
Recently infected with a trojan, am I clean now?


The other day I had an infection in my explorer.exe. AVG notified me that Packed.Upack had infected it, so I uploaded explorer.exe to VirusTotal and eSafe detected it as "Win32.Banker". I removed explorer.exe and restored it from my Windows XP CD. Then, curious, I downloaded MBAM and some other scanners; nothing else found anything, but MBAM found some Virtumonde viruses and quarantined them. I just want to make sure I'm safe now, because I need to change my passwords, as I had used them while these viruses were present.

Here's my MBAM log:

Malwarebytes' Anti-Malware 1.34
Database version: 1820
Windows 5.1.2600 Service Pack 3

3/5/2009 8:13:35 AM
mbam-log-2009-03-05 (08-13-35).txt

Scan type: Full Scan (C:\|E:\|F:\|G:\|)
Objects scanned: 189172
Time elapsed: 17 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\wextract.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
E:\@Programs\dotnetfx.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
G:\@Programs\dotnetfx.exe (Trojan.Vundo) -> Quarantined and deleted successfully.

HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:43:39 AM, on 3/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AlienGUIse\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sandboxie\SbieSvc.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AURORA-7500-R4&ai=636E3D33383830303526706F3D31373033393141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {348FE907-249E-4C65-A838-F34A193FE1D1} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Product Registration.lnk = C:\Program Files\Common Files\LogiShared\eReg\SetPoint\eReg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.alienware.com
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgemc.exe (file missing)
O23 - Service: AVG Free8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5620 bytes

Also, I have a ComboFix log. I'm a bit worried about all the system32\dllcache files that were created. Do you think they're all viruses hiding, or is that just from me using my Windows XP CD to restore damaged system files? I used the sfc /scannow option.

ComboFix log:

ComboFix 09-03-04.01 - MiyaDV 2009-03-06  1:22:51.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1674 [GMT -5:00]
Running from: c:\documents and settings\MiyaDV\Desktop\ComboFix.exe
 * Created a new restore point.
.
(((((((((((((((((((((((((   Files Created from 2009-02-06 to 2009-03-06  )))))))))))))))))))))))))))))))
.
2009-03-06 01:12 . 2009-03-06 01:12	<DIR>	d--------	c:\program files\CCleaner
2009-03-05 18:06 . 2009-03-05 18:06	<DIR>	d--------	C:\MGtools
2009-03-05 07:15 . 2009-03-05 07:16	3,184,816	--a------	C:\ccsetup217.exe
2009-03-05 06:26 . 2009-01-09 14:19	1,089,593	-----c---	c:\windows\system32\dllcache\ntprint.cat
2009-03-05 06:09 . 2009-03-05 06:09	<DIR>	d--------	c:\program files\Malwarebytes' Anti-Malware
2009-03-05 06:09 . 2009-02-11 10:19	38,496	--a------	c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-05 06:09 . 2009-02-11 10:19	15,504	--a------	c:\windows\system32\drivers\mbam.sys
2009-03-05 05:10 . 2001-08-17 13:28	794,654	--a--c---	c:\windows\system32\dllcache\usr1801.sys
2009-03-05 05:09 . 2001-08-17 22:36	525,568	--a--c---	c:\windows\system32\dllcache\tridxp.dll
2009-03-05 05:08 . 2001-08-17 14:01	241,664	--a--c---	c:\windows\system32\dllcache\tosdvd02.sys
2009-03-05 05:07 . 2001-08-17 12:18	285,760	--a--c---	c:\windows\system32\dllcache\stlnata.sys
2009-03-05 05:06 . 2001-08-17 22:36	238,592	--a--c---	c:\windows\system32\dllcache\sisgrv.dll
2009-03-05 05:05 . 2001-08-17 22:36	495,616	--a--c---	c:\windows\system32\dllcache\sblfx.dll
2009-03-05 05:04 . 2001-08-17 13:28	899,146	--a--c---	c:\windows\system32\dllcache\r2mdkxga.sys
2009-03-05 05:03 . 2008-04-14 05:42	363,520	--a--c---	c:\windows\system32\dllcache\psisdecd.dll
2009-03-05 05:02 . 2001-08-17 14:05	351,616	--a--c---	c:\windows\system32\dllcache\ovcodek2.sys
2009-03-05 05:01 . 2001-08-17 12:50	198,144	--a--c---	c:\windows\system32\dllcache\nv3.sys
2009-03-05 05:00 . 2001-08-17 12:50	320,384	--a--c---	c:\windows\system32\dllcache\mgaum.sys
2009-03-05 04:59 . 2001-08-17 13:28	802,683	--a--c---	c:\windows\system32\dllcache\ltsm.sys
2009-03-05 04:58 . 2001-08-17 22:36	372,824	--a--c---	c:\windows\system32\dllcache\iconf32.dll
2009-03-05 04:57 . 2008-04-14 05:41	702,845	--a--c---	c:\windows\system32\dllcache\i81xdnt5.dll
2009-03-05 04:56 . 2001-08-17 14:56	1,733,120	--a--c---	c:\windows\system32\dllcache\g400d.dll
2009-03-05 04:55 . 2001-08-17 12:17	629,952	--a--c---	c:\windows\system32\dllcache\eqn.sys
2009-03-05 04:54 . 2001-08-17 12:14	952,007	--a--c---	c:\windows\system32\dllcache\diwan.sys
2009-03-05 04:53 . 2001-08-17 12:13	980,034	--a--c---	c:\windows\system32\dllcache\cicap.sys
2009-03-05 04:52 . 2001-08-17 13:28	871,388	--a--c---	c:\windows\system32\dllcache\bcmdm.sys
2009-03-05 04:51 . 2001-08-17 13:28	762,780	--a--c---	c:\windows\system32\dllcache\3cwmcru.sys
2009-03-05 03:54 . 2009-03-05 03:54	<DIR>	d--------	c:\program files\SUPERAntiSpyware
2009-03-05 03:54 . 2009-03-05 03:54	<DIR>	d--------	c:\documents and settings\MiyaDV\Application Data\SUPERAntiSpyware.com
2009-03-05 03:54 . 2009-03-05 03:54	<DIR>	d--------	c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-05 03:41 . 2009-03-05 03:41	<DIR>	d--------	c:\documents and settings\MiyaDV\Application Data\Malwarebytes
2009-03-05 03:40 . 2009-03-05 03:40	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-05 03:21 . 2009-03-05 03:21	<DIR>	d--h-----	c:\windows\PIF
2009-03-05 02:30 . 2009-03-05 02:30	<DIR>	d--------	c:\documents and settings\MiyaDV\Application Data\Apple Computer
2009-03-05 02:30 . 2008-04-17 13:12	107,368	--a------	c:\windows\system32\GEARAspi.dll
2009-03-05 02:30 . 2008-04-17 13:12	15,464	--a------	c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-05 02:29 . 2009-03-05 02:29	<DIR>	d--------	c:\program files\QuickTime
2009-03-05 02:29 . 2009-03-05 02:29	<DIR>	d--------	c:\program files\iTunes
2009-03-05 02:29 . 2009-03-05 02:29	<DIR>	d--------	c:\program files\iPod
2009-03-05 02:29 . 2009-03-05 02:29	<DIR>	d--------	c:\program files\Bonjour
2009-03-05 02:29 . 2009-03-05 02:29	<DIR>	d--------	c:\program files\Apple Software Update
2009-03-05 02:29 . 2009-03-05 02:29	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Apple Computer
2009-03-05 02:29 . 2009-03-05 02:29	<DIR>	d--------	c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-03-05 02:28 . 2009-03-05 02:29	<DIR>	d--------	c:\program files\Common Files\Apple
2009-03-05 02:28 . 2009-03-05 02:28	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Apple
2009-03-05 02:25 . 2009-03-05 02:25	<DIR>	d--------	c:\documents and settings\All Users\Application Data\FLEXnet
2009-03-05 02:19 . 2009-03-05 02:19	<DIR>	d--------	c:\program files\Adobe Media Player
2009-03-05 02:18 . 2009-03-05 02:18	<DIR>	d--------	c:\program files\Common Files\Adobe AIR
2009-03-05 02:15 . 2009-03-05 02:15	<DIR>	d--------	c:\program files\Common Files\Macrovision Shared
2009-03-05 01:59 . 2009-03-05 01:59	<DIR>	d--------	C:\Sandbox
2009-03-05 01:51 . 2009-03-05 07:44	1,300	--a------	c:\windows\Sandboxie.ini
2009-03-05 01:50 . 2009-03-05 01:50	<DIR>	d--------	c:\program files\Sandboxie
2009-03-05 01:34 . 2009-03-05 01:34	<DIR>	d--------	c:\program files\Common Files\Adobe Systems Shared
2009-03-05 01:34 . 2009-03-05 01:34	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Adobe Systems
2009-03-05 00:40 . 2009-03-05 00:40	31	--a------	c:\windows\GunzLauncher.INI
2009-03-05 00:39 . 2009-03-05 00:39	<DIR>	d--------	c:\program files\EA GAMES
2009-03-05 00:27 . 2009-03-05 00:27	<DIR>	d--------	C:\ijji
2009-03-05 00:27 . 2009-03-05 00:38	<DIR>	d--h-----	c:\documents and settings\MiyaDV\Application Data\ijjigame
2009-03-05 00:26 . 2009-03-05 00:26	<DIR>	d--------	c:\documents and settings\All Users\Application Data\IJJIGame
2009-03-04 23:57 . 2009-03-04 23:57	<DIR>	d--------	c:\documents and settings\MiyaDV\Application Data\Media Player Classic
2009-03-04 23:49 . 2008-04-14 00:15	26,368	--a--c---	c:\windows\system32\dllcache\usbstor.sys
2009-03-04 23:44 . 2008-11-13 15:18	1,221,008	--a------	c:\windows\system32\zpeng25.dll
2009-03-04 23:38 . 2009-03-04 23:38	<DIR>	d--------	c:\windows\Downloaded Installations
2009-03-04 23:38 . 2009-03-04 23:38	<DIR>	d--------	c:\program files\Pro Imaging Powertoys
2009-03-04 23:37 . 2009-03-04 23:37	<DIR>	d--------	c:\program files\CoreAVC Pro
2009-03-04 23:36 . 2009-03-04 23:36	<DIR>	d--------	c:\program files\Combined Community Codec Pack
2009-03-04 23:32 . 2009-03-04 23:32	35,365	--a------	c:\windows\system32\uninstHelixYUV.exe
2009-03-04 23:32 . 2009-03-04 23:59	116	--a------	c:\windows\NeroDigital.ini
2009-03-04 23:30 . 2009-03-04 23:30	<DIR>	d--------	c:\program files\Xvid
2009-03-04 23:30 . 2009-03-04 23:30	<DIR>	d--------	c:\program files\DVD Decrypter
2009-03-04 23:30 . 2006-11-01 14:52	765,952	--a------	c:\windows\system32\xvidcore.dll
2009-03-04 23:30 . 2006-11-01 14:54	180,224	--a------	c:\windows\system32\xvidvfw.dll
2009-03-04 23:30 . 2006-11-01 15:26	77,824	--a------	c:\windows\system32\xvid.ax
2009-03-04 23:29 . 2009-03-04 23:29	<DIR>	d--------	c:\program files\AviSynth 2.5
2009-03-04 23:28 . 2009-03-04 23:32	<DIR>	d--------	c:\program files\AMVApp
2009-03-04 23:26 . 2009-03-04 23:26	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Electronic Arts
2009-03-04 23:20 . 2009-03-04 23:20	<DIR>	d--------	c:\windows\system32\XPSViewer
2009-03-04 23:20 . 2009-03-04 23:20	<DIR>	d--------	c:\program files\Reference Assemblies
2009-03-04 23:20 . 2009-03-04 23:20	<DIR>	d--------	c:\program files\MSBuild
2009-03-04 23:20 . 2008-07-06 07:06	1,676,288	---------	c:\windows\system32\xpssvcs.dll
2009-03-04 23:20 . 2008-07-06 07:06	1,676,288	-----c---	c:\windows\system32\dllcache\xpssvcs.dll
2009-03-04 23:20 . 2008-07-06 05:50	597,504	-----c---	c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-04 23:20 . 2008-07-06 07:06	575,488	---------	c:\windows\system32\xpsshhdr.dll
2009-03-04 23:20 . 2008-07-06 07:06	575,488	-----c---	c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-04 23:20 . 2008-07-06 07:06	117,760	---------	c:\windows\system32\prntvpt.dll
2009-03-04 23:20 . 2008-07-06 07:06	89,088	-----c---	c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-04 23:09 . 2009-03-04 23:09	<DIR>	d--------	c:\program files\Sonic Foundry
2009-03-04 23:08 . 2009-03-04 23:08	<DIR>	d--------	c:\program files\Magic Bullet Editors 2.0 Vegas
2009-03-04 23:08 . 2004-03-29 15:23	90,112	--a------	c:\windows\unvise32.exe
2009-03-04 23:06 . 2009-03-04 23:06	<DIR>	d--------	c:\documents and settings\MiyaDV\Application Data\Publish Providers
2009-03-04 23:00 . 2009-03-04 23:00	<DIR>	d--------	c:\program files\Velvetmatter
2009-03-04 23:00 . 2009-03-05 19:53	<DIR>	d--h-----	C:\$AVG8.VAULT$
2009-03-04 22:58 . 2009-03-04 22:58	<DIR>	d--------	c:\program files\Microsoft SQL Server
2009-03-04 22:58 . 2009-03-04 23:06	<DIR>	d--------	c:\documents and settings\MiyaDV\Application Data\Sony
2009-03-04 22:58 . 1998-10-29 15:45	306,688	--a------	c:\windows\IsUninst.exe
2009-03-04 22:58 . 2002-12-17 16:23	33,340	---------	c:\windows\system32\dbmsqlgc.dll
2009-03-04 22:58 . 2002-10-20 14:05	24,576	---------	c:\windows\system32\dbmsgnet.dll
2009-03-04 22:57 . 2009-03-04 22:57	<DIR>	d--------	c:\program files\Vstplugins
2009-03-04 22:57 . 2009-03-04 23:09	<DIR>	d--------	c:\program files\Sony
2009-03-04 22:57 . 2009-03-04 22:58	<DIR>	d--------	c:\documents and settings\All Users\Application Data\Sony
2009-03-04 22:52 . 2009-03-04 22:52	<DIR>	d--------	c:\program files\Sony Setup
2009-03-04 22:52 . 2009-03-04 22:52	<DIR>	d--------	c:\documents and settings\MiyaDV\Application Data\Sony Setup
2009-03-04 22:50 . 2009-03-04 22:50	<DIR>	d--------	c:\program files\megui
2009-03-04 22:49 . 2009-03-04 22:49	<DIR>	d--------	c:\program files\Jetico
2009-03-04 22:49 . 2009-03-04 22:49	<DIR>	d--------	C:\Fraps
2009-03-04 22:49 . 2009-03-04 22:49	<DIR>	d--------	c:\documents and settings\All Users\Application Data\TEMP
2009-03-04 22:48 . 2009-03-04 22:48	<DIR>	d--------	c:\program files\Xfire
2009-03-04 22:48 . 2009-03-04 22:48	<DIR>	d--------	c:\program files\ImageShack
2009-03-04 22:48 . 2009-03-04 22:48	<DIR>	d--------	c:\documents and settings\MiyaDV\Application Data\Xfire
2009-03-04 22:46 . 2009-03-04 22:46	<DIR>	d--------	c:\program files\Winamp
2009-03-04 22:45 . 2009-03-04 22:45	<DIR>	d--------	c:\program files\Audacity
2009-03-04 22:44 . 2009-03-04 22:44	<DIR>	d--------	C:\ProgramData
2009-03-04 22:44 . 2009-03-04 22:44	<DIR>	d--------	c:\program files\Electronic Arts
2009-03-04 22:41 . 2009-03-04 22:41	<DIR>	d--------	c:\windows\Logs
2009-03-04 22:41 . 2009-03-04 22:41	<DIR>	d--------	c:\program files\Lavalys
2009-03-04 22:41 . 2009-03-04 22:41	<DIR>	d--------	c:\program files\FlashFXP
2009-03-04 22:40 . 2009-03-04 22:40	<DIR>	d--------	c:\program files\Java
2009-03-04 22:40 . 2009-03-04 22:40	410,984	--a------	c:\windows\system32\deploytk.dll
2009-03-04 22:40 . 2009-03-04 22:40	73,728	--a------	c:\windows\system32\javacpl.cpl
2009-03-04 22:34 . 2005-02-01 14:20	5,760,056	--a------	c:\windows\Darkstar.bmp
2009-03-04 22:29 . 2008-12-20 18:15	6,066,688	-----c---	c:\windows\system32\dllcache\ieframe.dll
2009-03-04 22:29 . 2007-04-17 04:32	2,455,488	-----c---	c:\windows\system32\dllcache\ieapfltr.dat
2009-03-04 22:29 . 2007-03-08 00:10	991,232	-----c---	c:\windows\system32\dllcache\ieframe.dll.mui
2009-03-04 22:29 . 2008-12-20 18:15	459,264	-----c---	c:\windows\system32\dllcache\msfeeds.dll
2009-03-04 22:29 . 2008-12-20 18:15	383,488	-----c---	c:\windows\system32\dllcache\ieapfltr.dll
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 07:21	---------	d-----w	c:\program files\Common Files\Adobe
2009-03-05 03:44	---------	d--h--w	c:\program files\InstallShield Installation Information
2009-03-05 03:44	---------	d-----w	c:\program files\Common Files\InstallShield
2009-03-05 03:37	---------	d-----w	c:\program files\AlienGUIse
2009-03-05 03:12	---------	d-----w	c:\program files\Common Files\Stardock
2009-02-17 04:17	453,152	----a-w	c:\windows\system32\NVUNINST.EXE
2009-01-16 23:24	70,936	----a-w	c:\windows\system32\PhysXLoader.dll
2008-12-20 23:15	826,368	----a-w	c:\windows\system32\wininet.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
2001-12-20 23:34 24576 c:\program files\AlienGUIse\fastload.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-03-05 00:46 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=wbsys.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"VIDC.XFR1"= xfcodec.dll
"VIDC.HFYU"= huffyuv.dll
"VIDC.LAGS"= lagarith.dll
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^MiyaDV^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\MiyaDV\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^MiyaDV^Start Menu^Programs^Startup^Product Registration.lnk]
path=c:\documents and settings\MiyaDV\Start Menu\Programs\Startup\Product Registration.lnk
backup=c:\windows\pss\Product Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 05:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2009-01-26 15:31 2144088 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"Wmi"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"vsmon"=2 (0x2)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UMWdf"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=3 (0x3)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"Spooler"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SbieSvc"=2 (0x2)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"PlugPlay"=2 (0x2)
"NVSvc"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"napagent"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SONY_MEDIAMGR"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"iPod Service"=3 (0x3)
"InCDsrv"=2 (0x2)
"ImapiService"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"FontCache3.0.0.0"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=2 (0x2)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=3 (0x3)
"COMSysApp"=3 (0x3)
"clr_optimization_v2.0.50727_32"=3 (0x3)
"CiSvc"=3 (0x3)
"Browser"=2 (0x2)
"Bonjour Service"=2 (0x2)
"BITS"=2 (0x2)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"ALG"=3 (0x3)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-03-04 325128]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-03-04 107272]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-02-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-02-17 55024]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-02-17 7408]
S3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2008-01-13 92160]
S4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe --> c:\progra~1\AVG\AVG8\avgemc.exe [?]
S4 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe --> c:\progra~1\AVG\AVG8\avgwdsvc.exe [?]
S4 BCSWAP;BCSWAP;c:\windows\system32\drivers\bcswap.sys [2007-01-25 91496]
.
.
------- Supplementary Scan -------
.
uStart Page = www.alienware.com/Mothership?Comp=AWC&SysCode=PC-AURORA-7500-R4&ai=636E3D33383830303526706F3D31373033393141
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\MiyaDV\Application Data\Mozilla\Firefox\Profiles\nhxqztet.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
.
**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-06 01:25:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2286332400-1018542478-3563119170-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
@Denied: (Full) (LocalSystem)
@SACL=
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(740)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\program files\AlienGUIse\fastload.dll
.
Completion time: 2009-03-06  1:25:53
ComboFix-quarantined-files.txt  2009-03-06 06:25:52

Pre-Run: 205,684,457,472 bytes free
Post-Run: 205,669,232,640 bytes free
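The dllcache question above can be checked from the ComboFix listing itself. The script below is an added example for this thread, not code from the poster or from ComboFix: it parses "Files Created" entries and separates dllcache files that carry an old install-media or service-pack timestamp (what an sfc repair copies in) from files stamped at the moment they appeared. The sample lines are copied from the log in the post, except `example_recent.dll`, which is a constructed entry added only to exercise the fresh-write branch.

```python
"""Triage of a ComboFix "Files Created" listing (added example; not
ComboFix's own tooling and not code from the post).

Each entry has the shape
    <created> . <modified> TAB <size or <DIR>> TAB <attributes> TAB <path>
The modified stamp is the timestamp carried inside the file. A file that
sfc /scannow copies into system32\\dllcache from the CD or service-pack
cache keeps its old stamp (2001-08-17 is the Windows XP release build,
2008-04-14 the SP3 build); a file written fresh by a running program is
stamped at the moment it was created.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: real lines from the ComboFix log in the post, plus one
# constructed dllcache entry (example_recent.dll) that is NOT in the log.
SAMPLE_LOG = (
    "2009-03-05 06:26 . 2009-01-09 14:19\t1,089,593\t-----c---\tc:\\windows\\system32\\dllcache\\ntprint.cat\n"
    "2009-03-05 06:09 . 2009-02-11 10:19\t38,496\t--a------\tc:\\windows\\system32\\drivers\\mbamswissarmy.sys\n"
    "2009-03-05 05:10 . 2001-08-17 13:28\t794,654\t--a--c---\tc:\\windows\\system32\\dllcache\\usr1801.sys\n"
    "2009-03-05 05:09 . 2001-08-17 22:36\t525,568\t--a--c---\tc:\\windows\\system32\\dllcache\\tridxp.dll\n"
    "2009-03-05 05:03 . 2008-04-14 05:42\t363,520\t--a--c---\tc:\\windows\\system32\\dllcache\\psisdecd.dll\n"
    "2009-03-04 23:49 . 2008-04-14 00:15\t26,368\t--a--c---\tc:\\windows\\system32\\dllcache\\usbstor.sys\n"
    "2009-03-04 22:29 . 2008-12-20 18:15\t6,066,688\t-----c---\tc:\\windows\\system32\\dllcache\\ieframe.dll\n"
    "2009-03-05 00:40 . 2009-03-05 00:40\t31\t--a------\tc:\\windows\\GunzLauncher.INI\n"
    "2009-03-05 05:11 . 2009-03-05 05:11\t12,288\t--a------\tc:\\windows\\system32\\dllcache\\example_recent.dll\n"
)

ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\t"
    r"(?P<size><DIR>|[\d,]+)\t(?P<attrs>[-a-z]{9})\t(?P<path>.+?)\s*$"
)
TS_FMT = "%Y-%m-%d %H:%M"
DLLCACHE = "\\system32\\dllcache\\"


def parse_created_section(text):
    """Return one dict per well-formed entry; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        entries.append({
            "created": datetime.strptime(m["created"], TS_FMT),
            "modified": datetime.strptime(m["modified"], TS_FMT),
            "size": size,
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def is_dllcache(path):
    return DLLCACHE in path.lower()


def classify(entry, fresh_window=timedelta(days=1)):
    """'repair-like': dllcache file whose internal stamp predates its arrival
    on this disk by more than fresh_window (what a copy from media looks like).
    'fresh-write': dllcache file stamped within fresh_window of its creation,
    i.e. generated on this machine rather than copied; worth a closer look.
    'other': not in dllcache."""
    if not is_dllcache(entry["path"]):
        return "other"
    age = entry["created"] - entry["modified"]
    return "repair-like" if age > fresh_window else "fresh-write"


def summarize(entries):
    """Count dllcache entries per internal date and list any fresh writes."""
    by_date = Counter()
    fresh = []
    for e in entries:
        kind = classify(e)
        if kind == "other":
            continue
        by_date[e["modified"].strftime("%Y-%m-%d")] += 1
        if kind == "fresh-write":
            fresh.append(e["path"])
    return {"dllcache_by_modified_date": dict(by_date), "fresh_writes": fresh}


if __name__ == "__main__":
    report = summarize(parse_created_section(SAMPLE_LOG))
    for date, n in sorted(report["dllcache_by_modified_date"].items()):
        print(f"{date}: {n} dllcache file(s) carry this internal timestamp")
    for path in report["fresh_writes"]:
        print("review:", path)
```

Run against the full listing, the 2001-08-17 and 2008-04-14 groups account for the dllcache entries the poster asked about, which matches the explanation that they came from the CD-based repair.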

  • Root Admin

Looks like that's from you doing the system repair. The MBAM ones mostly look like False Positives.

Please DO NOT use CODE or QUOTE tags when posting logs, it makes it harder to read them.

Please run the following AV scanner just to make sure.

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet.
  • Double-click the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory; when something is found, click the Yes button when it asks if you want to cure it.
  • Once the short scan has finished, click on the Complete scan radio button.
  • Then click on the Settings menu on top, then select Change Settings or press the F9 key. You can also change the Language.
  • Choose the Scanning tab; I recommend leaving the Heuristic analysis enabled (this can lead to False Positives though).
  • On the File types tab ensure you select All files.
  • Click on the Actions tab and set the following:
    • Objects: Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages: Archive = Move, E-mails = Report, Containers = Move
    • Malware: Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension; the default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave Prompt on Action checked
  • On the Log file tab leave Log to file checked.
  • Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log
  • Log mode = Append
  • Encoding = ANSI
  • Details: leave Names of file packers and Statistics checked.
  • Limit log file size = 2048 KB and leave the check mark on Maximum log file size.
  • On the General tab leave the Scan Priority on High.
  • Click the Apply button at the bottom, and then the OK button.
  • On the right side under the Dr.Web Anti-Virus logo you will see 3 little buttons. Click the left VCR-style Start button.
  • In this mode it will scan Boot sectors of all disks, All removable media, and all local drives.
  • The more files and folders you have, the longer the scan will take. On large drives it can take hours to complete.
  • When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.
  • Click 'Yes to all' if it asks if you want to cure/move the files.
  • This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (In this case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your Desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! It is possible that files in use will be moved/deleted during the reboot.
  • After the reboot, post the contents of the log from Dr.Web you saved to your Desktop in your next reply, together with a new HijackThis log.

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
