
Hey!

Here's another malware removal thread.

I've recently been infected with XP antispyware (it's something like that; I'm not sure about its exact name), which was detected and deleted by MBAM. The problem is that I'm not sure it's totally gone: 1) it was "too easy" to get rid of it, 2) there are some irregularities with my PC and internet browsing (I can elaborate on them if you want).

Anyway, here are some logs:

DDS.TXT LOG:

.

DDS (Ver_11-03-05.01) - NTFSx86

Run by Administrateur at 21:23:39,73 on 2011-05-03

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professionnel 5.1.2600.3.1252.2.1036.18.2039.1057 [GMT -4:00]

.

AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\Fichiers communs\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiapsrv.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe

C:\Program Files\Fichiers communs\Adobe\ARM\1.0\AdobeARM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Documents and Settings\Administrateur\Bureau\dds.scr

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\fichiers communs\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [AdobeBridge]

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Alcmtr] ALCMTR.EXE

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRun: [switchBoard] c:\program files\fichiers communs\adobe\switchboard\SwitchBoard.exe

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1277485207556

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\z27m1rnw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig

FF - component: c:\documents and settings\administrateur\application data\mozilla\firefox\profiles\z27m1rnw.default\extensions\{e0b8c461-f8fb-49b4-8373-fe32e9252800}\platform\winnt_x86-msvc\components\enbar.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\ma-config.com\nphardwaredetection.dll

FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}

FF - Ext: ChatZilla: {59c81df5-4b7a-477b-912d-4e0fdf64e5f2} - %profile%\extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2}

FF - Ext: Canadian English Dictionary: en-CA@dictionaries.addons.mozilla.org - %profile%\extensions\en-CA@dictionaries.addons.mozilla.org

FF - Ext: Flagfox: {1018e4d6-728f-4b20-ad56-37578a4de76b} - %profile%\extensions\{1018e4d6-728f-4b20-ad56-37578a4de76b}

FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}

FF - Ext: LeechBlock: {a95d8332-e4b4-6e7f-98ac-20b733364387} - %profile%\extensions\{a95d8332-e4b4-6e7f-98ac-20b733364387}

FF - Ext: Live HTTP Headers: {8f8fe09b-0bd3-4470-bc1b-8cad42b8203a} - %profile%\extensions\{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}

.

============= SERVICES / DRIVERS ===============

.

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-6-30 165456]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-6-30 17744]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-30 40384]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-30 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-6-30 40384]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S3 maconfservice;Ma-Config Service;c:\program files\ma-config.com\maconfservice.exe [2010-8-13 259440]

S3 SwitchBoard;Adobe SwitchBoard;c:\program files\fichiers communs\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2011-05-03 21:41:00 32768 ----a-w- c:\windows\system32\PLUGIN.DLL

2011-05-03 21:41:00 210944 ----a-w- c:\windows\system32\MSVCRT10.DLL

2011-04-26 12:31:01 -------- d-----w- c:\program files\Spybot - Search & Destroy

2011-04-26 12:31:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

.

==================== Find3M ====================

.

2011-03-07 05:33:47 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-03-04 06:36:19 420864 ----a-w- c:\windows\system32\vbscript.dll

2011-03-03 13:53:37 1858048 ----a-w- c:\windows\system32\win32k.sys

2011-02-28 22:37:32 180624 ----a-w- c:\windows\system32\Primomonnt.dll

2011-02-22 23:05:48 916480 ----a-w- c:\windows\system32\wininet.dll

2011-02-22 23:05:47 43520 ----a-w- c:\windows\system32\licmgr10.dll

2011-02-22 23:05:47 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2011-02-22 11:42:13 385024 ----a-w- c:\windows\system32\html.iec

2011-02-17 12:54:06 5632 ----a-w- c:\windows\system32\xpsp4res.dll

2011-02-15 12:56:39 290432 ----a-w- c:\windows\system32\atmfd.dll

2011-02-09 13:54:09 270848 ----a-w- c:\windows\system32\sbe.dll

2011-02-09 13:54:09 186880 ----a-w- c:\windows\system32\encdec.dll

2011-02-08 13:34:11 978944 ----a-w- c:\windows\system32\mfc42.dll

2011-02-08 13:34:11 974848 ----a-w- c:\windows\system32\mfc42u.dll

.

============= FINISH: 21:24:06,42 ===============

ark.txt (GMER) and Attach.txt (DDS) were zipped and sent as an attachment.

MBAM log

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Version de la base de donn

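A triage pass over a DDS log of the kind posted above, as an added example that is not part of this thread, of DDS, or of MBAM: it splits the log into its `=== Section ===` blocks, parses the `Pseudo HJT Report` and `Created Last 30` sections, and returns leads for manual verification. The heuristics (autostart entries with an empty command or a bare file name instead of a path, hosts-file redirections, newly created non-directory files under c:\windows) are assumptions of this example, not DDS rules; a hit means "check this by hand", not "this is malware". The embedded sample is a constructed excerpt in the same format as the log above.

```python
"""Triage helper for DDS logs (added example; not part of the thread).

Heuristics are assumptions of this example:
  * uRun/mRun/dRun entries with an empty command or no directory in the command
  * Hosts: lines (hosts-file redirections)
  * non-directory files created in the last 30 days under c:\\windows
"""
import re

# Constructed sample: a short excerpt in the DDS format (not the full log).
SAMPLE_LOG = """\
============== Pseudo HJT Report ===============
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
uRun: [AdobeBridge]
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [avast5] c:\\progra~1\\alwils~1\\avast5\\avastUI.exe /nogui
Hosts: 127.0.0.1 www.spywareinfo.com
=============== Created Last 30 ================
2011-05-03 21:41:00 32768 ----a-w- c:\\windows\\system32\\PLUGIN.DLL
2011-04-26 12:31:01 -------- d-----w- c:\\program files\\Spybot - Search & Destroy
============= FINISH: 21:24:06,42 ===============
"""

SECTION_RE = re.compile(r"^=+ (?P<title>.+?) =+$")
RUN_RE = re.compile(r"^(?P<key>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\S+) (?P<attrs>\S+) (?P<path>.+)$"
)
WINDOWS_DIR = "c:\\windows\\"  # assumed system root for the "new file" heuristic


def parse_sections(text):
    """Split a DDS log into {section_title: [non-empty lines]}.

    DDS separates blocks with lines containing a single '.', which are dropped.
    """
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title").strip()
            sections[current] = []
        elif current and line.strip() and line.strip() != ".":
            sections[current].append(line)
    return sections


def triage(text):
    """Return a list of (category, detail) leads for manual verification."""
    leads = []
    secs = parse_sections(text)

    for line in secs.get("Pseudo HJT Report", []):
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if not cmd:
                # Autostart value with no command at all: stale or tampered entry.
                leads.append(("autostart-empty", m.group("name")))
            elif "\\" not in cmd.split()[0]:
                # Bare file name: resolved through the search path at logon,
                # so confirm which binary actually gets loaded.
                leads.append(("autostart-nopath", f"{m.group('name')} -> {cmd}"))
            continue
        h = HOSTS_RE.match(line)
        if h:
            leads.append(("hosts-redirect", f"{h.group('host')} -> {h.group('ip')}"))

    for line in secs.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        is_dir = m.group("attrs").startswith("d")
        if not is_dir and m.group("path").lower().startswith(WINDOWS_DIR):
            leads.append(("new-system-file", f"{m.group('ts')} {m.group('path')}"))

    return leads


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

To run it over a real DDS.txt, read the file and pass its contents to `triage()`. Bare-name autostart entries such as RTHDCPL.EXE are resolved through the system search path rather than a fixed location, which is why the example reports them as something to confirm (here they correspond to the Realtek audio entries also visible in the running-process list) rather than as a finding.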

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
