
I am unsure if I am infected and would like someone to look at my HJT log. Thanks


This topic is locked. 2 replies to this topic.

#1 wwood83 (Members, 1 post)

Posted 23 January 2009 - 03:45 AM

I recently disposed of some malware with an over-the-counter remover, but my computer is still coughing...
I am new and I just read the forum. I'm adding DDS.
Thanks for any help.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:43:35 AM, on 1/23/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/def.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\Avanquest\SystemSuite\LinkScannerIE.dll
O2 - BHO: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O2 - BHO: Data Vault - {8373ADC0-6330-11DD-9D77-22C856D89593} - C:\Program Files\Avanquest\SystemSuite\IE_ContextMenu_Vault.dll
O3 - Toolbar: AT&&T Toolbar - {4E7BD74F-2B8D-469E-94BE-FD60BB9AAE29} - C:\PROGRA~1\ATTTOO~1\ATTTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sunbelt VIPRE Antivirus Service (SBAMSvc) - Sunbelt Software - C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
O23 - Service: SystemSuite Task Manager - Avanquest North America, Inc. - C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe

--
End of file - 3515 bytes




DDS (Ver_09-01-19.01) - NTFSx86
Run by USER at 2:59:50.95 on Fri 01/23/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.1145 [GMT -6:00]

AV: Avanquest SystemSuite *On-access scanning enabled* (Outdated)
FW: Avanquest NetDefense Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\AntiVirus\SBAMSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVANQU~1\SYSTEM~1\MXTask.exe
C:\PROGRA~1\AVANQU~1\SYSTEM~1\mxtask.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\USER\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/
uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: XPL LinkScannerIE: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avanquest\systemsuite\LinkScannerIE.dll
BHO: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
BHO: DataVault Object: {8373adc0-6330-11dd-9d77-22c856d89593} - c:\program files\avanquest\systemsuite\IE_ContextMenu_Vault.dll
TB: AT&&T Toolbar: {4e7bd74f-2b8d-469e-94be-fd60bb9aae29} - c:\progra~1\atttoo~1\ATTTOO~1.DLL
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\lxjqncez.default\
FF - prefs.js: browser.startup.homepage - hxxp://mail.google.com/mail/?shva=1#inbox

============= SERVICES / DRIVERS ===============

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-1-9 13360]
R3 KFilter;KFilter;c:\progra~1\avanqu~1\system~1\KFilter.sys [2008-8-10 54865]
R3 TFilter;TFilter;c:\progra~1\avanqu~1\system~1\TFilter.sys [2008-8-10 20225]
R4 SBAMSvc;Sunbelt VIPRE Antivirus Service;c:\program files\common files\antivirus\SBAMSvc.exe [2008-8-5 849192]
R4 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-1-9 68912]
S3 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2007-11-6 87848]

=============== Created Last 30 ================

2009-01-23 02:24 <DIR> --d----- c:\program files\Trend Micro
2009-01-23 02:18 <DIR> --d----- c:\program files\Analog Devices
2009-01-23 02:05 765,952 a------- c:\windows\system\crlds3d.dll
2009-01-23 02:05 732,928 a------- c:\windows\system32\drivers\senfilt.sys
2009-01-23 02:05 311,296 a------- c:\windows\system32\Edcrypt.dll
2009-01-23 02:05 260,352 a------- c:\windows\system32\drivers\smwdm.sys
2009-01-23 02:05 23,040 a------- c:\windows\system32\PostProc.dll
2009-01-23 01:45 0 a------- c:\windows\system32\SBRC.dat
2009-01-23 01:45 0 a------- c:\windows\system32\SBFC.dat
2009-01-23 00:47 <DIR> --d----- c:\windows\nview
2009-01-17 21:10 847,920 a------- c:\windows\system32\python22.dll
2009-01-17 21:10 <DIR> --d----- C:\Python22
2009-01-10 22:06 <DIR> --d----- c:\program files\World of Warcraft
2009-01-10 22:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Blizzard
2009-01-10 21:50 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-01-10 21:25 <DIR> --d----- c:\windows\system32\scripting
2009-01-10 21:25 <DIR> --d----- c:\windows\system32\en
2009-01-10 21:25 <DIR> --d----- c:\windows\system32\bits
2009-01-10 21:25 <DIR> --d----- c:\windows\l2schemas
2009-01-10 21:24 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-10 21:23 <DIR> --d----- c:\windows\network diagnostic
2009-01-10 21:21 201,050 a------- c:\windows\system32\nvapps.nvb
2009-01-10 21:21 453,152 a------- c:\windows\system32\nvuninst.exe
2009-01-10 21:19 <DIR> --d----- c:\windows\EHome
2009-01-09 20:50 6,272 a------- c:\windows\system32\drivers\splitter.sys
2009-01-09 20:50 83,072 a------- c:\windows\system32\drivers\wdmaud.sys
2009-01-09 20:50 52,864 a------- c:\windows\system32\drivers\dmusic.sys
2009-01-09 20:50 56,576 a------- c:\windows\system32\drivers\swmidi.sys
2009-01-09 20:50 142,592 a------- c:\windows\system32\drivers\aec.sys
2009-01-09 20:50 172,416 a------- c:\windows\system32\drivers\kmixer.sys
2009-01-09 20:50 2,944 a------- c:\windows\system32\drivers\drmkaud.sys
2009-01-09 20:50 60,800 a------- c:\windows\system32\drivers\sysaudio.sys
2009-01-09 20:50 7,552 a------- c:\windows\system32\drivers\mskssrv.sys
2009-01-09 20:50 4,992 a------- c:\windows\system32\drivers\mspqm.sys
2009-01-09 20:50 5,376 a------- c:\windows\system32\drivers\mspclock.sys
2009-01-09 20:49 60,032 a------- c:\windows\system32\drivers\usbaudio.sys
2009-01-09 20:49 146,048 ac------ c:\windows\system32\dllcache\portcls.sys
2009-01-09 20:49 4,096 ac------ c:\windows\system32\dllcache\ksuser.dll
2009-01-09 20:49 146,048 a------- c:\windows\system32\drivers\portcls.sys
2009-01-09 20:49 4,096 a------- c:\windows\system32\ksuser.dll
2009-01-09 20:49 129,536 ac------ c:\windows\system32\dllcache\ksproxy.ax
2009-01-09 20:49 60,160 ac------ c:\windows\system32\dllcache\drmk.sys
2009-01-09 20:49 129,536 a------- c:\windows\system32\ksproxy.ax
2009-01-09 20:49 60,160 a------- c:\windows\system32\drivers\drmk.sys
2009-01-09 04:33 701,440 -------- c:\windows\system32\drivers\ati2mtag.sys
2009-01-09 04:31 <DIR> --d----- c:\program files\MSXML 4.0
2009-01-09 04:26 453,152 a------- c:\windows\system32\nvudisp.exe
2009-01-09 04:21 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-01-09 04:21 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-01-09 04:21 138,496 -c------ c:\windows\system32\dllcache\afd.sys
2009-01-09 04:16 333,952 -c------ c:\windows\system32\dllcache\srv.sys
2009-01-09 04:16 666,112 -c------ c:\windows\system32\dllcache\wininet.dll
2009-01-09 04:16 619,520 -c------ c:\windows\system32\dllcache\urlmon.dll
2009-01-09 04:16 1,499,136 -c------ c:\windows\system32\dllcache\shdocvw.dll
2009-01-09 04:16 3,067,904 -c------ c:\windows\system32\dllcache\mshtml.dll
2009-01-09 04:15 1,846,400 -c------ c:\windows\system32\dllcache\win32k.sys
2009-01-09 04:15 2,189,184 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-01-09 04:15 2,145,280 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-01-09 04:15 2,023,936 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-01-09 04:15 2,066,048 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-01-09 04:15 203,136 -c------ c:\windows\system32\dllcache\rmcast.sys
2009-01-09 04:15 455,296 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-01-09 04:12 691,712 -c------ c:\windows\system32\dllcache\inetcomm.dll
2009-01-09 04:11 337,408 -c------ c:\windows\system32\dllcache\netapi32.dll
2009-01-09 04:11 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-01-09 04:11 <DIR> --d----- c:\windows\system32\PreInstall
2009-01-09 04:11 <DIR> --d-h--- c:\windows\$hf_mig$
2009-01-09 03:59 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-01-09 03:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ATTToolbar
2009-01-09 03:38 <DIR> --d----- c:\program files\ATTToolbar
2009-01-09 03:38 <DIR> --d----- c:\docume~1\user\applic~1\ATTToolbar
2009-01-09 03:37 <DIR> --d----- c:\program files\Yahoo!
2009-01-09 03:27 <DIR> --d----- c:\program files\ATT-HSI
2009-01-09 03:27 <DIR> --d----- c:\program files\common files\Motive
2009-01-09 03:20 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-01-09 03:18 <DIR> --d----- c:\windows\Downloaded Installations
2009-01-09 03:18 <DIR> --d----- c:\program files\Broadcom
2009-01-09 03:08 68,912 a------- c:\windows\system32\drivers\sbapifs.sys
2009-01-09 03:08 13,360 a------- c:\windows\system32\drivers\sbaphd.sys
2009-01-09 03:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avanquest
2009-01-09 03:06 <DIR> --dshr-- C:\_Backup.RC
2009-01-09 03:06 <DIR> --d-h--- C:\_Backup
2009-01-09 03:06 <DIR> --d----- c:\docume~1\user\applic~1\Avanquest
2009-01-09 03:06 <DIR> --d----- c:\program files\Avanquest update
2009-01-09 03:06 <DIR> --d----- c:\program files\common files\AntiVirus
2009-01-09 03:06 <DIR> --d----- c:\program files\Avanquest
2009-01-07 18:34 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-01-06 15:16 <DIR> --d----- c:\documents and settings\USER
2009-01-06 12:01 <DIR> --ds---- c:\windows\system32\Microsoft
2009-01-05 23:25 8,192 a------- c:\windows\REGLOCS.OLD
2009-01-05 23:25 28,288 ac------ c:\windows\system32\dllcache\xjis.nls
2009-01-05 23:25 156,672 ac------ c:\windows\system32\dllcache\winzm.ime
2009-01-05 23:25 156,672 ac------ c:\windows\system32\dllcache\winsp.ime
2009-01-05 23:25 156,672 ac------ c:\windows\system32\dllcache\winpy.ime
2009-01-05 23:25 79,360 ac------ c:\windows\system32\dllcache\winar30.ime
2009-01-05 23:25 72,704 ac------ c:\windows\system32\dllcache\wingb.ime
2009-01-05 23:25 65,536 ac------ c:\windows\system32\dllcache\winime.ime
2009-01-05 23:25 48,256 ac------ c:\windows\system32\dllcache\w32.dll
2009-01-05 23:25 41,600 ac------ c:\windows\system32\dllcache\weitekp9.dll
2009-01-05 23:25 31,232 ac------ c:\windows\system32\dllcache\weitekp9.sys
2009-01-05 23:23 45,056 ac------ c:\windows\system32\dllcache\EXCH_aqadmin.dll
2009-01-05 23:23 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-01-05 23:22 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-01-05 23:22 <DIR> --d----- c:\program files\common files\MSSoap
2009-01-05 23:21 <DIR> --d----- c:\program files\Online Services
2009-01-05 23:21 <DIR> --d----- c:\program files\Messenger
2009-01-05 23:21 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-01-05 23:20 <DIR> --d----- c:\program files\Windows NT
2009-01-05 16:57 <DIR> --d----- c:\program files\common files\ODBC
2009-01-05 16:56 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-01-05 16:56 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-01-10 21:27 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-05 23:21 21,640 a------- c:\windows\system32\emptyregdb.dat
2008-12-11 04:57 333,952 a------- c:\windows\system32\drivers\srv.sys

============= FINISH: 3:00:09.03 ===============

Edited by wwood83, 23 January 2009 - 04:00 AM.



#2 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 03 February 2009 - 12:11 PM

Hello wwood83,


Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61 (Bleepin' Texan!, Malware Response Team, 17,075 posts, Wills Point, Texas)

Posted 20 February 2009 - 12:35 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.