Downloader?


  • This topic is locked
13 replies to this topic

#1 Riprey

  • Members
  • 5 posts

Posted 02 January 2009 - 06:53 PM

Hi, I am infected with a virus that doesn't reveal itself until you scan it with antivirus software, and then it tries to overload the software by dropping a huge number of viruses. Can anyone help me remove this virus? Here is the log from DDS.


DDS (Version 1.1.0) - NTFSx86
Run by Bonnie at 9:29:49.75 on 03/01/2009 Sat
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.1023.450 [GMT 10:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
D:\svn\bin\TSVNCache.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\Steam\Steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Documents and Settings\Bonnie\Desktop\dds.scr
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://maplestory.nexon.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: IeCatch5 Class: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\progra~1\flashget\jccatch.dll
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - No File
TB: {515AB855-A175-436A-BC5C-0E4F50A023A5} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "d:\steam\Steam.exe" -silent
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exe
mRun: [Advanced Tools Check] c:\progra~1\norton~1\advtools\ADVCHK.EXE
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-au\msntabres.dll.mui/229?039ab8a7f03f40b99f8ac2321fb466b2
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-au\msntabres.dll.mui/230?039ab8a7f03f40b99f8ac2321fb466b2
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bonnie\applic~1\mozilla\firefox\profiles\g32qgcnw.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/index.html
FF - plugin: c:\program files\mozilla firefox\plugins\npcnc32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMFireLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-27 40840]
R1 avgio;avgio;\??\c:\program files\avira\antivir personaledition classic\avgio.sys [2008-10-2 11840]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-27 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-27 81288]
R2 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;"c:\program files\avira\antivir personaledition classic\sched.exe" [2008-10-2 68865]
R2 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;"c:\program files\avira\antivir personaledition classic\avguard.exe" [2008-10-2 151297]
R2 ccEvtMgr;Symantec Event Manager;"c:\program files\common files\symantec shared\ccEvtMgr.exe" [2002-8-8 308936]
R2 navapsvc;Norton AntiVirus Auto Protect Service;"c:\program files\norton antivirus\navapsvc.exe" [2002-8-19 116336]
R2 NProtectService;Norton Unerase Protection;"c:\program files\norton antivirus\advtools\NPROTECT.EXE" [2008-5-31 135168]
R2 SAVRTPEL;SAVRTPEL;\??\c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-27 356920]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-27 1079176]
R2 SeaPort;SeaPort;"c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe" [2008-12-4 226640]
R3 avgntflt;avgntflt;\??\c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-10-2 52032]
R3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20081231.003\NAVENG.Sys [2009-1-1 89104]
R3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20081231.003\NavEx15.Sys [2009-1-1 876112]
R3 SAVRT;SAVRT;\??\c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
S2 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]
S3 ccPwdSvc;Symantec Password Validation Service;"c:\program files\common files\symantec shared\ccPwdSvc.exe" [2002-8-19 63176]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNt.sys [2007-5-5 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2008-4-5 79104]
S3 Mkd2Usbf;Mkd2Usbf;c:\windows\system32\drivers\Mkd2Usbf.sys [2007-5-5 93440]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys []
S3 XDva132;XDva132;\??\c:\windows\system32\XDva132.sys []
S3 XDva202;XDva202;\??\c:\windows\system32\XDva202.sys []

=============== Created Last 30 ================

2009-01-01 14:34 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-12-29 17:34 2,557 a------- c:\windows\identitydb.obj
2008-12-29 17:34 <DIR> --d----- c:\windows\profiles
2008-12-29 13:11 <DIR> --d----- c:\program files\CCleaner
2008-12-29 13:10 <DIR> --d----- c:\program files\Trend Micro
2008-12-22 21:53 <DIR> --d----- c:\program files\VideoLAN
2008-12-22 12:38 <DIR> --d----- c:\program files\GCFScape
2008-12-16 16:54 <DIR> --d----- c:\documents and settings\bonnie\Tracing
2008-12-16 16:46 <DIR> --d----- c:\program files\Microsoft
2008-12-16 16:46 <DIR> --d----- c:\program files\Windows Live SkyDrive
2008-12-16 16:36 <DIR> --d----- c:\program files\common files\Windows Live
2008-12-08 20:22 <DIR> --dsh--- c:\documents and settings\bonnie\PrivacIE
2008-12-08 19:59 <DIR> -cd-h--- c:\windows\ie8
2008-12-04 22:55 307,560 a------- c:\windows\WLXPGSS.SCR

==================== Find3M ====================

2009-01-03 09:19 12,398 a------- c:\windows\system32\tablet.dat
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-12-02 08:13 3,452,928 a------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-02 06:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-02 06:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-02 06:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-02 06:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-02 06:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-02 06:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-02 06:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-02 06:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-02 06:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-02 06:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-02 06:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-02 06:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-02 06:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-02 06:11 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-12-02 06:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-02 06:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-02 05:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-02 05:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-02 05:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-02 05:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-02 05:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-02 05:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-02 05:51 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2008-12-02 05:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-02 05:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-02 05:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-11-27 17:13 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-11-27 17:13 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-11-27 17:13 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-11-12 18:38 348,160 a------- c:\windows\system32\msvcr71.dll
2008-11-12 18:38 499,712 a------- c:\windows\system32\msvcp71.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-09 21:54 0 a---h--- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-11-09 21:54 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-10-31 00:45 180,720 a------- c:\windows\system32\atiicdxx.dat
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-24 16:39 131,072 a------- c:\windows\system32\SpoonUninstall.exe
2008-10-24 16:39 36,104 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2008-10-23 00:49 93,992 ac------ c:\docume~1\bonnie\applic~1\GDIPFONTCACHEV1.DAT
2008-10-22 04:51 118,784 a------- c:\windows\system32\atibrtmon.exe
2008-10-10 04:52 4,379,984 a------- c:\windows\system32\D3DX9_40.dll
2008-10-10 04:52 2,036,576 a------- c:\windows\system32\D3DCompiler_40.dll
2008-10-10 04:52 452,440 a------- c:\windows\system32\d3dx10_40.dll
2008-04-09 18:42 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2003-12-19 20:36 40,960 ac------ c:\program files\Uninstall_CDS.exe
2008-05-31 19:34 32 a--sh--- c:\windows\{B9D0B448-6C94-4639-A1D3-83150F95B13E}.dat
2007-03-08 16:32 56 ---shr-- c:\windows\system32\38F4A01B79.sys
2005-06-22 14:37 45,568 ac-shr-- c:\windows\system32\cygz.dll
2007-03-08 16:32 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-19 17:33 692 a--sh--- c:\windows\system32\og.dll
2008-09-19 17:30 1,868 a--sh--- c:\windows\system32\ul.dll
2008-05-31 19:34 32 a--sh--- c:\windows\system32\{089317B8-828C-459C-944F-9ED5B1AAF88A}.dat

============= FINISH: 9:30:41.42 ===============
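Added example (not part of the thread, and not code from sUBs' DDS tool): a small Python triage script for a DDS log like the one above. It splits the log on the `=== Section ===` banners DDS prints and reports the entries a helper would look at first: the header showing two on-access scanners enabled at once (Avira and Norton here; two real-time scanners can flag each other's temporary files), browser objects still registered but marked `No File`, the `AppInit_DLLs` and Winlogon `Notify:` entries, drivers whose file DDS could not read (the empty `[]` after the path), and hidden+system files under system32 in the Find3M and Created lists. The sample input is an excerpt of the log posted in #1; the check names are the example's own, and each hit is a prompt for a human look rather than a verdict (hidden system files in system32 are often licensing or DRM leftovers).

```python
"""Triage a DDS log of the kind posted above.

Added example for this thread, not part of sUBs' DDS tool; the check names
are the example's own. It splits the log on the "=== Section ===" banners DDS
emits and lists the entries a helper looks at first. Every hit is a heuristic
that still needs a human decision.
"""
import re
from collections import Counter

# "============== Pseudo HJT Report ===============" -> "Pseudo HJT Report"
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# "R0 name;display name;path [date size]"; an empty "[]" means DDS could not
# read the file the driver entry points at (missing, or hidden from it).
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s*\[(.*)\]$")
# Find3M / "Created Last 30" rows: "yyyy-mm-dd hh:mm size attrs path"
FILE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(<DIR>|[\d,]+)\s+(\S{8})\s+(.+)$")

# Sample input: an excerpt of the log posted in #1 (lines copied from the thread).
SAMPLE_LOG = r"""AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: Norton AntiVirus *On-access scanning enabled* (Updated)
============== Pseudo HJT Report ===============
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: wbsys.dll
============= SERVICES / DRIVERS ===============
R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-27 40840]
S3 XDva090;XDva090;\??\c:\windows\system32\XDva090.sys []
=============== Created Last 30 ================
2008-12-08 20:22 <DIR> --dsh--- c:\documents and settings\bonnie\PrivacIE
==================== Find3M ====================
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2007-03-08 16:32 56 ---shr-- c:\windows\system32\38F4A01B79.sys
2008-09-19 17:33 692 a--sh--- c:\windows\system32\og.dll
============= FINISH: 9:30:41.42 ===============
"""


def split_sections(text):
    """Map section title -> its non-empty lines; the lines before the first
    banner (DDS version, OS, the AV: summary) are filed under 'Header'."""
    sections = {"Header": []}
    current = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        else:
            sections[current].append(line)
    return sections


def triage(text):
    """Return [(check, log line), ...] for the entries worth a closer look."""
    sections = split_sections(text)
    hits = []

    # Two real-time scanners can flag each other's temp files: rule this out first.
    on_access = [ln for ln in sections["Header"]
                 if ln.startswith("AV:") and "On-access scanning enabled" in ln]
    if len(on_access) > 1:
        hits.append(("multiple-on-access-av", "; ".join(on_access)))

    for line in sections.get("Pseudo HJT Report", []):
        if line.endswith("- No File"):           # CLSID still registered, DLL gone
            hits.append(("orphaned-browser-object", line))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            hits.append(("appinit-dll", line))   # loaded into every process using user32
        elif line.startswith("Notify:"):         # Winlogon notification package
            hits.append(("winlogon-notify", line))

    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m and not m.group(5).strip():
            hits.append(("driver-file-unreadable", line))

    for title in ("Find3M", "Created Last 30"):
        for line in sections.get(title, []):
            m = FILE_RE.match(line)
            if not m:
                continue
            attrs, path = m.group(3), m.group(4).lower()
            # hidden + system inside system32 is worth a look; elsewhere it is routine
            if "s" in attrs and "h" in attrs and "\\system32\\" in path:
                hits.append(("hidden-system-file", line))
    return hits


def summarize(hits):
    """Count hits per check, e.g. Counter({'hidden-system-file': 2, ...})."""
    return Counter(check for check, _ in hits)


if __name__ == "__main__":
    for check, line in triage(SAMPLE_LOG):
        print(f"{check:24} {line}")
```

Run it on a saved DDS log with `triage(open("dds.txt").read())`; on the excerpt above it reports eight entries, two of which (`XDva090.sys` with no size or date, and the hidden system files) are the kind of thing the helpers in this thread would ask about next.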



#2 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 14 January 2009 - 10:02 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results, click no to the Optional_Scan
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 18 January 2009 - 10:28 AM

Due to the lack of feedback this Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.

#4 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 20 January 2009 - 06:57 PM

Opened at member's request.

#5 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 21 January 2009 - 03:27 PM

Hello.

Please follow the directions Koan Yorel gave for running DDS.

In addition, also run GMER.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.

Please download GMER.zip to your desktop from any of the links below:
LINK1, LINK2
  • Right click on GMER.zip and select "Extract All".
  • Close all other open programs as there is a slight chance your computer will crash.
  • Double click GMER.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  • You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  • Leaving the settings at default, click Scan.
  • When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

I am infected with a virus that doesn't reveal itself until you scan it with an Antivirus software, and then it tries to overload the software by dropping a huge amount of viruses.

Could you please tell me how you came to this conclusion?

With Regards,
The Panda

#6 Riprey

  • Topic Starter
  • Members
  • 5 posts

Posted 22 January 2009 - 01:03 AM

Hi, thanks for replying.

I came to the conclusion because occasionally when I do a full scan of the computer a message would come up saying a .tmp file was infected, so after I deny access, quarantine or delete it, another .tmp pops up, and more and more. So it seems plausible that the downloader was creating all those .tmp files, and it doesn't do so until scanned.

The GMER log is attached.

Here is the DDS log

DDS (Ver_09-01-18.01) - NTFSx86
Run by Bonnie at 20:54:44.92 on 21/01/2009 Wed
Internet Explorer: 8.0.6001.18241 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.949.82.1033.18.1023.391 [GMT 10:00]

AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated)
AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
D:\svn\bin\TSVNCache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
D:\steam\steam.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\conime.exe
C:\Documents and Settings\Bonnie\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://maplestory.nexon.com/
uSearch Bar = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: IeCatch5 Class: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\progra~1\flashget\jccatch.dll
BHO: {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - No File
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FlashGet Bar: {e0e899ab-f487-11d5-8d29-0050ba6940e3} - c:\progra~1\flashget\fgiebar.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {71B6ACF7-4F0F-4FD8-BB69-6D1A4D271CB7} - No File
TB: {515AB855-A175-436A-BC5C-0E4F50A023A5} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [Steam] "d:\steam\steam.exe" -silent
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [RemoteControl] "c:\program files\cyberlink dvd solution\powerdvd\PDVDServ.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [PaperPort PTD] "c:\program files\scansoft\paperport\pptd40nt.exe"
mRun: [IndexSearch] "c:\program files\scansoft\paperport\IndexSearch.exe"
mRun: [PPort11reminder] "c:\program files\scansoft\paperport\ereg\ereg.exe" -r "c:\documents and settings\all users\application data\scansoft\paperport\11\config\ereg\Ereg.ini
mRun: [BrMfcWnd] c:\program files\brother\brmfcmon\BrMfcWnd.exe /AUTORUN
mRun: [ControlCenter3] c:\program files\brother\controlcenter3\brctrcen.exe /autorun
mRun: [ccApp] c:\program files\common files\symantec shared\ccApp.exe
mRun: [ccRegVfy] c:\program files\common files\symantec shared\ccRegVfy.exe
mRun: [Advanced Tools Check] c:\progra~1\norton~1\advtools\ADVCHK.EXE
mRun: [avgnt] "c:\program files\avira\antivir personaledition classic\avgnt.exe" /min
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tabuse~1.lnk - c:\windows\system32\wtablet\TabUserW.exe
IE: Add to AMV Convert Tool... - c:\program files\mp3 player utilities 4.00\amvconverter\grab.html
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Download All by FlashGet - c:\program files\flashget\jc_all.htm
IE: Download using FlashGet - c:\program files\flashget\jc_link.htm
IE: Download with GetRight - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\program files\mp3 player utilities 4.00\mediamanager\grab.html
IE: Open in new background tab - c:\program files\windows live toolbar\components\en-au\msntabres.dll.mui/229?039ab8a7f03f40b99f8ac2321fb466b2
IE: Open in new foreground tab - c:\program files\windows live toolbar\components\en-au\msntabres.dll.mui/230?039ab8a7f03f40b99f8ac2321fb466b2
IE: Open with GetRight Browser - c:\program files\getright\GRbrowse.htm
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\progra~1\flashget\flashget.exe
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: wbsys.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bonnie\applic~1\mozilla\firefox\profiles\g32qgcnw.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/index.html
FF - plugin: c:\program files\mozilla firefox\plugins\npcnc32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMFireLauncher.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\real\realone player\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realone player\netscape6\nprpjplug.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2008-11-27 40840]
R1 avgio;avgio;c:\program files\avira\antivir personaledition classic\avgio.sys [2008-10-2 11840]
R1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2008-11-27 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2008-11-27 81288]
R3 avgntflt;avgntflt;c:\program files\avira\antivir personaledition classic\avgntflt.sys [2008-10-2 52032]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\NAVENG.Sys [2009-1-21 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\NavEx15.Sys [2009-1-21 876112]
R3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
R4 AntiVirScheduler;Avira AntiVir Personal - Free Antivirus Scheduler;c:\program files\avira\antivir personaledition classic\sched.exe [2008-10-2 68865]
R4 AntiVirService;Avira AntiVir Personal - Free Antivirus Guard;c:\program files\avira\antivir personaledition classic\avguard.exe [2008-10-2 151297]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-8-8 308936]
R4 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2002-8-19 116336]
R4 NProtectService;Norton Unerase Protection;c:\program files\norton antivirus\advtools\NPROTECT.EXE [2008-5-31 135168]
R4 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]
R4 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-11-27 356920]
R4 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-11-27 1079176]
R4 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2008-12-4 226640]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-8-19 63176]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2007-5-5 131072]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2008-4-5 79104]
S3 Mkd2Usbf;Mkd2Usbf;c:\windows\system32\drivers\Mkd2UsbF.sys [2007-5-5 93440]
S3 XDva090;XDva090;\??\c:\windows\system32\xdva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva132;XDva132;\??\c:\windows\system32\xdva132.sys --> c:\windows\system32\XDva132.sys [?]
S3 XDva202;XDva202;\??\c:\windows\system32\xdva202.sys --> c:\windows\system32\XDva202.sys [?]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]

=============== Created Last 30 ================

2009-01-06 20:21 <DIR> --d----- c:\program files\Poke
2009-01-01 14:34 593,920 -------- c:\windows\system32\ati2sgag.exe
2008-12-29 17:34 2,557 a------- c:\windows\identitydb.obj
2008-12-29 17:34 <DIR> --d----- c:\windows\profiles
2008-12-29 13:11 <DIR> --d----- c:\program files\CCleaner
2008-12-29 13:10 <DIR> --d----- c:\program files\Trend Micro
2008-12-22 21:53 <DIR> --d----- c:\program files\VideoLAN

==================== Find3M ====================

2009-01-21 20:46 12,398 a------- c:\windows\system32\tablet.dat
2008-12-04 22:55 307,560 a------- c:\windows\WLXPGSS.SCR
2008-12-02 22:37 49,480 a------- c:\windows\system32\sirenacm.dll
2008-12-02 08:13 3,452,928 a------- c:\windows\system32\drivers\ati2mtag.sys
2008-12-02 06:52 425,984 a------- c:\windows\system32\ATIDEMGX.dll
2008-12-02 06:51 318,464 a------- c:\windows\system32\ati2dvag.dll
2008-12-02 06:46 11,304,960 a------- c:\windows\system32\atioglxx.dll
2008-12-02 06:41 188,416 a------- c:\windows\system32\atipdlxx.dll
2008-12-02 06:40 147,456 a------- c:\windows\system32\Oemdspif.dll
2008-12-02 06:40 26,112 a------- c:\windows\system32\Ati2mdxx.exe
2008-12-02 06:40 43,520 a------- c:\windows\system32\ati2edxx.dll
2008-12-02 06:40 143,360 a------- c:\windows\system32\ati2evxx.dll
2008-12-02 06:38 598,016 a------- c:\windows\system32\ati2evxx.exe
2008-12-02 06:37 53,248 a------- c:\windows\system32\ATIDDC.DLL
2008-12-02 06:27 4,120,384 a------- c:\windows\system32\ati3duag.dll
2008-12-02 06:19 307,200 a------- c:\windows\system32\atiiiexx.dll
2008-12-02 06:11 2,495,360 a------- c:\windows\system32\ativvaxx.dll
2008-12-02 06:11 3,107,788 a------- c:\windows\system32\ativvaxx.dat
2008-12-02 06:11 3,107,788 a------- c:\windows\system32\ativva5x.dat
2008-12-02 06:11 887,724 a------- c:\windows\system32\ativva6x.dat
2008-12-02 05:57 48,640 a------- c:\windows\system32\amdpcom32.dll
2008-12-02 05:53 401,408 a------- c:\windows\system32\atikvmag.dll
2008-12-02 05:53 45,056 a------- c:\windows\system32\amdcalrt.dll
2008-12-02 05:53 45,056 a------- c:\windows\system32\amdcalcl.dll
2008-12-02 05:52 86,016 a------- c:\windows\system32\atiadlxx.dll
2008-12-02 05:52 17,408 a------- c:\windows\system32\atitvo32.dll
2008-12-02 05:51 53,248 a------- c:\windows\system32\drivers\ati2erec.dll
2008-12-02 05:50 286,720 a------- c:\windows\system32\atiok3x2.dll
2008-12-02 05:50 3,252,224 a------- c:\windows\system32\Amdcaldd.dll
2008-12-02 05:45 577,536 a------- c:\windows\system32\ati2cqag.dll
2008-11-27 17:13 81,288 a------- c:\windows\system32\drivers\iksyssec.sys
2008-11-27 17:13 66,952 a------- c:\windows\system32\drivers\iksysflt.sys
2008-11-27 17:13 40,840 a------- c:\windows\system32\drivers\ikfilesec.sys
2008-11-12 18:38 348,160 a------- c:\windows\system32\msvcr71.dll
2008-11-12 18:38 499,712 a------- c:\windows\system32\msvcp71.dll
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-31 00:45 180,720 a------- c:\windows\system32\atiicdxx.dat
2008-10-27 10:04 514,384 a------- c:\windows\system32\XAudio2_3.dll
2008-10-27 10:04 235,856 a------- c:\windows\system32\xactengine3_3.dll
2008-10-27 10:04 23,376 a------- c:\windows\system32\X3DAudio1_5.dll
2008-10-27 10:04 70,992 a------- c:\windows\system32\XAPOFX1_2.dll
2008-10-24 16:39 131,072 a------- c:\windows\system32\SpoonUninstall.exe
2008-10-24 16:39 36,104 a------- c:\windows\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
2008-10-23 00:49 93,992 ac------ c:\docume~1\bonnie\applic~1\GDIPFONTCACHEV1.DAT
2008-04-09 18:42 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2003-12-19 20:36 40,960 ac------ c:\program files\Uninstall_CDS.exe
2008-05-31 19:34 32 a--sh--- c:\windows\{B9D0B448-6C94-4639-A1D3-83150F95B13E}.dat
2007-03-08 16:32 56 ---shr-- c:\windows\system32\38F4A01B79.sys
2005-06-22 14:37 45,568 ac-shr-- c:\windows\system32\cygz.dll
2007-03-08 16:32 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2008-09-19 17:33 692 a--sh--- c:\windows\system32\og.dll
2008-09-19 17:30 1,868 a--sh--- c:\windows\system32\ul.dll
2008-05-31 19:34 32 a--sh--- c:\windows\system32\{089317B8-828C-459C-944F-9ED5B1AAF88A}.dat

============= FINISH: 20:55:32.32 ===============

Attached Files

  • Attached File: log.log (298.5KB)


#7 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 22 January 2009 - 03:35 PM

Hello.

There does not appear to be an infection.

Please tell me what items are flagged, and what the detection is.

With Regards,
The Panda

#8 Riprey

  • Topic Starter
  • Members
  • 5 posts

Posted 23 January 2009 - 06:14 PM

> Hello.
>
> There does not appear to be an infection.
>
> Please tell me what items are flagged, and what the detection is.
>
> With Regards,
> The Panda

Really? Then I am sorry for wasting your time. I didn't notice the Am I Infected section until after posting the logs.

Again I am sorry for this.

#9 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 23 January 2009 - 06:17 PM

No don't be sorry.

I was wanting to know what files your antivirus said were infected.

The tools we use don't see everything.

With Regards,
The Panda

Edited by PropagandaPanda, 23 January 2009 - 06:17 PM.


#10 Riprey

  • Topic Starter
  • Members
  • 5 posts

Posted 24 January 2009 - 06:41 AM

Well, if you wish to know, it was some files in the temp folder called tmp2(randomnumber)(randomletter).tmp.

But recently it found C:\WINDOWS\system32\internet.fne, C:\WINDOWS\system32\eAPI.fne, C:\WINDOWS\system32\spec.fne. These were deleted upon detection.

#11 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 24 January 2009 - 11:16 AM

Hello.

Let's see if an online scan turns up anything.

F-Secure Online Scan
Please run F-Secure Online Scanner.
This scan is for Internet Explorer only.
  • It is suggested that you disable security programs and close any other windows during the scan. While your security is disabled, please refrain from surfing on other sites. Refer to this page if you are unsure how.
  • Go to F-Secure Online Scanner
  • Follow the instructions here for installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan
  • Once the download completes, the scan will begin automatically. The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy the entire report in your next reply.
  • Be sure to re-enable any security programs.

With Regards,
The Panda

#12 Riprey

  • Topic Starter
  • Members
  • 5 posts

Posted 24 January 2009 - 10:15 PM

Here you go:

Scanning Report
Sunday, January 25, 2009 13:17:30 - 14:13:17

Computer name: ADMIN-XQBH404NE
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\ E:\
Result: 3 malware found
Client-IRC.Win32.mIRC (spyware)

* System

W32/Packed_Krunchy.A (virus)

* C:\DOCUMENTS AND SETTINGS\BONNIE\DESKTOP\ZSNES\SUMOTORI.EXE (Submitted)

W32/UltimateCleaner.BD (virus)

* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NEXONUS\NGM\NGMDLL.DLL (Submitted)

Statistics
Scanned:

* Files: 36164
* System: 4969
* Not scanned: 7

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 3
* Submitted: 2

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Hydra: 2.8.8110, 2009-01-24
* F-Secure AVP: 7.0.171, 2009-01-24
* F-Secure Pegasus: 1.20.0, 1970-00-01
* F-Secure Blacklight: 0.0.0

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics


#13 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 25 January 2009 - 09:13 AM

Hello.

Looks clean.

Let's leave it for a couple days, and if you still get detections, tell me :thumbsup: .

With Regards,
The Panda

#14 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 07 February 2009 - 10:36 AM

Hello.

Since this issue appears to be resolved, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda
