Welcome to The Spykiller

Author Topic: High Risk Worm Infection  (Read 1782 times)

ap09
Posts: 31
High Risk Worm Infection
« on: July 25, 2010, 14:18:04 »
Hi,

Last night I noticed that the homepage in Internet Explorer 8 had been changed from the MSN homepage to a poorly constructed website http: //a2articles. com/
A deep scan with Prevx 3.0 found no threats; however, a scan with Hitman Pro (Trial Expired) found a bunch of tracking cookies and a few suspicious entries, 3 of which could be false positives. (See Image)


The file was then uploaded to VirusTotal’s online service, which generated a report found online: http://www.virustotal.com/analisis/f84bf99fd47bc40e7983ba599406dcb4a90af491695bf13dc5ad7abbc8f3ba1d-1280063057

I am currently running Windows 7 64-bit and there are 7 user accounts on my computer, two of which are administrator accounts. My antivirus (NOD32) did not show any dialog screens during any scanning process. EDIT: I forgot to add that yesterday, before I noticed the change in the IE homepage, Windows Live Messenger continually loaded up from the taskbar. Killing the process via Task Manager did not stop it from loading up. I then uninstalled the application, thinking it was a software bug.

The DDS reports have been posted and attached as requested. However, when running GMER as an Admin, I received the following message: C:\Windows\system32\config\system: The system cannot find the file specified

A scan could still be carried out; however, the log file was blank after I saved it.



DDS LOG:


DDS (Ver_10-03-17.01) - NTFSX64  
Run by Suleman at 13:53:14.03 on 25/07/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Home Premium   6.1.7600.0.1252.44.1033.18.4095.2734 [GMT 1:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k apphost
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesService64.exe
C:\Windows\system32\svchost.exe -k iissvcs
C:\Program Files (x86)\Winstep\WsxService.exe
C:\Program Files (x86)\TuneUp Utilities 2010\TuneUpUtilitiesApp64.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\ASUS\EPU-4 Engine\FourEngine.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Users\Public\jusched.exe
C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\SysWow64\Macromed\Flash\FlashUtil10c.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Prevx\prevx.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Suleman\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://a2articles.com
mLocal Page = c:\windows\syswow64\blank.htm
mWinlogon: Userinit=userinit.exe
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files (x86)\orbitdownloader\orbitcth.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files (x86)\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files (x86)\java\jre6\bin\jp2ssv.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files (x86)\orbitdownloader\GrabPro.dll
uRun: [DriverMax_RESTART]
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Java developer Script Browse] c:\users\public\jusched.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files (x86)\orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~2\micros~3\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~2\micros~3\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {40F576AD-8680-4F9E-9490-99D069CD665F} - hxxp://srtest-cdn.systemrequirementslab.com.s3.amazonaws.com/bin/sysreqlabdetect.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {9F208E12-F95B-4571-96D0-DA0C9D67E6A1} = 194.168.4.100,194.168.8.100
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\SysWow64\DreamScene.dll
BHO-X64: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
mRun-x64: [RtHDVCpl] c:\program files\realtek\audio\hda\RAVCpl64.exe
mRun-x64: [Skytel] c:\program files\realtek\audio\hda\Skytel.exe
mRun-x64: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
STS-X64: Windows DreamScene: {E31004D1-A431-41B8-826F-E902F9D95C81} - %SystemRoot%\System32\DreamScene.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\suleman\appdata\roaming\mozilla\firefox\profiles\69wowzxb.default\
FF - component: c:\program files (x86)\orbitdownloader\addons\oneclickyoutubedownloader\components\GrabXpcom.dll
FF - plugin: c:\program files (x86)\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files (x86)\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files (x86)\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files (x86)\opera\program\plugins\np_gp.dll
FF - plugin: c:\users\suleman\appdata\local\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\users\suleman\appdata\roaming\mozilla\firefox\profiles\69wowzxb.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\windows\syswow64\macromed\flash\NPSWF32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files (x86)\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.proxy.type",                  5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size",  4096);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files (x86)\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation",  false);
c:\program files (x86)\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files (x86)\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [2009-12-9 34696]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-11-4 202752]
R2 CSIScanner;CSIScanner;c:\program files\prevx\prevx.exe [2009-12-12 6718336]
R2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\x86\ekrn.exe [2009-9-11 735960]
R2 epfwwfpr;epfwwfpr;c:\windows\system32\drivers\epfwwfpr.sys [2009-9-11 123200]
R2 pxrts;pxrts;c:\windows\system32\drivers\pxrts.sys [2009-12-9 56320]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files (x86)\tuneup utilities 2010\TuneUpUtilitiesService64.exe [2009-11-13 1353544]
R2 Winstep Xtreme Service;Winstep Xtreme Service;c:\program files (x86)\winstep\wsxservice --> c:\program files (x86)\winstep\WsxService [?]
R3 pxkbf;pxkbf;c:\windows\system32\drivers\pxkbf.sys [2009-12-9 22336]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files (x86)\tuneup utilities 2010\TuneUpUtilitiesDriver64.sys [2009-10-14 11856]
S2 SIMUL8Parallel;SIMUL8 Parallel Processor;c:\program files (x86)\simul8\SIMUL8_ParallelSVC.exe [2010-3-22 502272]
S3 nmwcdcx64;Nokia USB Generic;c:\windows\system32\drivers\ccdcmbox64.sys [2007-11-29 22528]
S3 nmwcdx64;Nokia USB Phone Parent;c:\windows\system32\drivers\ccdcmbx64.sys [2007-11-29 17920]
S3 pbfilter;pbfilter;c:\program files\peerblock\pbfilter.sys [2010-2-18 19544]
S3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\drivers\usbaapl64.sys [2009-8-28 49152]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-8 1255736]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;c:\program files (x86)\microsoft sql server\100\shared\sqladhlp.exe [2010-4-3 44896]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);c:\program files (x86)\microsoft sql server\mssql10_50.sqlexpress\mssql\binn\SQLAGENT.EXE [2010-4-3 367456]

=============== Created Last 30 ================

2010-07-25 01:43:40   0   d-----w-   c:\programdata\Innovative Solutions
2010-07-25 01:43:33   0   d-----w-   c:\program files (x86)\Innovative Solutions
2010-07-18 20:26:57   0   d-----w-   c:\program files (x86)\myphotobook
2010-07-17 21:02:03   0   d-----w-   C:\air freshner
2010-07-13 21:02:58   144384   ----a-w-   c:\windows\system32\cdd.dll

==================== Find3M  ====================

2010-07-25 12:33:29   19528   ----a-w-   c:\windows\system32\drivers\hitmanpro35.sys
2010-07-25 12:29:52   56320   ----a-w-   c:\windows\system32\drivers\pxrts.sys
2010-07-25 12:29:52   34696   ----a-w-   c:\windows\system32\drivers\pxscan.sys
2010-07-25 12:29:51   22336   ----a-w-   c:\windows\system32\drivers\pxkbf.sys
2010-06-01 17:57:59   0   ---ha-w-   c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_09_00.Wdf
2010-05-28 01:45:53   153376   ----a-w-   c:\windows\syswow64\javaws.exe
2010-05-28 01:45:53   145184   ----a-w-   c:\windows\syswow64\javaw.exe
2010-05-28 01:45:52   411368   ----a-w-   c:\windows\syswow64\deployJava1.dll
2010-05-28 01:45:52   145184   ----a-w-   c:\windows\syswow64\java.exe
2010-05-27 07:24:13   34304   ----a-w-   c:\windows\syswow64\atmlib.dll
2010-05-27 06:34:09   46080   ----a-w-   c:\windows\system32\atmlib.dll
2010-05-27 04:11:32   366080   ----a-w-   c:\windows\system32\atmfd.dll
2010-05-27 03:49:37   293888   ----a-w-   c:\windows\syswow64\atmfd.dll
2010-05-21 13:14:28   270208   ------w-   c:\windows\system32\MpSigStub.exe
2010-05-21 05:52:30   1192960   ----a-w-   c:\windows\system32\wininet.dll
2010-05-21 05:18:06   977920   ----a-w-   c:\windows\syswow64\wininet.dll
2010-05-21 05:14:50   48128   ----a-w-   c:\windows\syswow64\jsproxy.dll
2010-05-09 09:46:00   961024   ----a-w-   c:\windows\system32\CPFilters.dll
2010-05-09 09:45:57   552960   ----a-w-   c:\windows\system32\msdri.dll
2010-05-09 09:14:55   641536   ----a-w-   c:\windows\syswow64\CPFilters.dll
2010-05-06 12:42:05   1225216   ----a-w-   c:\windows\syswow64\urlmon.dll
2010-05-06 12:41:55   606208   ----a-w-   c:\windows\syswow64\mstime.dll
2010-05-06 12:41:53   64512   ----a-w-   c:\windows\syswow64\msfeedsbs.dll
2010-05-06 12:41:53   5970944   ----a-w-   c:\windows\syswow64\mshtml.dll
2010-05-06 12:41:49   381440   ----a-w-   c:\windows\syswow64\iedkcs32.dll
2010-05-06 12:41:49   10984448   ----a-w-   c:\windows\syswow64\ieframe.dll
2010-05-01 15:07:05   3122176   ----a-w-   c:\windows\system32\win32k.sys
2009-07-14 05:37:38   31548   ----a-w-   c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 05:37:38   31548   ----a-w-   c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 05:37:38   291294   ----a-w-   c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 05:37:38   291294   ----a-w-   c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:54:24   174   --sha-w-   c:\program files\desktop.ini
2009-07-14 04:54:24   174   --sha-w-   c:\program files (x86)\desktop.ini
2009-07-14 01:00:34   291294   ----a-w-   c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 01:00:34   291294   ----a-w-   c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 01:00:32   31548   ----a-w-   c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 01:00:32   31548   ----a-w-   c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 20:44:08   9633792   --sha-r-   c:\windows\fonts\StaticCache.dat
2010-01-22 12:20:52   245760   --sha-w-   c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-01-22 12:20:49   245760   --sha-w-   c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:39:53   398848   --sha-w-   c:\windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_4d4d1f2f696639a2\WinMail.exe
2009-07-14 01:14:45   396800   --sha-w-   c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe

============= FINISH: 13:53:44.38 ===============



[attachment deleted by admin]
« Last Edit: July 25, 2010, 17:32:15 by ap09 »


Derek
Administrator
Posts: 11929
Re: High Risk Worm Infection
« Reply #1 on: July 25, 2010, 17:35:54 »
GMER and most other (all) anti-rootkit detectors don't run on a 64-bit system, because none of them have signed drivers, which 64-bit insists on.

The likelihood of any serious infiltration of a 64-bit system is very low at this time, and standard antiviruses do deal with them very well.

The best solution is to do a System Restore to a date before this happened, so pick 2 days ago.

For the future, set UAC to the highest level so you are warned every time something tries to install, which would have prevented this.
Derek
Microsoft MVP  Windows - Security
Modern Malware is so involved and difficult to fix that it takes a very long time and a lot of hard work and research to prepare the fixes for you. A large part of my time is spent helping you
Would you do all this for nothing?
 I run this site to raise funds for Hedgehog Rescue
Please donate if I have helped you or you have found this site useful.
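The two things worth pulling out of the DDS log above are the changed start page and the `mRun` entry launching jusched.exe from C:\Users\Public, plus the UAC level Derek refers to (the log shows ConsentPromptBehaviorAdmin = 5). This is an added example, not code from the thread or from DDS: a small triage pass over the "Pseudo HJT Report" section that flags those patterns. The user-writable directory list and the expected Java install locations are assumptions written into the script; the msn.com expectation comes from the poster's own description of the original homepage.

```python
"""Triage the 'Pseudo HJT Report' section of a DDS log for autorun anomalies."""
import re
from urllib.parse import urlparse

# Lines copied from the Pseudo HJT Report in the DDS log posted in this thread.
DDS_EXCERPT = r"""
uStart Page = hxxp://a2articles.com
mLocal Page = c:\windows\syswow64\blank.htm
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files (x86)\orbitdownloader\orbitcth.dll
uRun: [DriverMax_RESTART]
mRun: [StartCCC] "c:\program files (x86)\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Java developer Script Browse] c:\users\public\jusched.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
TB-X64: {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - No File
mRun-x64: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
"""

RUN_RE = re.compile(r"^[um]Run(?:-x64)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
START_RE = re.compile(r"^[um]Start Page = (?P<url>\S+)", re.I)
UAC_RE = re.compile(r"^mPolicies-system: ConsentPromptBehaviorAdmin = (?P<val>\d+)", re.I)
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))\b', re.I)

# Directories any standard user can write to (assumed heuristic list, not exhaustive).
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp\\")
# Path fragments where the genuine binary lives (assumption: Java 6 era layout);
# the same filename anywhere else is masquerading.
EXPECTED_HOME = {"jusched.exe": ("\\java\\jre", "\\common files\\java\\")}


def target_path(cmd):
    """Pull the executable path out of a Run value, quoted or not, lower-cased."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path").lower() if m else ""


def triage_hjt(report, expected_start_hosts=("msn.com",)):
    """Return (severity, line, reason) tuples for entries worth a closer look."""
    findings = []
    for line in (l.strip() for l in report.splitlines()):
        if (m := START_RE.match(line)):
            # DDS defangs http as hxxp; undo that before parsing the host.
            host = urlparse(m.group("url").replace("hxxp", "http", 1)).hostname or ""
            if not any(host == h or host.endswith("." + h) for h in expected_start_hosts):
                findings.append(("high", line, f"start page changed to {host}"))
        elif (m := UAC_RE.match(line)):
            # 2 = consent prompt on the secure desktop, the slider's top setting.
            if int(m.group("val")) != 2:
                findings.append(("info", line, "UAC admin prompt below 'Always notify'"))
        elif line.endswith("- No File"):
            findings.append(("info", line, "orphaned registration, file missing"))
        elif (m := RUN_RE.match(line)):
            path = target_path(m.group("cmd"))
            base = path.rsplit("\\", 1)[-1]
            if not m.group("cmd"):
                findings.append(("low", line, "autorun with empty value"))
            elif any(d in path for d in USER_WRITABLE):
                findings.append(("high", line, f"autorun from user-writable dir: {path}"))
            elif base in EXPECTED_HOME and not any(h in path for h in EXPECTED_HOME[base]):
                findings.append(("high", line, f"{base} outside its normal install path"))
    return findings


if __name__ == "__main__":
    for sev, line, why in triage_hjt(DDS_EXCERPT):
        print(f"[{sev:4}] {why}\n        {line}")
```

Run against the excerpt it reports the hijacked start page and the Public-folder jusched.exe as high, the empty DriverMax autorun as low, and the UAC level and orphaned toolbar as informational.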

ap09
Posts: 31
Re: High Risk Worm Infection
« Reply #2 on: July 26, 2010, 00:32:45 »
Thanks for the reply Derek. I can remember the last time you helped me you advised me to use OTScanIt, which solved the problem.

Anyway, I've carried out a System Restore and the suspicious files are now gone. A scan with Hitman Pro revealed a few false positives, but the malware was not detected.

