Trojan:Win32/Ramnit infection - Help please!


2 replies to this topic

#1 vitalgirl

Posted 06 March 2013 - 07:13 AM

Hi
Apparently I have a Trojan:Win32/Ramnit infection. I cannot send email as I have been blocked by spamhaus.org, and when I checked my IP I found I was listed in the XPL/CBL and PBL. The latter seemed to just require me to adjust my SMTP authentication and port, but the former says I am infected with the above trojan, and the prognosis is not good. They suggest reformatting the HD and reinstalling everything. I would rather not if I don't have to, so I was wondering if it was possible to fix the problem. My AV (with ESET) did lapse as I was off work sick for a few months, though it is fixed and current now. Yesterday, before I found the info on Spamhaus that I was infected, I tried running various things, including ComboFix, and ESET and Malwarebytes when I rejoined ESET. That removed some things but I don't know if it got the problem. I haven't tried delisting my IP with Spamhaus yet as I'm not sure if it is fixed. They seem pessimistic about it as per this:
It appears to be infected with a spam sending trojan, proxy or some other form of botnet.

It was last detected at 2013-03-02 11:00 GMT (+/- 30 minutes), approximately 4 days ago.

This IP is infected with, or is NATting for a machine infected with Trojan:Win32/Ramnit (Microsoft).

This was detected by observing this IP attempting to make contact to a Ramnit Command and Control server, with contents unique to Ramnit C&C command protocols.

Amongst other things, Ramnit inserts malicious code into web server pages in an attempt to propagate itself.

This was detected by a TCP/IP connection from ~my IP~ on port 1318 going to IP address 87.255.51.230 (the sinkhole) on port 443.
The botnet command and control domain for this connection was "ckadkvltviespq.com".

This detection corresponds to a connection at 2013-03-02 11:13:13 (GMT - this timestamp is believed accurate to within one second).

These infections are rated as a "severe threat" by Microsoft. It is a trojan downloader, and can download and execute ANY software on the infected computer.

You will need to find and eradicate the infection before delisting the IP address.

We strongly recommend that you DO NOT simply firewall off connections to the sinkhole IP addresses given above. Those IP addresses are of sinkholes operated by malware researchers. In other words, it's a "sensor" (only) run by "the good guys". The bot "thinks" it's a command and control server run by the spambot operators but it isn't. It DOES NOT actually download anything, and is not a threat. If you firewall the sinkhole addresses, your IPs will remain infected, and they will STILL be delivering your users'/customers' personal information, including banking information, to the criminal bot operators.

If you do choose to firewall these IPs, PLEASE instrument your firewall to tell you which internal machine is connecting to them so that you can identify the infected machine yourself and fix it.

We are enhancing the instructions on how to find these infections, and more information will be given here as it becomes available.

Virtually all detections made by the CBL are of infections that do NOT leave any "tracks" for you to find in your mail server logs. This is even more important for the viruses described here - these detections are made on network-level detections of malicious behaviour and may NOT involve malicious email being sent.
The DDS Log:
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 10.10.2
Run by Rabecca at 22:04:48 on 2013-03-06
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.61.1033.18.3327.1648 [GMT 10:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 4.2 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\atiesrxx.exe
C:\Program Files\Common Files\logishrd\LVMVFM\UMVPFSrv.exe
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Nuance\dgnsvc.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\ASUS\GPU Boost Driver\GpuBoostServer.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Logitech\LWS\Webcam Software\LWS.exe
C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Logitech\Vid HD\Vid.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\ProgramData\FLEXnet\Connect\11\ISUSPM.exe
C:\Program Files\PC Drivers HeadQuarters\Driver Detective\DriversHQ.DriverDetective.Client.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\LogiShrd\sp6\LU\LULnchr.exe
C:\Program Files\Common Files\LogiShrd\sp6\LU\LogitechUpdate.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_171.exe
C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_6_602_171.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\system32\notepad.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uURLSearchHooks: Serif PagePlus Toolbar: {1f32b6ba-1806-4e09-b750-3d61209f70f5} - c:\program files\serif_pageplus\prxtbSeri.dll
uURLSearchHooks: <No Name>:  - LocalServer32 - <no file>
mURLSearchHooks: Serif PagePlus Toolbar: {1f32b6ba-1806-4e09-b750-3d61209f70f5} - c:\program files\serif_pageplus\prxtbSeri.dll
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Serif PagePlus Toolbar: {1f32b6ba-1806-4e09-b750-3d61209f70f5} - c:\program files\serif_pageplus\prxtbSeri.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - c:\program files\windows live\companion\companioncore.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Logitech SetPoint: {AF949550-9094-4807-95EC-D1C317803333} - c:\program files\logitech\setpointp\SetPointSmooth.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: SpeedBit Video Downloader: {0329E7D6-6F54-462D-93F6-F5C3118BADF2} -
TB: Serif PagePlus Toolbar: {1F32B6BA-1806-4E09-B750-3D61209F70F5} - c:\program files\serif_pageplus\prxtbSeri.dll
TB: Serif PagePlus Toolbar: {1f32b6ba-1806-4e09-b750-3d61209f70f5} - c:\program files\serif_pageplus\prxtbSeri.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Logitech Vid] "c:\program files\logitech\vid hd\Vid.exe" -bootmode
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ISUSPM] c:\programdata\flexnet\connect\11\ISUSPM.exe -scheduler
uRun: [Driver Detective] c:\program files\pc drivers headquarters\driver detective\DriversHQ.DriverDetective.Client.exe /applicationMode:systemTray /showWelcome:false
mRun: [Samsung PanelMgr] c:\windows\samsung\panelmgr\ssmmgr.exe /autorun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LWS] c:\program files\logitech\lws\webcam software\LWS.exe -hide
mRun: [NUSB3MON] "c:\program files\renesas electronics\usb 3.0 host controller driver\application\nusb3mon.exe"
mRun: [DNS7reminder] "c:\program files\nuance\naturallyspeaking11\ereg\ereg.exe" -r "c:\programdata\nuance\naturallyspeaking11\Ereg.ini"
mRun: [RTHDVCPL] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AMD AVT] Cmd.exe /c start "AMD Accelerated Video Transcoding device initialization" /min "c:\program files\amd avt\bin\kdbsync.exe" aml
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_09-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 10.0.0.138
TCP: Interfaces\{8A6DD2E2-D790-4689-97BA-A74593B3AAC5} : DHCPNameServer = 10.0.0.138
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WebCheck - <orphaned>
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\25.0.1364.152\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\rabecca\appdata\roaming\mozilla\firefox\profiles\ya7cys6j.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.au/
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/gamers_tbar/ws/redir?_iceUrl=true&user_id=59308381&tool_id=62781&qkw=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_171.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npmproxy.dll
.
============= SERVICES / DRIVERS ===============
.
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-7-4 217088]
R2 AODDriver4.1;AODDriver4.1;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2012-3-5 45184]
R2 DragonSvc;Dragon Service;c:\program files\common files\nuance\dgnsvc.exe [2011-6-5 296808]
R2 eamonm;eamonm;c:\windows\system32\drivers\eamonm.sys [2010-12-21 137144]
R2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
R2 epfwwfp;epfwwfp;c:\windows\system32\drivers\epfwwfp.sys [2010-12-21 41336]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2011-9-3 1153368]
R2 SSPORT;SSPORT;c:\windows\system32\drivers\SSPORT.SYS [2011-2-18 5120]
R2 UMVPFSrv;UMVPFSrv;c:\program files\common files\logishrd\lvmvfm\UMVPFSrv.exe [2012-1-18 450848]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2011-9-3 37944]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdW73.sys [2012-2-23 86544]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [2010-12-10 62336]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [2010-12-10 141440]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-6-10 394856]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Samsung UPD Service2;Samsung UPD Service2;c:\windows\system32\SUPDSvc2.exe [2012-12-27 129536]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-7-1 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2011-2-18 1343400]
S4 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2012-7-4 291840]
.
=============== Created Last 30 ================
.
2013-03-06 02:08:01    --------    d-----w-    c:\users\rabecca\Doctor Web
2013-03-06 01:27:40    --------    d-----w-    c:\users\rabecca\appdata\local\{F3EAF7D2-5DEC-454D-9B98-DFB5B46A9224}
2013-03-06 00:46:15    --------    d-sh--w-    C:\$RECYCLE.BIN
2013-03-06 00:36:47    98816    ----a-w-    c:\windows\sed.exe
2013-03-06 00:36:47    256000    ----a-w-    c:\windows\PEV.exe
2013-03-06 00:36:47    208896    ----a-w-    c:\windows\MBR.exe
2013-03-05 18:16:23    6954968    ----a-w-    c:\programdata\microsoft\windows defender\definition updates\{a09ca5eb-fb67-4b85-b075-8b31a5b65564}\mpengine.dll
2013-03-05 12:45:01    --------    d-----w-    c:\users\rabecca\appdata\local\Programs
2013-03-05 11:53:08    14664    ----a-w-    c:\windows\stinger.sys
2013-03-05 11:52:08    --------    d-----w-    c:\program files\stinger
2013-03-05 07:15:53    --------    d-----w-    c:\users\rabecca\appdata\local\{AB46EC76-A6FE-41A8-9FC1-657BF8BB02BA}
2013-03-04 19:15:36    --------    d-----w-    c:\users\rabecca\appdata\local\{D8FC0591-1A0A-4D04-AA22-FB58F9603AC1}
2013-03-04 07:15:25    --------    d-----w-    c:\users\rabecca\appdata\local\{A61B45A5-CBD0-4630-9FC5-4853F01F2DD4}
2013-03-03 19:15:13    --------    d-----w-    c:\users\rabecca\appdata\local\{2C39ABA2-6ABD-447A-A617-EAA2A0F38D6B}
2013-03-03 07:15:02    --------    d-----w-    c:\users\rabecca\appdata\local\{D1C6A402-D335-405E-B2DF-2A26791AC43C}
2013-03-02 19:14:51    --------    d-----w-    c:\users\rabecca\appdata\local\{A54B4112-A130-47F4-BD0C-62CA8323731F}
2013-03-02 09:53:09    --------    d-----w-    c:\users\rabecca\workspace
2013-03-02 09:49:07    --------    d-----w-    c:\users\rabecca\eclipse
2013-03-02 09:09:22    --------    d-----w-    C:\Python33
2013-03-02 09:09:02    --------    d-----w-    c:\windows\pss
2013-03-02 07:13:57    --------    d-----w-    c:\users\rabecca\appdata\local\{A8BC12FC-24E0-4D85-8012-4C202680911B}
2013-03-01 22:50:51    --------    d-----w-    c:\users\rabecca\appdata\local\{7DCECF6A-33BD-409F-BC44-BDC0A3FF051A}
2013-03-01 10:50:52    --------    d-----w-    c:\users\rabecca\appdata\local\{B92DAF42-ECBC-4707-B8B0-58ABF989A75A}
2013-02-28 00:35:35    --------    d-----w-    c:\users\rabecca\appdata\local\{AFEA7703-20CC-4D88-ABBE-3C5D31C23663}
2013-02-27 12:35:36    --------    d-----w-    c:\users\rabecca\appdata\local\{4FD682EE-CFF9-4D6B-B095-76E88DB18950}
2013-02-21 13:11:55    768000    ----a-w-    c:\program files\common files\microsoft shared\vgx\VGX.dll
2013-02-20 20:13:58    --------    d-----w-    c:\users\rabecca\appdata\local\{E54DF977-AF1F-4288-97F3-A5ACB5E1BF49}
2013-02-20 08:13:47    --------    d-----w-    c:\users\rabecca\appdata\local\{A22B8911-F394-444B-843F-D88F5BA44BF5}
2013-02-19 20:13:35    --------    d-----w-    c:\users\rabecca\appdata\local\{B628E446-415E-4336-AE65-0ADD628D8FF2}
2013-02-19 08:13:24    --------    d-----w-    c:\users\rabecca\appdata\local\{4A38C9C3-41E8-45F1-A57F-5FFF2A44C34F}
2013-02-18 20:13:13    --------    d-----w-    c:\users\rabecca\appdata\local\{95800E02-8F91-4872-9088-BC52EDA4A626}
2013-02-18 08:13:01    --------    d-----w-    c:\users\rabecca\appdata\local\{518F73DF-1C06-4C24-90FC-1089BB3C267E}
2013-02-17 20:12:50    --------    d-----w-    c:\users\rabecca\appdata\local\{D2D156A6-576B-421F-BDD1-B3BF3A7B2055}
2013-02-17 08:12:38    --------    d-----w-    c:\users\rabecca\appdata\local\{CB24139D-8D46-4F03-9F2E-9C5F16EEECE3}
2013-02-16 20:12:27    --------    d-----w-    c:\users\rabecca\appdata\local\{4D01367B-8234-4AA3-BBEE-9D823FAD234A}
2013-02-16 08:12:15    --------    d-----w-    c:\users\rabecca\appdata\local\{FEDC88F7-17A2-4F70-8811-93BB6A3DB72C}
2013-02-15 22:31:23    186432    ----a-w-    c:\program files\internet explorer\plugins\nppdf32.dll
2013-02-15 20:12:04    --------    d-----w-    c:\users\rabecca\appdata\local\{CAFB40D4-23B1-4836-9DAA-DBCF50DA1FBF}
2013-02-15 08:11:53    --------    d-----w-    c:\users\rabecca\appdata\local\{04CB887B-DF4C-4350-B8A5-E691AFC147DE}
2013-02-14 20:11:41    --------    d-----w-    c:\users\rabecca\appdata\local\{B69177CD-89AA-4771-A7DA-4BB3627599F1}
2013-02-14 08:11:30    --------    d-----w-    c:\users\rabecca\appdata\local\{C02C9A48-4614-4F53-AC0F-763D0EE0BD82}
2013-02-14 03:23:31    2347008    ----a-w-    c:\windows\system32\win32k.sys
2013-02-14 03:23:22    3967848    ----a-w-    c:\windows\system32\ntkrnlpa.exe
2013-02-14 03:23:21    3913064    ----a-w-    c:\windows\system32\ntoskrnl.exe
2013-02-14 03:23:19    187752    ----a-w-    c:\windows\system32\drivers\FWPKCLNT.SYS
2013-02-14 03:23:19    1293672    ----a-w-    c:\windows\system32\drivers\tcpip.sys
2013-02-14 03:23:17    169984    ----a-w-    c:\windows\system32\winsrv.dll
2013-02-13 20:11:18    --------    d-----w-    c:\users\rabecca\appdata\local\{F6217654-D8DF-4879-9836-EC30E2D712A6}
2013-02-13 08:11:07    --------    d-----w-    c:\users\rabecca\appdata\local\{2C54ACE1-FF95-40D3-899D-271518B4E66B}
2013-02-12 20:10:56    --------    d-----w-    c:\users\rabecca\appdata\local\{720A9641-C3C3-4F8F-BCD0-FCE87E39D4F6}
2013-02-12 08:10:44    --------    d-----w-    c:\users\rabecca\appdata\local\{310A4350-D85F-4C18-BAA4-DE684EC7BED1}
2013-02-11 20:10:33    --------    d-----w-    c:\users\rabecca\appdata\local\{513F232D-9545-4F16-9A67-8800612D0FB2}
2013-02-11 08:10:09    --------    d-----w-    c:\users\rabecca\appdata\local\{2F94EDA2-3FE6-49C7-9A8F-FA8B09184B50}
2013-02-10 20:09:58    --------    d-----w-    c:\users\rabecca\appdata\local\{7C29DB96-27B3-4E1C-9504-A900C6D349D3}
2013-02-10 08:09:47    --------    d-----w-    c:\users\rabecca\appdata\local\{EAECAD7B-BE29-45E6-8557-3F49504B81C6}
2013-02-09 20:09:35    --------    d-----w-    c:\users\rabecca\appdata\local\{542D2B30-8F00-4045-AEE6-266A1433A36A}
2013-02-09 08:09:24    --------    d-----w-    c:\users\rabecca\appdata\local\{126FBDCF-5CAA-415D-9337-07DB8E7605CD}
2013-02-08 20:09:13    --------    d-----w-    c:\users\rabecca\appdata\local\{020B6C5B-8A52-44A5-BA2E-82A46FD696FB}
2013-02-08 08:09:01    --------    d-----w-    c:\users\rabecca\appdata\local\{3ABED66D-D668-476A-8323-86FB5C8BA4F2}
2013-02-07 20:08:50    --------    d-----w-    c:\users\rabecca\appdata\local\{D9A4A37F-722F-42E0-8866-5C0F61121923}
2013-02-07 08:08:38    --------    d-----w-    c:\users\rabecca\appdata\local\{A68B18C4-06F6-4F8F-B5B5-0AD75D4BDC3F}
2013-02-06 20:08:27    --------    d-----w-    c:\users\rabecca\appdata\local\{7EC1C7C7-ED8D-4167-9354-D112292BCB8A}
2013-02-06 08:08:16    --------    d-----w-    c:\users\rabecca\appdata\local\{3F4E7822-AE79-4A1D-BC88-C34F684A5E14}
2013-02-05 20:08:04    --------    d-----w-    c:\users\rabecca\appdata\local\{62CCB5D5-DBCE-41BE-B6C1-8E0469167173}
2013-02-05 08:07:53    --------    d-----w-    c:\users\rabecca\appdata\local\{280D3619-80EA-46AB-8A4A-1FB752BDEFAF}
2013-02-04 20:07:42    --------    d-----w-    c:\users\rabecca\appdata\local\{08F31B7B-D9A1-4541-9E7A-0F1DD3E2D09C}
.
==================== Find3M  ====================
.
2013-03-02 06:31:16    71024    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-02 06:31:16    691568    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-01-16 15:28:58    232336    ------w-    c:\windows\system32\MpSigStub.exe
2013-01-08 22:11:21    1800704    ----a-w-    c:\windows\system32\jscript9.dll
2013-01-08 22:03:20    1129472    ----a-w-    c:\windows\system32\wininet.dll
2013-01-08 22:03:12    1427968    ----a-w-    c:\windows\system32\inetcpl.cpl
2013-01-08 21:59:02    142848    ----a-w-    c:\windows\system32\ieUnatt.exe
2013-01-08 21:58:29    420864    ----a-w-    c:\windows\system32\vbscript.dll
2013-01-08 21:56:23    2382848    ----a-w-    c:\windows\system32\mshtml.tlb
2012-12-27 09:14:30    16400    ----a-w-    c:\windows\system32\drivers\LNonPnP.sys
2012-12-24 07:06:14    93640    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2012-12-24 07:06:13    859072    ----a-w-    c:\windows\system32\npDeployJava1.dll
2012-12-24 07:06:13    779704    ----a-w-    c:\windows\system32\deployJava1.dll
2012-12-16 14:13:28    295424    ----a-w-    c:\windows\system32\atmfd.dll
2012-12-16 14:13:20    34304    ----a-w-    c:\windows\system32\atmlib.dll
2012-12-14 06:49:28    21104    ----a-w-    c:\windows\system32\drivers\mbam.sys
2012-12-07 12:26:17    308736    ----a-w-    c:\windows\system32\Wpc.dll
2012-12-07 12:20:43    2576384    ----a-w-    c:\windows\system32\gameux.dll
.
============= FINISH: 22:05:34.31 ===============

thank you

Rebecca

Edited by vitalgirl, 06 March 2013 - 07:17 AM.
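The CBL notice quoted above asks that, if the sinkhole is firewalled at all, the firewall be instrumented so the internal machine behind the NAT can be identified. The following is an added example, not part of the original post and not CBL's or BleepingComputer's code, showing one way to do that after the fact from exported firewall and DNS logs. It reuses the sinkhole address 87.255.51.230:443 and the C&C domain ckadkvltviespq.com quoted in the notice; the key=value log format, the internal addresses 192.168.1.23 and 192.168.1.40, the other destination address and the sample lines themselves are constructed for the example. It goes slightly beyond the notice by also flagging DNS lookups of the C&C domain, since a lookup from an internal host points at the same machine.

```python
import re
from collections import Counter

# Sinkhole address and C&C domain exactly as quoted in the CBL notice.
SINKHOLE_IPS = {"87.255.51.230"}
CNC_DOMAINS = {"ckadkvltviespq.com"}

# Constructed sample log lines in an assumed key=value firewall/DNS format.
# None of these come from the original post or from a real device.
SAMPLE_LOG = """\
2013-03-02T11:12:58Z fw01 DNS query=ckadkvltviespq.com src=192.168.1.23
2013-03-02T11:13:13Z fw01 ALLOW TCP src=192.168.1.23:1318 dst=87.255.51.230:443
2013-03-02T11:13:40Z fw01 ALLOW TCP src=192.168.1.40:51022 dst=173.194.38.99:443
2013-03-02T11:25:02Z fw01 DNS query=www.google.com src=192.168.1.40
2013-03-02T12:02:07Z fw01 ALLOW TCP src=192.168.1.23:1330 dst=87.255.51.230:443
"""

# "<timestamp> <device> <action> TCP src=<ip>:<port> dst=<ip>:<port>"
CONN_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+\S+\s+TCP\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)
# "<timestamp> <device> DNS query=<name> src=<ip>"
DNS_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+DNS\s+query=(?P<name>\S+)\s+src=(?P<src>[\d.]+)"
)


def sinkhole_hits(log_text, sinkhole_ips=SINKHOLE_IPS, cnc_domains=CNC_DOMAINS):
    """Return one dict per log line in which an internal host either opens a
    connection to a sinkhole address or resolves a C&C domain. Each dict
    carries the timestamp, the internal source address, the source port (for
    connections) and the indicator that matched."""
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if m and m["dst"] in sinkhole_ips:
            hits.append({
                "ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
                "kind": "connection", "indicator": f"{m['dst']}:{m['dport']}",
            })
            continue
        m = DNS_RE.match(line)
        if m and m["name"].lower().rstrip(".") in cnc_domains:
            hits.append({
                "ts": m["ts"], "src": m["src"], "sport": None,
                "kind": "dns", "indicator": m["name"],
            })
    return hits


def suspect_hosts(log_text, **kw):
    """Count indicator hits per internal source address. The CBL only sees the
    shared public IP; this is the per-host attribution it asks you to do."""
    return Counter(h["src"] for h in sinkhole_hits(log_text, **kw))


if __name__ == "__main__":
    for h in sinkhole_hits(SAMPLE_LOG):
        print(f"{h['ts']} {h['src']} {h['kind']} -> {h['indicator']}")
    for host, n in suspect_hosts(SAMPLE_LOG).most_common():
        print(f"{host}: {n} indicator hit(s)")
```

Run as-is it reports the three matching lines and attributes all of them to 192.168.1.23, which is the host to take off the network and clean before asking for delisting; the unrelated traffic from 192.168.1.40 is ignored. Connections are matched on destination only, so a repeat contact from a new source port (1330 in the sample, 1318 in the notice) is still caught.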


#2 vitalgirl

Posted 07 March 2013 - 08:39 PM

Hi
After reading more about it I decided to reformat and reinstall Windows etc.
thanks
Rebecca



#3 Orange Blossom

Posted 07 March 2013 - 08:54 PM

Thank you for letting us know. Under the circumstances, that was the best and safest choice.

Happy computing,

Orange Blossom :cherry: