Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Hoping you can check my logs to see if I am clean

Started by scoooter , Mar 06 2010 07:47 AM

  • Please log in to reply

#1
scoooter
Posted 06 March 2010 - 07:47 AM

scoooter

    New Member

  • Member
  • Pip
  • 1 posts
Got the Anti-virus soft virus more then a couple of weeks ago and was pretty sure I got it all. One of the things it did was attack my Hotmail account and send emails out to everyone in my contact list and my girlfriend got the (something) essentials 2010. (I might post about that later if I have problems. I was going to use the Hirens 10.2 boot disk and see if I could finish it off.) After I thought I was clean I received an email from her with a couple of pictures of the kids. I opened one but not the other. The problem is she didn’t send me the email.Some varous scans came up with a few trojans an malware. I have used various spy-ware and malware removal tools and have the logs if you want to see them. So I am hoping you can take a look at my logs and see if you see any discrepancies. I'm want to make sure I don't have anything hiding.

I have used the basics and quarantined quit a bit of trojans and others. I have used Malwarebytes (Which I used first and didn't completely remove Anti-virus Soft.) SuperAntiSpyware, HyjackThis, Spybot, RootKitBuster, (I wasn't sure how interpret the log and what to do) SpyWareBuster, Combofix, a-squared Free, (Which I uninstalled because I could not remove the a2squared.exe from my start-up list) Dr.Web, (I had a warning on Combofix about a possible Varuit but it didn't find one) Norman Malware Cleaner, CCleaner, ATF Cleaner, Ran scans with Trend Micro Housecall and Avast (uninstalled avast and all remnants of past anti-virus software.) I think that’s it. I have the logs if you wish to see them.


DDS (Ver_09-12-01.01) - NTFSx86
Run by Owner at 2:23:36.06 on Wed 03/03/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1005 [GMT -8:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\lxdxcoms.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 3600-4600 Series\lxdxmon.exe
C:\Program Files\Lexmark 3600-4600 Series\lxdxMsdMon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Avira\AntiVir Desktop\avscan.exe
C:\Documents and Settings\Owner\My Documents\My Downloads\dds(2).scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mLocal Page = hxxp://news.google.com
mStart Page = hxxp://news.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Control Popups in Internet Explorer: {41353f8b-78ce-48a5-be44-153ed293d192} - c:\progra~1\popupp~1\PopLib.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
mRun: [lxdxmon.exe] "c:\program files\lexmark 3600-4600 series\lxdxmon.exe"
mRun: [lxdxamon] "c:\program files\lexmark 3600-4600 series\lxdxamon.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\lm9qw8v9.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://news.google.com/nwshp?hl=en&tab=wn&q=
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\documents and settings\owner\application data\mozilla\firefox\profiles\lm9qw8v9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\lm9qw8v9.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1739.5352\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2004-8-27 116264]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-10-12 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 66632]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-3-2 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-3-2 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-11-11 56816]
R2 lxdx_device;lxdx_device;c:\windows\system32\lxdxcoms.exe -service --> c:\windows\system32\lxdxcoms.exe -service [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-3-2 11608]
S2 lxdxCATSCustConnectService;lxdxCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxdxserv.exe [2009-4-9 94208]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 12872]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-03-03 04:29:49 0 dc----w- c:\program files\Avira
2010-03-03 04:29:49 0 dc----w- c:\docume~1\alluse~1.win\applic~1\Avira
2010-03-03 03:15:08 0 dcs---w- C:\gogo
2010-03-02 07:56:39 0 dc----w- c:\program files\VirusTotalUploader2
2010-03-02 07:35:29 0 dc----w- c:\docume~1\owner\applic~1\QuickScan
2010-03-01 10:44:41 0 -c--a-w- c:\documents and settings\owner\defogger_reenable
2010-02-28 12:28:50 0 dc----w- c:\documents and settings\owner\DoctorWeb
2010-02-27 18:59:26 38224 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-27 18:59:23 19160 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-02-27 18:59:23 0 dc----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-27 18:18:19 7380 -c--a-w- c:\windows\system32\winspy.tlb
2010-02-27 00:05:17 0 dc----w- c:\program files\a-squared Free
2010-02-24 22:52:11 0 dc----w- c:\program files\SpywareBlaster
2010-02-24 03:59:47 0 dc----w- C:\!KillBox
2010-02-22 07:56:27 130 -c--a-w- c:\documents and settings\owner\webct_upload_applet.properties
2010-02-19 20:35:49 0 dc----w- c:\program files\JRE
2010-02-18 00:52:04 0 dcsha-r- C:\cmdcons
2010-02-18 00:51:22 98816 -c--a-w- c:\windows\sed.exe
2010-02-18 00:51:22 77312 -c--a-w- c:\windows\MBR.exe
2010-02-18 00:51:22 261632 -c--a-w- c:\windows\PEV.exe
2010-02-18 00:51:22 161792 -c--a-w- c:\windows\SWREG.exe
2010-02-18 00:16:25 25699 -c--a-w- c:\windows\system32\nvdisp.nvu
2010-02-18 00:16:25 0 dc----w- c:\windows\nview
2010-02-17 23:49:11 0 dc----w- c:\windows\NV6561000.TMP
2010-02-17 21:29:39 0 dc----w- C:\ppchjt
2010-02-17 20:27:20 0 dc----w- c:\windows\NV5601636.TMP
2010-02-17 20:05:23 0 dc----w- c:\windows\nView-nv14756
2010-02-12 02:06:21 0 dc----w- c:\docume~1\alluse~1.win\applic~1\NVIDIA Corporation
2010-02-12 01:53:40 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-02-11 02:08:09 389120 -c--a-w- c:\windows\system32\CF30762.exe
2010-02-11 02:01:17 0 dc----w- C:\SDFix
2010-02-10 04:02:51 0 dc----w- c:\docume~1\owner\applic~1\Malwarebytes
2010-02-10 04:02:39 0 dc----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

==================== Find3M ====================

2010-03-03 04:49:59 56816 -c--a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-12 06:17:44 278120 -c--a-w- c:\windows\system32\nvmccs.dll
2010-01-12 06:17:44 154216 -c--a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 06:17:44 145000 -c--a-w- c:\windows\system32\nvcolor.exe
2010-01-12 06:17:44 13666408 -c--a-w- c:\windows\system32\nvcpl.dll
2010-01-12 06:17:44 110696 -c--a-w- c:\windows\system32\nvmctray.dll
2010-01-12 06:17:40 81920 -c--a-w- c:\windows\system32\nvwddi.dll
2010-01-05 10:00:29 832512 -c----w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 -c--a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 -c--a-w- c:\windows\system32\corpol.dll
2009-12-18 01:14:00 411368 -c--a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 -c--a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08:23 33280 -c--a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27:51 2189184 -c----w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43:50 2066048 -c----w- c:\windows\system32\ntkrnlpa.exe
2008-08-03 20:51:42 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008080320080804\index.dat

============= FINISH: 2:24:17.92 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-03 17:41:34
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\fxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT F7AA5316 ZwCreateKey
SSDT F7AA530C ZwCreateThread
SSDT F7AA531B ZwDeleteKey
SSDT F7AA5325 ZwDeleteValueKey
SSDT F7AA532A ZwLoadKey
SSDT F7AA52F8 ZwOpenProcess
SSDT F7AA52FD ZwOpenThread
SSDT F7AA5334 ZwReplaceKey
SSDT F7AA532F ZwRestoreKey
SSDT F7AA5320 ZwSetValueKey
SSDT F7AA5307 ZwTerminateProcess

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Fastfat \Fat SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 300
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----

Attached Files


  • 0

Advertisements

Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP