Looking for evidence of hacker activity


This topic is locked. 7 replies to this topic

#1 Kate R

Kate R

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:24 PM

Posted 21 August 2010 - 08:49 PM

Thanks for your help in advance.

I lost two laptops (one Compaq running Vista Premium and one Toshiba running Windows 7) due to hacker activity. The trojan(?) locked down my files and when I attempted to unlock them on the Compaq, it triggered a trojan (prolly that file called $deleteme$deleteme$deleteme when it hit the recycle bin in which three hidden files were secreted) which activated language files and filled my hard drive in seconds. It had wiped out all my restore points, but there wasn't enough room on the hard drive to restore it anyway. I wiped everything out and restored to factory condition -- this was a Vista laptop, with a recovery partition, and the trojan was in the partition. So, had the same problems again. Got so I couldn't access any of my files.

I bought the install disks and that computer is OK now.

The Toshiba was on warranty and they installed a new hard drive. It worked OK for a while until ZoneAlarm took a dump and I couldn't reinstall it. I put Online Armor on there and my hackers and I played connect/disconnect for a while, until I couldn't connect to the Internet at all -- through an Ethernet cable to my DSL, or by wireless to our modem/router. So I sent the laptop back to Toshiba and they installed a new motherboard, a new keyboard, a new touchpad, etc., etc., but I still couldn't connect to the Internet. Bought an external wireless adapter and it works. However, I cannot install ZoneAlarm. I cleaned up all old traces of ZA, even out of the registry.

I get a common APPCRASH when some tmp file doesn't work. I'm using Kool Firewall right now, but I want two things:

1. A GREAT firewall, and I'm using Windows 7, remember.
2. Reassurance that my laptop is not infected again while it's still under warranty.

Attached are the files you've asked for, and see below for the one file.

Thanks,

Kate R.


DDS (Ver_10-03-17.01) - NTFSx86
Run by My at 21:26:29.86 on Sat 08/21/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.2812.1580 [GMT -4:00]

AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}
SP: Prevx 3.0 *enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D902}

============== Running Processes ===============

C:\windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\system32\atiesrxx.exe
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\atieclxx.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\System32\spoolsv.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\Dwm.exe
C:\windows\system32\taskhost.exe
C:\windows\Explorer.EXE
C:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\D-Link\DWA-125 revA\ANIWConnService.exe
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\windows\system32\taskeng.exe
C:\windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\IObit\Advanced SystemCare 3\AWC.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\TODDSrv.exe
C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
C:\Program Files\TOSHIBA\TECO\TecoService.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\Power Saver\TPwrMain.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\TOSHIBA\SmoothView\SmoothView.exe
C:\Program Files\TOSHIBA\FlashCards\TCrdMain.exe
C:\Program Files\TOSHIBA\TECO\TEco.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\D-Link\DWA-125 revA\WZCSLDR2.exe
C:\Program Files\IObit\IObit Security 360\is360tray.exe
C:\windows\system32\UI0Detect.exe
C:\windows\System32\alg.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\taskeng.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSwMgr.exe
C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
C:\Program Files\TOSHIBA\TPHM\TPCHWMsg.exe
C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\Program Files\KoolFirewall\koolfirewall.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\Users\My\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\My\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\My\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\My\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\My\Desktop\gmer.exe
C:\windows\system32\DllHost.exe
C:\windows\system32\DllHost.exe
C:\Users\My\Downloads\dds.scr
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mDefault_Page_URL = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
mStart Page = hxxp://www.google.com/ig/redirectdomain?brand=TSNA&bmod=TSNA
uURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} -
mURLSearchHooks: D-Link Toolbar Search Class: {e917fc61-7f80-4f1f-a882-cdffffbe4c8d} -
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: D-Link Toolbar Loader: {f01858c7-2a68-4d93-9e22-502eae3917c2} - D-Link Toolbar Loader
TB: D-Link Toolbar: {61874dfa-9adf-44e5-8e61-f3913707e7d7} -
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [AWC.exe] c:\program files\iobit\advanced systemcare 3\AWC.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
mRun: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
mRun: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
mRun: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
mRun: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [WZCSLDR2] c:\program files\d-link\dwa-125 reva\WZCSLDR2.exe
mRun: [IObit Security 360] "c:\program files\iobit\iobit security 360\IS360tray.exe" /autostart
mPolicies-explorer: EnableShellExecuteHooks = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
AppInit_DLLs: avgrsstx.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File
mASetup: {01250B8F-D947-4F8A-9408-FE8E3EE2EC92} - c:\program files\toshiba\my toshiba\MyToshiba.exe /SETUP

================= FIREFOX ===================

FF - ProfilePath - c:\users\my\appdata\roaming\mozilla\firefox\profiles\yhscdv8k.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\my\appdata\local\google\update\1.2.183.23\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-4-10 30320]
R1 anodlwf;ANOD Network Security Filter driver;c:\windows\system32\drivers\anodlwf.sys [2010-8-12 12800]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-2 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-2 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-2 243024]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;c:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-3-28 176128]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2010-8-12 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-8-12 308136]
R2 cfWiMAXService;ConfigFree WiMAX Service;c:\program files\toshiba\configfree\CFIWmxSvcs.exe [2009-8-10 185712]
R2 ConfigFree Service;ConfigFree Service;c:\program files\toshiba\configfree\CFSvcs.exe [2009-3-10 46448]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2010-4-10 6394368]
R2 D_Link_DWA-125_WPS;D_Link_DWA-125_WPS Service;c:\program files\d-link\dwa-125 reva\ANIWConnService.exe [2010-8-15 40960]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-8-20 312152]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-4-10 69736]
R2 TOSHIBA eco Utility Service;TOSHIBA eco Utility Service;c:\program files\toshiba\teco\TecoService.exe [2009-8-11 185712]
R2 TVALZFL;TOSHIBA ACPI-Based Value Added Logical and General Purpose Device Filter Driver;c:\windows\system32\drivers\TVALZFL.sys [2009-6-19 12920]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2010-3-28 7680]
R3 netr28u;D-Link dnetr28u USB Extensible Wireless LAN Card Driver;c:\windows\system32\drivers\Dnetr28u.sys [2010-8-15 807936]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2010-4-10 24400]
R3 TPCHSrv;TPCH Service;c:\program files\toshiba\tphm\TPCHSrv.exe [2009-8-6 685424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 D_Link_DWA-125;D_Link_DWA-125 Service;c:\program files\d-link\dwa-125 reva\ANIWZCSdS.exe [2010-8-15 126976]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2009-7-13 20992]
S3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\drivers\RtsUStor.sys [2010-3-28 171520]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2010-3-4 277536]
S3 TMachInfo;TMachInfo;c:\program files\toshiba\toshiba service station\TMachInfo.exe [2010-3-28 51512]
S3 TOSHIBA HDD SSD Alert Service;TOSHIBA HDD SSD Alert Service;c:\program files\toshiba\toshiba hdd ssd alert\TosSmartSrv.exe [2009-8-3 111960]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-4-3 1343400]

=============== Created Last 30 ================

2010-08-22 01:05:56 0 ----a-w- c:\users\my\defogger_reenable
2010-08-21 07:12:21 86016 ----a-w- c:\windows\unvise32.exe
2010-08-21 07:12:19 0 d-----w- c:\program files\KoolFirewall
2010-08-21 01:40:54 0 d-----w- c:\program files\TrendMicro
2010-08-21 01:14:19 0 d-----w- c:\programdata\CheckPoint
2010-08-21 00:58:38 0 d-----w- C:\IObit
2010-08-20 21:26:22 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-08-20 21:26:22 49472 ----a-w- c:\windows\system32\netfxperf.dll
2010-08-20 21:26:22 297808 ----a-w- c:\windows\system32\mscoree.dll
2010-08-20 21:26:22 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-08-20 21:26:22 1130824 ----a-w- c:\windows\system32\dfshim.dll
2010-08-20 21:24:59 3955080 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-08-20 21:24:59 3899784 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-08-20 21:24:57 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-08-20 21:24:56 307200 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-08-20 21:24:55 310784 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-20 21:24:55 113664 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-20 21:24:54 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-08-20 21:24:53 1286016 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-08-20 21:24:52 224256 ----a-w- c:\windows\system32\schannel.dll
2010-08-20 21:24:50 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-08-20 21:24:50 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-08-20 21:24:45 1286456 ----a-w- c:\windows\system32\ntdll.dll
2010-08-20 21:23:41 2048 ----a-w- c:\windows\system32\tzres.dll
2010-08-20 21:23:16 417792 ----a-w- c:\windows\system32\msdri.dll
2010-08-20 21:23:16 199680 ----a-w- c:\windows\system32\mpg2splt.ax
2010-08-20 21:23:15 204288 ----a-w- c:\windows\system32\MSNP.ax
2010-08-20 21:21:26 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-08-20 21:21:25 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-08-15 23:09:36 3284 ----a-w- c:\windows\system32\ANIWZCS{671B46A7-A128-4024-BF5A-D0614D458E71}
2010-08-15 23:04:55 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{671B46A7-A128-4024-BF5A-D0614D458E71}
2010-08-15 23:02:20 807936 ----a-w- c:\windows\system32\drivers\Dnetr28u.sys
2010-08-15 23:02:19 0 d-----w- c:\program files\D-Link
2010-08-15 22:59:54 0 d-----w- c:\program files\common files\Software Update Utility
2010-08-15 22:34:57 3 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{B5D2160A-E0CF-486B-9358-14F178A95029}
2010-08-15 22:24:50 3284 ----a-w- c:\windows\system32\ANIWZCS{4BF17C90-6F90-4BCF-92CE-F5BAE10210DD}
2010-08-15 22:24:41 3 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{4BF17C90-6F90-4BCF-92CE-F5BAE10210DD}
2010-08-14 19:05:28 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME
2010-08-13 03:17:57 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-08-12 23:37:06 3284 ----a-w- c:\windows\system32\ANIWZCS{12CAACCA-3BBA-42F0-962B-7AD2E0858117}
2010-08-12 23:35:18 7 ----a-w- c:\windows\system32\ANIWZCSUSERNAME{12CAACCA-3BBA-42F0-962B-7AD2E0858117}
2010-08-12 23:26:34 221184 ----a-w- c:\windows\system32\RaCoInst.dll
2010-08-12 23:26:34 12800 ----a-w- c:\windows\system32\drivers\anodlwf.sys
2010-08-12 23:10:59 65536 --sha-w- c:\users\my\ntuser.dat{9c2b4737-a58f-11df-aae8-001e33fbb58b}.TM.blf
2010-08-12 23:10:59 524288 --sha-w- c:\users\my\ntuser.dat{9c2b4737-a58f-11df-aae8-001e33fbb58b}.TMContainer00000000000000000002.regtrans-ms
2010-08-12 23:10:59 524288 --sha-w- c:\users\my\ntuser.dat{9c2b4737-a58f-11df-aae8-001e33fbb58b}.TMContainer00000000000000000001.regtrans-ms
2010-08-12 22:58:44 13931 ----a-w- c:\windows\system32\RaCoInst.dat
2010-08-11 21:30:31 65536 --sha-w- c:\users\my\ntuser.dat{50c6c8db-a58e-11df-9e1e-001e33fbb58b}.TM.blf
2010-08-11 21:30:31 524288 --sha-w- c:\users\my\ntuser.dat{50c6c8db-a58e-11df-9e1e-001e33fbb58b}.TMContainer00000000000000000002.regtrans-ms
2010-08-11 21:30:31 524288 --sha-w- c:\users\my\ntuser.dat{50c6c8db-a58e-11df-9e1e-001e33fbb58b}.TMContainer00000000000000000001.regtrans-ms

==================== Find3M ====================

2010-08-14 20:16:00 68120 ----a-w- c:\windows\system32\PxSecure.dll
2010-08-14 20:15:59 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-08-14 20:15:59 30320 ----a-w- c:\windows\system32\drivers\pxscan.sys
2010-08-14 20:15:59 24400 ----a-w- c:\windows\system32\drivers\pxkbf.sys
2010-08-13 03:17:58 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-08-13 03:17:55 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-29 06:30:49 197632 ----a-w- c:\windows\system32\ir32_32.dll
2010-07-29 06:30:34 82944 ----a-w- c:\windows\system32\iccvid.dll
2010-06-30 06:25:31 978432 ----a-w- c:\windows\system32\wininet.dll
2010-06-19 06:23:50 37376 ----a-w- c:\windows\system32\rtutils.dll
2010-06-19 04:07:18 2326016 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 06:02:06 1233920 ----a-w- c:\windows\system32\msxml3.dll
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-04-15 22:16:51 245760 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-04-05 22:52:03 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2010-04-05 22:52:03 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2010-04-05 22:52:03 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2010-04-05 22:52:03 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-04-02 23:11:47 15 --sh--w- c:\windows\system32\drivers\fbd.sys
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 21:26:50.79 ===============
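A DDS log like the one above is normally read by eye, section by section. The script below is an added example (it is not part of this thread and not DDS's own tooling) that makes that first pass systematic: it splits the log on its "==== Name ====" headers and flags the items a responder looks at first: autostart registrations with "No File" behind them, anything set in AppInit_DLLs, a pinned Java installer version in the DPF entries (the reason for m0le's closing advice to update Java), and hidden+system .sys files in the drivers directory that have no matching line in the SERVICES / DRIVERS section. The sample input is excerpted from the log posted above; the reading of the attribute column (s=system, h=hidden) is an assumption, and a flag means "look at this by hand", not a verdict, since m0le's own review of the full log found nothing.

```python
"""Triage pass over a DDS-style log (added example, not from the thread)."""
import re
from dataclasses import dataclass

# Constructed sample: lines excerpted from the DDS log posted above.
SAMPLE_LOG = r"""
============== Pseudo HJT Report ===============

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SafeOnline BHO: {69d72956-317c-44bd-b369-8e44d4ef9801} - c:\windows\system32\PxSecure.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
AppInit_DLLs: avgrsstx.dll
SEH: {4F07DA45-8170-4859-9B5F-037EF2970034} - No File

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2010-4-10 30320]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2010-4-10 69736]

==================== Find3M ====================

2010-08-14 20:15:59 69736 ----a-w- c:\windows\system32\drivers\pxrts.sys
2010-04-02 23:11:47 15 --sh--w- c:\windows\system32\drivers\fbd.sys
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "date time size attrs path"; attrs read as s=system, h=hidden (assumption)
FILE_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+([-a-z]{8})\s+(.+)$")
JAVA_RE = re.compile(r"jinstall-(\d+_\d+_\d+_\d+)-")


@dataclass
class Finding:
    severity: str   # "review" = look at this by hand, "info" = context only
    category: str
    detail: str


def split_sections(text):
    """Group non-blank lines under the '==== Name ====' header above them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def service_image_paths(lines):
    """Image paths from 'R0 name;display;path [date size]' service lines."""
    paths = set()
    for line in lines:
        parts = line.split(";")
        if len(parts) >= 3:
            paths.add(parts[2].split(" [", 1)[0].strip().lower())
    return paths


def triage(text):
    sections = split_sections(text)
    findings, java_versions = [], set()
    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):            # registration with no backing file
            findings.append(Finding("review", "orphaned-entry", line))
        elif line.startswith("AppInit_DLLs:"):     # DLL loaded into every user32 process
            dlls = line.split(":", 1)[1].strip()
            if dlls:
                findings.append(Finding("review", "appinit-dll", dlls))
        elif line.startswith("DPF:"):
            m = JAVA_RE.search(line)
            if m:
                java_versions.add(m.group(1))
    for ver in sorted(java_versions):              # Java installer version pinned in DPF
        findings.append(Finding("info", "java-installer", ver.replace("_", ".", 2)))
    known = service_image_paths(sections.get("SERVICES / DRIVERS", []))
    for section in ("Created Last 30", "Find3M"):
        for line in sections.get(section, []):
            m = FILE_RE.match(line)
            if not m:
                continue
            size, attrs, path = int(m.group(2)), m.group(3), m.group(4)
            # hidden+system .sys in the drivers directory: registered or not?
            if "h" in attrs and "s" in attrs and "\\drivers\\" in path.lower():
                cat = "hidden-driver" if path.lower() in known else "hidden-unregistered-driver"
                findings.append(Finding("review", cat, f"{path} ({size} bytes, {attrs})"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.category}: {f.detail}")
```

Run against a full DDS log by replacing SAMPLE_LOG with the file contents; the "Created Last 30" section is handled the same way as Find3M, so recently dropped files are covered too. The script deliberately reports only what is in the log. Whether an orphaned BHO is leftover from an uninstall or an unregistered hidden driver is a stub from a security product is a judgement the reviewer still has to make, which is why the thread's helper asked for a Sophos rootkit scan rather than acting on the log alone.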






#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:24 AM

Posted 27 August 2010 - 08:35 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks

Edited by m0le, 27 August 2010 - 08:36 PM.

m0le is a proud member of UNITE

#3 Kate R

Kate R
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:24 PM

Posted 29 August 2010 - 10:01 PM


I'm here. Thanks. Hope it's not too late.

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:24 AM

Posted 30 August 2010 - 05:06 AM

The logs don't give me any clues, so please run Sophos, which will confirm this PC is clean.

Please download Sophos Anti-rootkit & save it to your desktop.
alternate download link
Note: If using the vendor's download site you will be asked to register with MySophos so an email containing an activation link can be sent to your email address.

Be sure to print out and read the Sophos Anti-Rootkit User Manual and Release Notes.
  • Double-click sar_15_sfx.exe to begin the installation, read the license agreement and click Accept.
  • Allow the default location of C:\Program Files\Sophos\Sophos Anti-Rootkit and click Install.
  • A message will appear "Sophos Anti-Rootkit was successfully installed. Click 'yes' to start it now".
  • Click Yes and allow the driver and its randomly named .tmp file (i.e. F.tmp) to load if asked.
  • If the scan did not start automatically, make sure the following are checked:
    • Running processes
    • Windows Registry
    • Local Hard Drives
  • Click Start scan.
  • Sophos Anti-Rootkit will scan the selected areas and display any suspicious files in the upper panel.
  • When the scan is complete, a pop-up screen will appear with "Rootkit Scan Results". Click OK to continue.
  • Click on the suspicious file to display more information about it in the lower panel which also includes whether the item is recommended for removal.
    • Files tagged as Removable: No are not marked for removal and cannot be removed.
    • Files tagged as Removable: Yes (clean up recommended) are marked for removal by default.
    • Files tagged as Removable: Yes (but clean up not recommended) are not marked for removal because Sophos did not recognize them. These files will require further investigation.
  • Select only items recommended for removal, then click "Clean up checked items". You will be asked to confirm, click Yes.
  • A pop up window will appear advising the cleanup will finish when you restart your computer. Click Restart Now.
  • After reboot, a dialog box displays the files you selected for removal and the action taken.
  • Click Empty list and then click Continue to re-scan your computer a second time to ensure everything was cleaned.
  • When done, go to Start > Run and type or copy/paste: %temp%\sarscan.log
  • This should open the log from the rootkit scan. Please post this log in your next reply. If you have a problem, you can find sarscan.log in C:\Documents and Settings\<username>\Local Settings\Temp\.
Before performing an ARK scan it is recommended to do the following to ensure more accurate results and avoid common issues that may cause false detections.
  • Disconnect from the Internet or physically unplug your Internet cable connection.
  • Clean out your temporary files.
  • Close all open programs, scheduling/updating tasks and background processes that might activate during the scan including the screensaver.
  • Temporarily disable your anti-virus and real-time anti-spyware protection.
  • After starting the scan, do not use the computer until the scan has completed.
  • When finished, re-enable your anti-virus/anti-malware (or reboot) and then you can reconnect to the Internet.


On the subject of firewalls, the best option is to use Windows' own - it is actually an excellent product, but make sure outbound protection is enabled. Third-party firewalls are an objective thing, as both ZoneAlarm and Online Armor, which you have tried, are well regarded. Comodo consistently does well regardless of operating system but is a paid-for option. Try the PC Tools free version.

Remember that no security program is perfect, the malware will always be one step ahead of them, so don't ditch them based on one encounter.

#5 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:24 AM

Posted 01 September 2010 - 08:42 PM

Hi,

I have not had a reply from you for 3 days. Can you please tell me if you still need help with your computer as I am unable to help other members with their problems while I have your topic still open. The time taken between posts can also change the situation with your PC making it more difficult to help you.

If you like you can PM me.

Thanks,


m0le

#6 Kate R

Kate R
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:24 PM

Posted 02 September 2010 - 04:40 AM

Will it take an answer today?

#7 Kate R

Kate R
  • Topic Starter

  • Members
  • 18 posts
  • OFFLINE
  • Gender:Female
  • Local time:08:24 PM

Posted 02 September 2010 - 04:51 AM

Sorry, I tried to reply and it kept giving me an error message. I thought you had closed the topic.

The Sophos program could not check running processes, so I ran it in safe mode and shut down almost everything. It found nothing.

Then I enabled my anti-virus and malware stuff. AVG picked up 31 somethings, and IObit picked up 10 trojans, it said. Prevx found nothing.

The IObit Auto Care software cleaned up about 30 problems in the registry, it said. The firewall I was using, Kool Firewall, took my $19.99 and apparently went out of business, since you can't download the software any more and the e-mail addy bounces.

I installed the most anally retentive firewall I've ever seen (it won't let WINDOWS do anything unless I say it's OK, and it runs some programs in what it calls the "Sandbox") called Comodo.

In three hours of browsing, Comodo has blocked 17,190 suspicious attempts to access my computer and I have had absolutely no problems on Facebook for the first time prolly ever. So, I think I'm happy with Comodo. =)

Unless you have any suggestions or comments, I think I'm going to assume my laptop is OK and keep Comodo. It sounds from ZoneAlarm's forums that too many peeps are having compatibility issues with Windows 7, and ZA doesn't seem too concerned about fixing them. As I said, Comodo is the most restrictive firewall I've ever seen. Peeps who are recommending Online Armor should be ashamed of themselves. My FB hackers had a field day with it.

Thanks for your help. Take care.

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:12:24 AM

Posted 02 September 2010 - 01:47 PM

If you're happy then I've nothing to add. I would update your Java though.

Thanks for letting me know what's happening, Kate R. I have closed the topic.

-------------------------------------

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.

Edited by m0le, 02 September 2010 - 01:49 PM.




