tmp0000* files filling drivespace


This topic is locked
2 replies to this topic

#1 Guest_m661_*


Posted 02 August 2011 - 04:57 AM

Greetings everyone,

Since yesterday I have noticed a rather strange behavior regarding the creation of a few tmp files in the directory C:\Windows\Temp. I will start at the beginning of my observations as it might give some insight how this has happened. It is rather lengthy though.

About 2/3 days ago I installed a new test SQL 2008 R2 server for study purposes. After the initial server and database setup I noticed a big increase in CPU and memory usage. I related this at first to the server not being optimized yet. The next day I optimized the server with a max memory limit and configured the CPU affinity setting. However after the restart I noticed that my CPU was steadily increasing and my memory wasn't dropping either.

My next action was to check if the OS was creating restore points or shadow copies. However this wasn't the case either. Next course of action was checking if winsxs had been creating abnormal amounts of aliases by using the programs TreeSize and SequoiaView. winsxs seemed fine and no file seemed out of the ordinary by size. Ran CCleaner and Auslogics Disk Defrag, then reviewed my files again, but nothing out of the ordinary or a significant change. Except for the fun fact that my drive space started dropping by 100 MB per second without telling where it went.

At this point I started looking for the more nasty explanations. Ran MSE, MBAM, HJT, ClamWin but nothing turned up. (Removed the others before running a new one.)
However while checking my processes I noticed that MSE took around 250 MB of RAM while I had disabled it just 5 minutes ago. After disabling it forcefully I immediately noticed new files showing up in my C:\Windows\Temp; they were all labeled tmp00000* followed by random characters. When I tried to remove them I got the error that they were in use. I launched the program Unlocker and it showed me they were tied to msmpeng.exe. I knew at this point a logical explanation could be that it was scanning itself, but the folder was excluded already. I decided not to take any chances and removed the scanner. The moment I closed it however it restarted and out of nothing it showed me two infections, Java/CVE-2010-0094.EG and 2010-0094.EH. They were successfully removed, but I didn't like the sign of this and reinstalled Java and MSE. Downloaded them by Mac, transferred them to Windows and installed them with no problem. However after excluding MSE from itself again it started eating disk space again.

At this point I already knew part of who did it and where it happened. So I started taking a few notes. There were a total of eight tmp00000* files in the directory, with 6 showing 0 KB and two showing 512 KB. Further scan showed the actual size was between 2,3/3 GB. The 2 files showing as 512 KB changed their number every second while keeping the shown size the same. Removing MSE stopped the tmp files again from increasing or changing. Event log did not show anything as in errors, neither did I see an increase in outgoing data in my router logs. Host and DNS configs as well show nothing strange.


So to summarize.
MSE creates tmp files in C:\Windows\Temp without a reason, eating disk space, CPU and memory.
Two infections removed: Java/CVE-2010-0094.EG, 2010-0094.EH
MSE, MBAM, HJT, ClamWin show clean logs, as well as event log and router logs.
Removing MSE halts the problem but the real problem source is still unknown. Problem can be replicated 9/10 times by reinstalling MSE.
Either this is a really nasty bug or a really nasty infection.

Special notes
Running SQL 2008 R2 Server (Can be shutdown if it is preferred.)
Prey antitheft protection (Could be recognized as rootkit/trojan: Cannot be removed)
Prey runs at C:\Windows\security\Pr3y\platform\windows\cronsvc.exe
Unable to run GMER (64bit)


.
DDS (Ver_2011-06-23.01) - NTFSAMD64
Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_26
Run by mdraadjer at 11:46:11 on 2011-08-02
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.31.1033.18.3958.2319 [GMT 2:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Enabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Windows\system32\AppleOSSMgr.exe
C:\Windows\system32\AppleTimeSrv.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Windows\security\Pr3y\platform\windows\cronsvc.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe
C:\Program Files\Boot Camp\Bootcamp.exe
C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\GridMove\GridMove.exe
C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft SQL Server\MSAS10_50.MSSQLSERVER\OLAP\bin\msmdsrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe
C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\SQLAGENT.EXE
C:\Windows\system32\conhost.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdhost.exe
C:\Windows\system32\conhost.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\System32\svchost.exe -k NetworkServiceAndNoImpersonation
C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files (x86)\chrome-win32\chrome.exe
C:\Program Files (x86)\chrome-win32\chrome.exe
C:\Program Files (x86)\chrome-win32\chrome.exe
C:\Windows\system32\notepad.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Program Files\Microsoft Security Client\msseces.exe
c:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uInternet Settings,ProxyOverride = *.local
mWinlogon: Userinit=userinit.exe
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: DivX HiQ: {593ddec6-7468-4cdd-90e1-42dadaa222e9} - C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
BHO: 1Password: {cb1a24da-7416-4921-a0cf-5aa1160aae2a} - C:\PROGRA~2\1PASSW~1\AGILE1~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ccleaner] "C:\Program Files\CCleaner\CCleaner64.exe" /AUTO
uRun: [OpenDNS Updater] "C:\Program Files (x86)\OpenDNS Updater\OpenDNSUpdater.exe" /autostart
mRun: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
StartupFolder: C:\Users\MDRAAD~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\GridMove.lnk - C:\Program Files (x86)\GridMove\GridMove.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 208.67.222.222 208.67.220.220
TCP: Interfaces\{10450826-40A8-4820-A516-D89D27EDC58A} : DhcpNameServer = 208.67.222.222 208.67.220.220
{326E768D-4182-46FD-9C16-1449A49795F4}
{593DDEC6-7468-4cdd-90E1-42DADAA222E9}
{CB1A24DA-7416-4921-A0CF-5AA1160AAE2A}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
mRun-x64: [DivXUpdate] "C:\Program Files (x86)\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
mRun-x64: [LogMeIn Hamachi Ui] "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\mdraadjer\AppData\Roaming\Mozilla\Firefox\Profiles\6jdb2n49.default\
FF - component: C:\Users\mdraadjer\AppData\Roaming\Mozilla\Firefox\Profiles\6jdb2n49.default\extensions\cfxHelper@Triton\components\dwmxpcom.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX OVS Helper\npovshelper.dll
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - C:\Program Files (x86)\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Chromifox Companion: cfxHelper@Triton - %profile%\extensions\cfxHelper@Triton
FF - Ext: Chromifox Extreme: cfxe@Triton - %profile%\extensions\cfxe@Triton
FF - Ext: WOT: {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7} - %profile%\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
FF - Ext: NoScript: {73a6fe31-595d-460b-a920-fcc0f8843232} - %profile%\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
FF - Ext: Vimperator: vimperator@mozdev.org - %profile%\extensions\vimperator@mozdev.org
FF - Ext: DivX Plus Web Player HTML5 &lt;video&gt;: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - C:\Program Files (x86)\DivX\DivX Plus Web Player\firefox\wpa
.
============= SERVICES / DRIVERS ===============
.
R0 AppleHFS;AppleHFS;C:\Windows\system32\drivers\AppleHFS.sys --> C:\Windows\system32\drivers\AppleHFS.sys [?]
R0 AppleMNT;AppleMNT;C:\Windows\system32\drivers\AppleMNT.sys --> C:\Windows\system32\drivers\AppleMNT.sys [?]
R1 MpFilter;Microsoft Malware Protection Driver;C:\Windows\system32\DRIVERS\MpFilter.sys --> C:\Windows\system32\DRIVERS\MpFilter.sys [?]
R2 AppleOSSMgr;Apple OS Switch Manager;C:\Windows\system32\AppleOSSMgr.exe --> C:\Windows\system32\AppleOSSMgr.exe [?]
R2 AppleTimeSrv;Apple Time Service;C:\Windows\system32\AppleTimeSrv.exe --> C:\Windows\system32\AppleTimeSrv.exe [?]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
R2 CronService;Cron Service for Prey;C:\Windows\security\Pr3y\platform\windows\cronsvc.exe [2010-9-29 18432]
R2 Hamachi2Svc;LogMeIn Hamachi 2.0 Tunneling Engine;C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2.exe [2011-5-25 2275720]
R2 KeyAgent;KeyAgent;\??\C:\Windows\system32\drivers\KeyAgent.sys --> C:\Windows\system32\drivers\KeyAgent.sys [?]
R2 MacHALDriver;Mac HAL;\??\C:\Windows\system32\drivers\MacHALDriver.sys --> C:\Windows\system32\drivers\MacHALDriver.sys [?]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-8-1 366640]
R2 MsDtsServer100;SQL Server Integration Services 10.0;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\MsDtsSrvr.exe [2010-4-3 210784]
R2 ReportServer;SQL Server Reporting Services (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer\bin\ReportingServicesService.exe [2010-4-3 2175328]
R3 acpials;ALS Sensor Filter;C:\Windows\system32\DRIVERS\acpials.sys --> C:\Windows\system32\DRIVERS\acpials.sys [?]
R3 AppleBtBc;Apple Broadcom Built-in Bluetooth;C:\Windows\system32\DRIVERS\AppleBtBc.sys --> C:\Windows\system32\DRIVERS\AppleBtBc.sys [?]
R3 applemtm;Apple Multitouch Mouse;C:\Windows\system32\DRIVERS\applemtm.sys --> C:\Windows\system32\DRIVERS\applemtm.sys [?]
R3 applemtp;Apple Multitouch;C:\Windows\system32\DRIVERS\applemtp.sys --> C:\Windows\system32\DRIVERS\applemtp.sys [?]
R3 CirrusFilter;CS420xLowerFilter;C:\Windows\system32\DRIVERS\CS420x64.sys --> C:\Windows\system32\DRIVERS\CS420x64.sys [?]
R3 IRRemoteFlt;IR Receiver Filter Driver;C:\Windows\system32\DRIVERS\IRFilter.sys --> C:\Windows\system32\DRIVERS\IRFilter.sys [?]
R3 KeyMagic;USB Keyboard HID Filter;C:\Windows\system32\DRIVERS\KeyMagic.sys --> C:\Windows\system32\DRIVERS\KeyMagic.sys [?]
R3 MBAMProtector;MBAMProtector;\??\C:\Windows\system32\drivers\mbam.sys --> C:\Windows\system32\drivers\mbam.sys [?]
R3 MpNWMon;Microsoft Malware Protection Network Driver;C:\Windows\system32\DRIVERS\MpNWMon.sys --> C:\Windows\system32\DRIVERS\MpNWMon.sys [?]
R3 MSSQLFDLauncher;SQL Full-text Filter Daemon Launcher (MSSQLSERVER);C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\fdlauncher.exe [2010-4-3 32096]
R3 NisDrv;Microsoft Network Inspection System;C:\Windows\system32\DRIVERS\NisDrvWFP.sys --> C:\Windows\system32\DRIVERS\NisDrvWFP.sys [?]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-4-27 288272]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;C:\Windows\system32\drivers\nvhda64v.sys --> C:\Windows\system32\drivers\nvhda64v.sys [?]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\system32\drivers\rdpvideominiport.sys --> C:\Windows\system32\drivers\rdpvideominiport.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 USBAAPL64;Apple Mobile USB Driver;C:\Windows\system32\Drivers\usbaapl64.sys --> C:\Windows\system32\Drivers\usbaapl64.sys [?]
S3 vcd10bus;Virtual CD v10 Bus Enumerator;C:\Windows\system32\DRIVERS\vcd10bus.sys --> C:\Windows\system32\DRIVERS\vcd10bus.sys [?]
S4 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe --> C:\Program Files (x86)\Cobian Backup 10\cbVSCService.exe [?]
S4 CobianBackup10;Cobian Backup 10;C:\Program Files (x86)\Cobian Backup 10\cbService.exe --> C:\Program Files (x86)\Cobian Backup 10\cbService.exe [?]
S4 InspIRCd;Inspire IRC Daemon;C:\Program Files (x86)\InspIRCd\bin\inspircd.exe --> C:\Program Files (x86)\InspIRCd\bin\inspircd.exe [?]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2010-4-7 59744]
S4 RsFx0150;RsFx0150 Driver;C:\Windows\system32\DRIVERS\RsFx0150.sys --> C:\Windows\system32\DRIVERS\RsFx0150.sys [?]
S4 TeamViewer6;TeamViewer 6;C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2010-12-28 2228008]
SUnknown tsusbhub;tsusbhub; [x]
.
=============== Created Last 30 ================
.
2011-08-02 09:22:29 601424 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{E99282DB-E080-4074-85E4-47B8BB40555A}\gapaengine.dll
2011-08-02 09:22:22 8578896 ----a-w- C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{1111B76C-CC6C-48B0-B43B-9489D777AAA5}\mpengine.dll
2011-08-02 09:21:28 -------- d-----w- C:\Program Files (x86)\Microsoft Security Client
2011-08-02 09:21:23 -------- d-----w- C:\Program Files\Microsoft Security Client
2011-08-01 20:12:49 41272 ----a-w- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
2011-08-01 20:12:45 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2011-08-01 18:06:16 52736 ----a-w- C:\Windows\System32\drivers\usbehci.sys
2011-08-01 18:06:16 343040 ----a-w- C:\Windows\System32\drivers\usbhub.sys
2011-08-01 18:06:16 325120 ----a-w- C:\Windows\System32\drivers\usbport.sys
2011-08-01 18:06:15 98816 ----a-w- C:\Windows\System32\drivers\usbccgp.sys
2011-08-01 18:06:15 7936 ----a-w- C:\Windows\System32\drivers\usbd.sys
2011-08-01 18:06:15 30720 ----a-w- C:\Windows\System32\drivers\usbuhci.sys
2011-08-01 18:06:15 25600 ----a-w- C:\Windows\System32\drivers\usbohci.sys
2011-08-01 18:05:15 80384 ----a-w- C:\Windows\System32\drivers\BTHUSB.SYS
2011-08-01 18:05:15 552960 ----a-w- C:\Windows\System32\drivers\bthport.sys
2011-08-01 18:04:41 2565632 ----a-w- C:\Windows\System32\esent.dll
2011-08-01 18:04:40 96768 ----a-w- C:\Windows\System32\fsutil.exe
2011-08-01 18:04:40 410496 ----a-w- C:\Windows\System32\drivers\iaStorV.sys
2011-08-01 18:04:40 189824 ----a-w- C:\Windows\System32\drivers\storport.sys
2011-08-01 18:04:40 1699328 ----a-w- C:\Windows\SysWow64\esent.dll
2011-08-01 18:04:40 1659776 ----a-w- C:\Windows\System32\drivers\ntfs.sys
2011-08-01 18:04:39 74240 ----a-w- C:\Windows\SysWow64\fsutil.exe
2011-08-01 18:04:39 27008 ----a-w- C:\Windows\System32\drivers\amdxata.sys
2011-08-01 18:04:39 166272 ----a-w- C:\Windows\System32\drivers\nvstor.sys
2011-08-01 18:04:39 148352 ----a-w- C:\Windows\System32\drivers\nvraid.sys
2011-08-01 18:04:39 107904 ----a-w- C:\Windows\System32\drivers\amdsata.sys
2011-08-01 16:08:33 3584 ----a-r- C:\Users\mdraadjer\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2011-08-01 16:08:33 -------- d-----w- C:\Program Files (x86)\Windows Installer Clean Up
2011-08-01 16:03:16 -------- d-----w- C:\Program Files (x86)\MSECACHE
2011-08-01 15:55:30 570 ----a-w- C:\FixitRegBackup.reg
2011-08-01 15:54:44 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2011-08-01 15:54:39 8578896 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{161E8A84-3602-48CD-936D-F69B2BA56AD7}\mpengine.dll
2011-08-01 15:16:08 -------- d-----w- C:\Windows\System32\SPReview
2011-08-01 15:15:39 -------- d-----w- C:\Windows\System32\EventProviders
2011-08-01 15:13:33 48976 ----a-w- C:\Windows\System32\netfxperf.dll
2011-08-01 15:13:33 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2011-08-01 15:13:19 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2011-08-01 15:13:10 59392 ----a-w- C:\Windows\System32\drivers\TsUsbFlt.sys
2011-08-01 15:13:10 12288 ----a-w- C:\Windows\System32\TsUsbRedirectionGroupPolicyExtension.dll
2011-08-01 15:13:09 3715584 ----a-w- C:\Windows\System32\mstscax.dll
2011-08-01 15:13:08 1838080 ----a-w- C:\Windows\System32\d3d10warp.dll
2011-08-01 15:13:01 3215872 ----a-w- C:\Windows\SysWow64\mstscax.dll
2011-08-01 15:11:59 53248 ----a-w- C:\Windows\System32\LSCSHostPolicy.dll
2011-08-01 15:10:59 780008 ----a-w- C:\Windows\System32\ci.dll
2011-08-01 15:09:59 780800 ----a-w- C:\Windows\System32\ActionCenter.dll
2011-08-01 15:08:58 6656 ----a-w- C:\Windows\System32\drivers\nl-NL\rdvgkmd.sys.mui
2011-08-01 15:08:58 4608 ----a-w- C:\Windows\System32\drivers\nl-NL\tsusbhub.sys.mui
2011-08-01 15:08:58 3584 ----a-w- C:\Windows\System32\drivers\nl-NL\tsusbflt.sys.mui
2011-08-01 15:08:58 2560 ----a-w- C:\Windows\System32\drivers\nl-NL\rdpwd.sys.mui
2011-08-01 15:08:55 3072 ----a-w- C:\Windows\System32\drivers\nl-NL\Dot4usb.sys.mui
2011-08-01 15:08:53 399872 ----a-w- C:\Windows\System32\dpx.dll
2011-08-01 15:08:53 189952 ----a-w- C:\Windows\SysWow64\wdscore.dll
2011-08-01 15:08:23 606208 ----a-w- C:\Windows\SysWow64\wbem\fastprox.dll
2011-08-01 15:08:23 363008 ----a-w- C:\Windows\SysWow64\wbemcomn.dll
2011-08-01 15:05:45 529408 ----a-w- C:\Windows\System32\wbemcomn.dll
2011-08-01 13:57:43 35712 ----a-w- C:\Windows\SysWow64\drivers\BlackBox.sys
2011-08-01 13:40:10 4096 ---ha-w- C:\Users\mdraadjer\._RKUnhookerLE.EXE
2011-08-01 13:40:10 4096 ---ha-w- C:\Users\mdraadjer\._OTL.exe
2011-08-01 12:33:20 -------- dc----w- C:\Users\mdraadjer\AppData\Local\MigWiz
2011-08-01 12:27:52 759296 ----a-w- C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.dll
2011-08-01 12:27:52 1110528 ----a-w- C:\Program Files\Common Files\Microsoft Shared\VGX\VGX.dll
2011-08-01 12:27:29 1923968 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-08-01 12:27:28 499200 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-08-01 12:27:27 288640 ----a-w- C:\Windows\System32\drivers\FWPKCLNT.SYS
2011-08-01 12:25:44 289280 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-08-01 12:21:34 3137536 ----a-w- C:\Windows\System32\win32k.sys
2011-08-01 12:20:09 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-08-01 12:20:09 741376 ----a-w- C:\Windows\SysWow64\inetcomm.dll
2011-08-01 12:16:34 -------- d-----w- C:\Users\mdraadjer\AppData\Roaming\Malwarebytes
2011-08-01 12:16:25 -------- d-----w- C:\ProgramData\Malwarebytes
2011-08-01 12:16:22 25912 ----a-w- C:\Windows\System32\drivers\mbam.sys
2011-08-01 12:15:11 110384 ----a-w- C:\Windows\System32\drivers\41886739.sys
2011-07-29 21:40:26 -------- d-----w- C:\Users\mdraadjer\AppData\Roaming\Mael
2011-07-29 21:38:23 -------- d-----w- C:\Program Files (x86)\HxD
2011-07-29 18:42:30 -------- d-----w- C:\Users\mdraadjer\AppData\Roaming\JAM Software
2011-07-29 18:42:05 -------- d-----w- C:\Program Files (x86)\JAM Software
2011-07-27 09:03:34 -------- d-----w- C:\Users\mdraadjer\AppData\Local\HHD Software
2011-07-27 08:59:19 -------- d-----w- C:\Users\mdraadjer\AppData\Roaming\PE Explorer
2011-07-27 08:58:57 -------- d-----w- C:\Program Files (x86)\PE Explorer
2011-07-26 19:34:05 77664 ----a-w- C:\Windows\System32\perf-ReportServer-rsctr.dll
2011-07-26 19:34:05 47968 ----a-w- C:\Windows\SysWow64\perf-ReportServer-rsctr.dll
2011-07-26 19:32:52 47456 ----a-w- C:\Windows\SysWow64\perf-MSSQL10_50.MSSQLSERVER-sqlagtctr.dll
2011-07-26 19:32:51 77152 ----a-w- C:\Windows\System32\perf-MSSQL10_50.MSSQLSERVER-sqlagtctr.dll
2011-07-26 19:31:50 79200 ----a-w- C:\Windows\System32\perf-MSSQLSERVER-sqlctr10.50.1600.1.dll
2011-07-26 19:31:50 73568 ----a-w- C:\Windows\SysWow64\perf-MSSQLSERVER-sqlctr10.50.1600.1.dll
2011-07-26 19:18:41 -------- d-----w- C:\Program Files\Microsoft Analysis Services
2011-07-26 19:18:41 -------- d-----w- C:\Program Files (x86)\Microsoft Analysis Services
2011-07-26 19:09:59 -------- d-----w- C:\Program Files (x86)\Common Files\Merge Modules
2011-07-26 19:06:18 -------- d-----w- C:\Program Files (x86)\Microsoft Synchronization Services
2011-07-26 19:03:09 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2011-07-26 19:03:02 -------- d-----w- C:\Windows\SysWow64\1033
2011-07-26 19:03:02 -------- d-----w- C:\Windows\System32\1033
2011-07-26 18:56:10 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server
2011-07-26 18:52:34 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server 2008 R2 Upgrade Advisor
2011-07-26 18:51:13 632656 ----a-w- C:\Windows\SysWow64\msvcr80.dll
2011-07-25 19:27:19 471040 ----a-w- C:\Windows\SysWow64\SCDialer1.ocx
2011-07-25 19:27:19 323584 ----a-w- C:\Windows\SysWow64\SCDialer2.ocx
2011-07-25 19:18:00 -------- d-----w- C:\Program Files (x86)\SubaGames
2011-07-24 20:39:56 -------- d-----w- C:\Program Files (x86)\Quick Batch File Compiler
2011-07-24 19:27:12 -------- d-----w- C:\Users\mdraadjer\AppData\Local\LogMeIn Hamachi
2011-07-24 19:26:45 -------- d-----w- C:\Program Files (x86)\LogMeIn Hamachi
2011-07-24 18:45:46 -------- d-----w- C:\Windows\System32\RsFx
2011-07-24 18:44:35 -------- d-----w- C:\Users\mdraadjer\AppData\Local\Microsoft Help
2011-07-24 18:34:00 -------- d-----w- C:\Windows\PCHEALTH
2011-07-24 18:14:05 -------- d-----w- C:\Users\mdraadjer\AppData\Local\Microsoft_Corporation
2011-07-24 18:13:01 -------- d-----w- C:\Program Files\Microsoft SQL Server
2011-07-24 12:51:46 118272 ----a-w- C:\Windows\SysWow64\SX5363S.DLL
2011-07-24 12:51:46 102400 ----a-w- C:\Windows\SysWow64\RV32RTP.dll
2011-07-17 10:44:31 -------- d-----w- C:\Program Files (x86)\The Witcher 2
2011-07-16 23:43:32 -------- d-----w- C:\Users\mdraadjer\AppData\Local\The Witcher 2
2011-07-16 16:37:33 -------- d-----w- C:\Program Files (x86)\Microsoft Games
2011-07-14 15:29:58 -------- d-----w- C:\Program Files (x86)\Gw1
2011-07-11 22:19:55 -------- d-----w- C:\Users\mdraadjer\AppData\Roaming\Rovio
2011-07-07 04:47:11 579584 ----a-w- C:\Users\mdraadjer\OTL.exe
.
==================== Find3M ====================
.
2011-08-02 09:43:25 29 ----a-w- C:\Windows\SysWow64\TempWmicBatchFile.bat
2011-08-01 15:25:16 175616 ----a-w- C:\Windows\System32\msclmd.dll
2011-08-01 15:25:16 152576 ----a-w- C:\Windows\SysWow64\msclmd.dll
2011-08-01 13:33:46 139264 ----a-w- C:\Users\mdraadjer\RKUnhookerLE.EXE
2011-06-10 22:52:02 178800 ----a-w- C:\Windows\SysWow64\CmdLineExt_x64.dll
2011-06-03 06:57:45 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-06-03 06:57:45 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-06-03 06:57:45 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-06-03 06:57:44 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-06-03 06:57:38 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-06-03 06:56:38 421888 ----a-w- C:\Windows\System32\KernelBase.dll
2011-06-03 06:53:33 338944 ----a-w- C:\Windows\System32\conhost.exe
2011-06-03 06:00:53 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-06-03 05:57:52 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-06-03 05:57:33 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-06-03 05:56:12 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-06-03 05:56:11 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-06-03 03:53:31 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-06-03 03:53:31 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-06-03 03:48:32 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-06-03 03:48:31 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-06-03 03:48:31 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-06-03 03:48:31 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-05-28 03:30:09 1638912 ----a-w- C:\Windows\System32\mshtml.tlb
2011-05-28 02:53:58 1638912 ----a-w- C:\Windows\SysWow64\mshtml.tlb
2011-05-24 17:14:10 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-05-24 11:42:55 404480 ----a-w- C:\Windows\System32\umpnpmgr.dll
2011-05-24 11:18:39 6904040 ----a-w- C:\Windows\SysWow64\SpoonUninstall.exe
2011-05-24 10:40:05 64512 ----a-w- C:\Windows\SysWow64\devobj.dll
2011-05-24 10:40:05 44544 ----a-w- C:\Windows\SysWow64\devrtl.dll
2011-05-24 10:39:38 145920 ----a-w- C:\Windows\SysWow64\cfgmgr32.dll
2011-05-24 10:37:54 252928 ----a-w- C:\Windows\SysWow64\drvinst.exe
.
============= FINISH: 11:46:43,05 ===============
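A small triage helper for logs in the DDS format posted above, added here as an example; it is not code from the thread, from BleepingComputer or from the DDS tool. It splits the log into its `====` sections, parses the Running Processes and SERVICES / DRIVERS entries, and lists what a reviewer would look at first: binaries running from outside the standard install roots, and service entries whose file DDS could not find (`[x]`). The sample log is constructed from a handful of lines of the log above; the set of trusted roots is an assumption for a 64-bit Windows 7 layout, and a flagged entry only means "check this", not "malicious" (the poster installed Prey deliberately, so its cronsvc.exe under C:\Windows\security is expected to show up).

```python
"""Triage helper for DDS-style logs (added example, not part of the thread)."""
import re

# Section headers look like "============== Running Processes ===============".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# A process line is a path ending in .exe, optionally followed by arguments.
EXE_RE = re.compile(r"^(.*?\.exe)(?:\s+.*)?$", re.IGNORECASE)
# Service lines: "<state> <name>;<description>;<path and file info>".
SERVICE_RE = re.compile(r"^(?P<state>\S+)\s+(?P<name>[^;]*);(?P<desc>[^;]*);(?P<rest>.*)$")
# Trailing "[date size]", "[?]" (not readable) or "[x]" (not found).
INFO_RE = re.compile(r"\[([^\]]*)\]\s*$")

# Assumption: where legitimately installed binaries normally live on 64-bit Windows 7.
TRUSTED_ROOTS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\microsoft.net\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)
# System binaries that legitimately sit directly under C:\Windows.
ROOT_LEVEL_ALLOW = ("c:\\windows\\explorer.exe",)


def split_sections(text):
    """Return {section name (lowercase): [non-empty lines]}."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections


def in_trusted_root(path):
    """True if the path (NT '\\??\\' prefix allowed) is under a trusted root."""
    p = path.lower()
    if p.startswith("\\??\\"):
        p = p[4:]
    return p in ROOT_LEVEL_ALLOW or p.startswith(TRUSTED_ROOTS)


def triage(text):
    """Return a list of findings (dicts) for the processes and services worth a look."""
    sections = split_sections(text)
    findings = []
    for line in sections.get("running processes", []):
        m = EXE_RE.match(line)
        if m and not in_trusted_root(m.group(1)):
            path = m.group(1)
            findings.append({"kind": "process", "name": path.rsplit("\\", 1)[-1],
                             "path": path, "reason": "runs from outside the usual install roots"})
    for line in sections.get("services / drivers", []):
        m = SERVICE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        info = INFO_RE.search(rest)
        info_text = info.group(1) if info else ""
        path = rest[: info.start()].strip() if info else rest.strip()
        if " --> " in path:  # DDS repeats the path after an arrow; keep one copy
            path = path.split(" --> ", 1)[1].strip()
        entry = {"kind": "service", "name": m.group("name"), "path": path}
        if info_text == "x" or not path:
            entry["reason"] = "DDS could not find the service binary ([x])"
            findings.append(entry)
        elif not in_trusted_root(path):
            entry["reason"] = "runs from outside the usual install roots"
            findings.append(entry)
    return findings


# Constructed sample: a few lines taken from the log in the post above.
SAMPLE_LOG = r"""============== Running Processes ===============
.
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
C:\Windows\security\Pr3y\platform\windows\cronsvc.exe
C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Binn\sqlservr.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
.
============= SERVICES / DRIVERS ===============
.
R0 AppleHFS;AppleHFS;C:\Windows\system32\drivers\AppleHFS.sys --> C:\Windows\system32\drivers\AppleHFS.sys [?]
R2 CronService;Cron Service for Prey;C:\Windows\security\Pr3y\platform\windows\cronsvc.exe [2010-9-29 18432]
R2 MBAMService;MBAMService;C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2011-8-1 366640]
SUnknown tsusbhub;tsusbhub; [x]
.
============= FINISH: 11:46:43,05 ===============
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']:8} {f['name']:14} {f['reason']}  ({f['path'] or 'no path'})")
```

Run against the sample, it reports cronsvc.exe (process), CronService (service) and tsusbhub (file not found); everything under System32, SysWOW64 and Program Files stays quiet, including the many drivers DDS lists with `[?]` because it could not read their file details on a 64-bit system.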

#2 HelpBot


Posted 09 August 2011 - 09:30 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on http://www.bleepingcomputer.com/logreply/412467 and follow the instructions there. If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot


Posted 10 August 2011 - 08:08 AM

You have stated that you no longer need help with this issue, therefore I am closing this topic. If that is not the case and you need or wish to continue with this topic, please send any Moderator a Personal Message (PM) that you would like this topic re-opened.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!
