 08/06/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Enterprise 6.1.7600.0.1252.1.1033.18.4087.2817 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\SysWOW64\ZoneLabs\vsmon.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Broadcom\MgmtAgent\BrcmMgmtAgent.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Windows\system32\conhost.exe
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\SysWOW64\NOTEPAD.EXE
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10h_ActiveX.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Admin_user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1ETI7B5W\dds[1].scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files (x86)\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
mRun: [GrooveMonitor] "c:\program files (x86)\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files (x86)\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files (x86)\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ZoneAlarm Client] "c:\program files (x86)\zone labs\zonealarm\zlclient.exe"
StartupFolder: c:\progra~3\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files (x86)\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~2\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~2\office12\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files (x86)\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files (x86)\microsoft office\office12\GrooveShellExtensions.dll
mRun-x64: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun-x64: [Microsoft Forefront Client Security Antimalware Service] "c:\program files\microsoft forefront\client security\client\antimalware\MSASCui.exe" -hide
mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun-x64: [Apoint] c:\program files\delltpad\Apoint.exe
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 59904]
R2 BrcmMgmtAgent;Broadcom Management Agent;c:\program files\broadcom\mgmtagent\BrcmMgmtAgent.exe [2010-2-11 125952]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\microsoft forefront\client security\client\antimalware\MsMpEng.exe [2010-1-19 16368]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\microsoft forefront\client security\client\ssa\FcsSas.exe [2007-4-5 77216]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-8-1 88944]
R3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\drivers\NETw5s64.sys [2009-9-15 6952960]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\drivers\netw5v64.sys [2009-6-10 5434368]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 27136]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-8-1 1255736]

=============== Created Last 30 ================

2010-08-07 00:57:27 58368 ----a-w- c:\windows\syswow64\vsregexp.dll
2010-08-07 00:57:07 374664 ----a-w- c:\windows\system32\drivers\netio.sys
2010-08-07 00:57:07 1898376 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-07 00:56:47 103936 ----a-w- c:\windows\syswow64\zlcommdb.dll
2010-08-07 00:56:46 69120 ----a-w- c:\windows\syswow64\zlcomm.dll
2010-08-07 00:56:43 43008 ----a-w- c:\windows\syswow64\vswmi.dll
2010-08-07 00:56:42 302592 ----a-w- c:\windows\syswow64\vspubapi.dll
2010-08-07 00:56:42 1238528 ----a-w- c:\windows\syswow64\zpeng25.dll
2010-08-07 00:56:42 110080 ----a-w- c:\windows\syswow64\vsxml.dll
2010-08-07 00:56:42 108032 ----a-w- c:\windows\syswow64\vsmonapi.dll
2010-08-07 00:56:42 0 d-----w- c:\windows\syswow64\ZoneLabs
2010-08-07 00:56:41 458840 ----a-w- c:\windows\system32\drivers\~GLH0023.TMP
2010-08-07 00:56:41 420800 ----a-w- c:\windows\system32\drivers\vsconfig.xml
2010-08-07 00:56:41 112128 ----a-w- c:\windows\syswow64\vsdata.dll
2010-08-07 00:56:34 458840 ------w- c:\windows\system32\drivers\vsdatant.sys
2010-08-07 00:56:33 0 d-----w- c:\program files (x86)\Zone Labs
2010-08-07 00:55:34 0 d-----w- c:\programdata\CheckPoint
2010-08-07 00:55:33 0 d-----w- c:\windows\Internet Logs
2010-08-07 00:55:32 713728 ----a-w- c:\windows\syswow64\vsutil.dll
2010-08-07 00:55:32 228864 ----a-w- c:\windows\syswow64\vsinit.dll
2010-08-07 00:14:41 0 d-----w- c:\program files (x86)\CCleaner
2010-08-06 23:59:49 0 d-----w- c:\program files (x86)\Trend Micro
2010-08-06 23:41:57 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-06 23:41:57 0 d-----w- c:\program files (x86)\Spybot - Search & Destroy
2010-08-06 23:19:38 65536 --sha-w- c:\users\admin_user\NTUSER.DAT{edc6f809-a1b0-11df-bd28-0025648104cb}.TM.blf
2010-08-06 23:19:38 524288 --sha-w- c:\users\admin_user\NTUSER.DAT{edc6f809-a1b0-11df-bd28-0025648104cb}.TMContainer00000000000000000002.regtrans-ms
2010-08-06 23:19:38 524288 --sha-w- c:\users\admin_user\NTUSER.DAT{edc6f809-a1b0-11df-bd28-0025648104cb}.TMContainer00000000000000000001.regtrans-ms
2010-08-06 01:05:53 0 d-----w- c:\windows\Standalone System Sweeper
2010-08-03 16:13:27 0 d-----w- c:\programdata\Adobe
2010-08-03 16:12:16 0 d-----w- c:\programdata\NOS
2010-08-03 13:05:55 12867584 ----a-w- c:\windows\syswow64\shell32.dll
2010-08-02 12:03:33 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LHidFilt_01005.Wdf
2010-08-02 12:03:27 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2010-08-02 11:07:55 0 d-----w- c:\programdata\salesforce.com
2010-08-02 11:02:56 0 d-----w- c:\program files (x86)\salesforce.com
2010-08-01 21:18:35 0 d-----w- c:\program files (x86)\Microsoft Office Outlook Connector
2010-08-01 21:17:57 0 d-----w- c:\program files (x86)\Microsoft
2010-08-01 21:17:40 0 d-----w- c:\program files (x86)\Windows Live SkyDrive
2010-08-01 21:06:55 0 d-----w- c:\program files (x86)\common files\Windows Live
2010-08-01 20:38:03 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_Apfiltr_01005.Wdf
2010-08-01 20:37:59 0 d-----w- c:\program files\DellTPad
2010-08-01 20:37:49 98816 ----a-w- c:\windows\system32\Vxdif.dll
2010-08-01 20:37:49 253488 ----a-w- c:\windows\system32\drivers\Apfiltr.sys
2010-08-01 20:06:21 72192 ----a-w- c:\windows\system32\KemXML.dll
2010-08-01 20:06:21 228864 ----a-w- c:\windows\system32\kemutb.dll
2010-08-01 20:06:21 218112 ----a-w- c:\windows\system32\KemUtil.dll
2010-08-01 20:06:21 152064 ----a-w- c:\windows\system32\KemWnd.dll
2010-08-01 20:06:09 0 d-----w- c:\programdata\Logitech
2010-08-01 20:06:07 0 d-----w- c:\program files\Logitech
2010-08-01 20:06:06 0 d-----w- c:\program files\common files\Logitech
2010-08-01 20:05:49 0 d-----w- c:\programdata\LogiShrd
2010-08-01 14:34:07 0 d-----w- c:\program files (x86)\Microsoft Forefront
2010-08-01 07:22:29 0 d-----w- c:\windows\Panther
2010-08-01 05:48:35 0 d-----w- c:\windows\PCHEALTH
2010-08-01 05:47:09 0 d-----w- c:\program files\Microsoft Office
2010-08-01 05:47:04 0 d-----w- c:\program files (x86)\Microsoft Visual Studio 8
2010-08-01 05:46:21 0 d-----w- c:\programdata\Microsoft Help
2010-08-01 05:23:28 88944 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2010-08-01 05:23:18 0 d-----w- c:\program files\Microsoft Forefront
2010-08-01 05:19:10 0 d-----w- c:\programdata\NVIDIA
2010-08-01 05:17:25 0 d-----w- c:\programdata\NVIDIA Corporation
2010-08-01 05:17:24 0 d-----w- c:\program files\NVIDIA Corporation
2010-08-01 05:15:26 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2010-08-01 04:46:31 0 d-----w- c:\windows\syswow64\Macromed
2010-08-01 04:43:30 0 d-----w- c:\program files\IDT
2010-08-01 04:42:56 13312 ----a-w- c:\windows\system32\baspun.exe
2010-08-01 04:42:47 0 d-----w- c:\program files\Broadcom
2010-08-01 04:42:20 0 d-----w- c:\windows\Dell
2010-08-01 04:41:40 121344 ----a-w- c:\windows\system32\basp.dll
2010-08-01 04:41:40 120320 ----a-w- c:\windows\system32\basp.dll.bak
2010-08-01 04:41:19 131072 ----a-w- c:\windows\syswow64\DellSPMsg.dll
2010-08-01 04:40:07 0 d-----w- c:\program files\common files\Intel
2010-08-01 04:40:06 0 d-----w- c:\programdata\Intel
2010-08-01 04:40:06 0 d-----w- c:\program files\Intel
2010-08-01 04:40:06 0 d-----w- c:\program files (x86)\Cisco
2010-08-01 04:30:58 0 d-----w- c:\program files (x86)\SystemRequirementsLab
2010-08-01 04:28:58 0 ----a-w- c:\windows\invcol.tmp
2010-08-01 04:28:33 0 d-----w- c:\programdata\Dell
2010-08-01 04:28:03 0 d-----w- c:\program files (x86)\Dell
2010-08-01 04:27:28 0 d-----w- C:\Dell
2010-08-01 04:15:35 311808 ----a-w- c:\windows\system32\msv1_0.dll
2010-08-01 04:15:35 257024 ----a-w- c:\windows\syswow64\msv1_0.dll
2010-08-01 04:11:34 0 d-----w- c:\windows\syswow64\Wat
2010-08-01 04:11:34 0 d-----w- c:\windows\system32\Wat
2010-08-01 04:06:26 0 d-sh--w- c:\windows\Installer
2010-08-01 04:05:24 14336 ----a-w- c:\windows\system32\drivers\sffp_sd.sys
2010-08-01 04:05:24 109056 ----a-w- c:\windows\system32\drivers\sdbus.sys
2010-08-01 04:04:28 99176 ----a-w- c:\windows\syswow64\PresentationHostProxy.dll
2010-08-01 04:04:28 49472 ----a-w- c:\windows\syswow64\netfxperf.dll
2010-08-01 04:04:28 48960 ----a-w- c:\windows\system32\netfxperf.dll
2010-08-01 04:04:28 444752 ----a-w- c:\windows\system32\mscoree.dll
2010-08-01 04:04:28 320352 ----a-w- c:\windows\system32\PresentationHost.exe
2010-08-01 04:04:28 297808 ----a-w- c:\windows\syswow64\mscoree.dll
2010-08-01 04:04:28 295264 ----a-w- c:\windows\syswow64\PresentationHost.exe
2010-08-01 04:04:28 1942856 ----a-w- c:\windows\system32\dfshim.dll
2010-08-01 04:04:28 1130824 ----a-w- c:\windows\syswow64\dfshim.dll
2010-08-01 04:04:28 109912 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-08-01 03:53:16 270208 ------w- c:\windows\system32\MpSigStub.exe
2010-08-01 03:53:01 96768 ----a-w- c:\windows\syswow64\sspicli.dll
2010-08-01 03:53:01 22016 ----a-w- c:\windows\syswow64\secur32.dll
2010-08-01 03:53:01 153160 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-08-01 03:53:01 1446912 ----a-w- c:\windows\system32\lsasrv.dll
2010-08-01 03:53:00 976896 ----a-w- c:\windows\system32\inetcomm.dll
2010-08-01 03:53:00 740864 ----a-w- c:\windows\syswow64\inetcomm.dll
2010-08-01 03:51:59 70656 ----a-w- c:\windows\syswow64\fontsub.dll
2010-08-01 03:51:59 46080 ----a-w- c:\windows\system32\atmlib.dll
2010-08-01 03:51:59 366080 ----a-w- c:\windows\system32\atmfd.dll
2010-08-01 03:51:59 34304 ----a-w- c:\windows\syswow64\atmlib.dll
2010-08-01 03:51:59 293888 ----a-w- c:\windows\syswow64\atmfd.dll
2010-08-01 03:51:59 100864 ----a-w- c:\windows\system32\fontsub.dll
2010-08-01 03:51:10 3122176 ----a-w- c:\windows\system32\win32k.sys
2010-08-01 03:50:53 464896 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-01 03:50:53 162304 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-01 03:31:52 220672 ----a-w- c:\windows\system32\wintrust.dll
2010-08-01 03:31:52 172032 ----a-w- c:\windows\syswow64\wintrust.dll
2010-08-01 03:31:51 139264 ----a-w- c:\windows\system32\cabview.dll
2010-08-01 03:31:51 132608 ----a-w- c:\windows\syswow64\cabview.dll
2010-08-01 03:30:01 0 d-sh--w- C:\Recovery
2010-07-09 20:17:18 61032 ----a-w- c:\windows\system32\nvshext.dll
2010-07-09 20:17:18 282728 ----a-w- c:\windows\system32\nvhotkey.dll
2010-07-09 20:17:18 1882216 ----a-w- c:\windows\system32\nvsvcr.dll
2010-07-09 20:17:18 159336 ----a-w- c:\windows\system32\nvvsvc.exe
2010-07-09 20:17:18 1585256 ----a-w- c:\windows\system32\nvsvc64.dll
2010-07-09 20:17:18 15314024 ----a-w- c:\windows\system32\nvcpl.dll
2010-07-09 20:17:18 116328 ----a-w- c:\windows\system32\nvmctray.dll

==================== Find3M ====================

2010-06-15 22:17:10 68568 ----a-w- c:\windows\syswow64\TH_BugslayerUtil.dll
2010-05-21 05:52:30 1192960 ----a-w- c:\windows\system32\wininet.dll
2010-05-21 05:18:06 977920 ----a-w- c:\windows\syswow64\wininet.dll
2010-05-21 05:14:50 48128 ----a-w- c:\windows\syswow64\jsproxy.dll
2010-05-19 19:48:12 144384 ----a-w- c:\windows\system32\cdd.dll
2010-05-09 09:46:00 961024 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:45:57 552960 ----a-w- c:\windows\system32\msdri.dll
2010-05-09 09:14:55 641536 ----a-w- c:\windows\syswow64\CPFilters.dll
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24 174 --sha-w- c:\program files\desktop.ini
2009-07-14 04:54:24 174 --sha-w- c:\program files (x86)\desktop.ini
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:39:53 398848 --sha-w- c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:17:15.99 ===============

Merged topics then posts. ~ OB


Edited by Orange Blossom, 06 August 2010 - 09:36 PM.



#2 Dave_J

Dave_J
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 08 August 2010 - 04:14 PM

Oh well, looks like I have to reinstall everything. I am out of time and the machine is needed early in the a.m. [Edited] Thanks for even having the forums here. Of course, you obviously get bajillions of people expecting quick fixes etc. I'm not worried that you couldn't get to me in a day or two. I would have just deleted, but instead I thought you might like to know the outcome, since I have to delete, and would rather nobody waste precious time trying to resolve a no-longer-existing problem. Instead, I shared my experience, in case there are others out there having the same kind of trouble. I have submitted the captured malware to MS in hopes they would add a definition entry to defeat it. I must say that it's crazy we have to battle so much garbage so often, and HUGE credit to those who do this for the experience. Thanks again for having the forums. Keep killing this crapware!
For anyone interested, this was a lot of fun. I located the remaining malware, securitytool (still telling me I needed to buy A/V), in the registry for a user account. The program had created a .exe in the AppData/Local/ folder. ZoneAlarm showed attempts to connect to a foreign server/network regularly, as well as the program attempting to connect to itself through various ports while being blocked by the firewall.

The kicker was when I deleted a related registry key, the app threw a fake BSOD. Having seen that enough times in my past ;) I noticed it was (a really good) fake, and Ctrl/Alt/Del took me to Task Manager and I put the page in the background. I deleted the app from AppData/Local, but there are still attempts to connect to and from the machine being blocked by the firewall. I noticed also that it had installed itself with a spoof of an IE page.

Anyway, too bad nobody [edit] had time. I loathe having to reinstall everything. It's bad enough I have to school the new "Technical Product Sales Support" guy on the beauty of not opening up every random .zip file ending up in the spam folder...


FYI, I am not frustrated. I didn't BUMP or multi-post. Your system did the multi-post for me, and I had to reinstall the entire software package to the machine, so no sense in a bump to get an answer, but rather a share of the resolution. I guess you get a lot of impatient people expecting miracles immediately. Relax, I'm not of that type. But anyway, PEACE. Please keep killing the malware.
===========

Hello

It isn't a matter of interest. It's a matter of volume.

While we understand your frustration at having to wait, please note that Bleeping Computer deals with several hundred requests for assistance such as yours on a daily basis. As a result, our backlog is quite large as are other comparable sites that help others with malware issues. Although our MRT Team members work on hundreds of requests each day, they are all volunteers who work logs when they can and are able to do so. No one is paid by Bleeping Computer for their assistance to our members.

Further, our malware removal staff is comprised of team members with various levels of skill and expertise to deal with thousands of malware variants, some more complex than others. Although we try to take DDS/HJT logs in order (starting with the oldest), it is often the skill level of the particular helper and sometimes the operating system that dictates which logs get selected first. Some infections are more complicated than others and require a higher skill level to remove. Without that skill level, attempted removal could have disastrous results. In other instances, the helper may not be familiar with the operating system that you are using, since they use another. In either case, neither of us wants someone who is not familiar with your issue to assist you and attempt to fix it.

We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the MRT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

Thank you for understanding.

Orange Blossom ~ forum moderator

Edited by Dave_J, 08 August 2010 - 08:34 PM.
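For anyone who lands here with a similar DDS log: the checks a helper runs by eye over the first post's log, and that the poster above ended up doing by hand (a per-user autorun pointing into AppData\Local, an orphaned BHO, a hosts-file override, a stray .TMP next to a driver), can be scripted. The Python below is an added example written for this thread; it is not part of DDS, GMER or anything the poster ran, and the rules are my own heuristics, not a signature set. The sample log embeds lines copied from the log above plus one constructed `uRun: [SecurityTool]` line standing in for the per-user autorun described in the post; its path is a placeholder, not the real file name. A hit means "verify", not "malware": the `dds[1].scr` process it flags is the DDS tool itself running from Temporary Internet Files.

```python
"""DDS-log triage: flag autostart, process and new-file entries worth a second look.

Added example for this thread, not part of DDS or of the poster's procedure.
Rules (all heuristics): orphaned BHOs, Run entries that point into user-writable
directories or are given as a bare file name, an altered Userinit, hosts-file
overrides, processes or new executables under AppData/Temp/ProgramData, and temp
files dropped into the Windows directory.
"""
import re

# Lines copied from the log posted above, plus ONE constructed line
# (uRun: [SecurityTool] ...) standing in for the per-user autorun the poster
# found. The file name in it is a placeholder, not the real malware's name.
SAMPLE_LOG = r"""
============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Users\Admin_user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\1ETI7B5W\dds[1].scr

============== Pseudo HJT Report ===============

mWinlogon: Userinit=userinit.exe
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
mRun: [ZoneAlarm Client] "c:\program files (x86)\zone labs\zonealarm\zlclient.exe"
uRun: [SecurityTool] c:\users\admin_user\appdata\local\example\example.exe
mRun-x64: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start
mRun-x64: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
Hosts: 127.0.0.1 www.spywareinfo.com

=============== Created Last 30 ================

2010-08-07 00:56:41 458840 ----a-w- c:\windows\system32\drivers\~GLH0023.TMP
2010-08-07 00:56:34 458840 ------w- c:\windows\system32\drivers\vsdatant.sys
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
BHO_RE = re.compile(r"^BHO:\s*(.*)$")
RUN_RE = re.compile(r"^[um]Run(?:-x64)?:\s*\[[^\]]*\]\s*(.*)$")
WINLOGON_RE = re.compile(r"^mWinlogon:\s*Userinit=(.*)$", re.I)
HOSTS_RE = re.compile(r"^Hosts:\s*\S+\s+\S+")
PATH_RE = re.compile(r"^[a-z]:\\", re.I)
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+(\S+)\s+(.+)$")

# Directories where legitimate autostarts are rare and dropped malware is common.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".cpl")
GOOD_USERINIT = {"userinit.exe", "c:\\windows\\system32\\userinit.exe"}


def in_user_writable(path):
    return any(d in path.lower() for d in USER_WRITABLE)


def program_path(command):
    """Program a Run value actually starts: the quoted path, the rundll32
    target DLL, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(None, 1)
    if tokens and tokens[0].lower() in ("rundll32.exe", "rundll32") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0].strip().strip('"')
    return tokens[0] if tokens else ""


def triage_dds(text):
    """Return (reason, line) pairs for entries a helper should verify, in log order."""
    findings = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if (m := BHO_RE.match(line)):
            if m.group(1).lower().endswith("no file"):
                findings.append(("orphaned BHO: CLSID registered but DLL missing", line))
        elif (m := RUN_RE.match(line)):
            path = program_path(m.group(1))
            if "\\" not in path:
                findings.append(("autorun by bare file name, resolved via search path", line))
            elif in_user_writable(path):
                findings.append(("autorun from user-writable directory", line))
        elif (m := WINLOGON_RE.match(line)):
            if m.group(1).strip().rstrip(",").lower() not in GOOD_USERINIT:
                findings.append(("Userinit altered (logon hijack)", line))
        elif HOSTS_RE.match(line):
            findings.append(("hosts-file override: confirm it was intentional", line))
        elif section.startswith("running processes") and PATH_RE.match(line):
            if in_user_writable(line):
                findings.append(("process running from user-writable directory", line))
        elif (m := CREATED_RE.match(line)):
            path = m.group(2).lower()
            if path.endswith(EXEC_EXT) and in_user_writable(path):
                findings.append(("new executable in user-writable directory", line))
            elif path.endswith(".tmp") and "\\windows\\" in path:
                findings.append(("temp file dropped in Windows directory", line))
    return findings


if __name__ == "__main__":
    for reason, line in triage_dds(SAMPLE_LOG):
        print(f"{reason:55} {line}")
```

Run it against a saved DDS log with `triage_dds(open("dds.txt").read())`. On the sample it reports six entries: the DDS tool running from Temporary Internet Files (benign, but exactly the location the poster's malware used), the orphaned BHO, the constructed per-user autorun, the Logitech entry started by bare name, the hosts override, and the `~GLH0023.TMP` in the drivers directory, which is the same size as `vsdatant.sys` next to it and is ZoneAlarm installer residue rather than a dropped driver. The point is that the script narrows the log to the lines worth checking; deciding which of them is the "securitytool" still takes a person.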


#3 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:08:51 AM

Posted 14 August 2010 - 08:40 AM

Since this issue appears to be resolved ... this Topic has been closed.

If you're the topic starter and need this topic reopened, please contact me via PM with the address of the thread.

Everyone else please begin a New Topic.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.



