
Am I Still Infected? (DETAILED description inside)


  • This topic is locked
2 replies to this topic

#1 adiadi

adiadi

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:59 AM

Posted 05 September 2009 - 11:23 AM

Hey everybody!

(scroll down for the log links)
I recently managed to get my computer loaded with a number of different viruses. To make a long story short, I downloaded/ran an .exe program that I later found out was full of viruses/keyloggers.

I ran a bunch of scans (Malwarebytes, Avast, McAfee, then, after I uninstalled McAfee, Kaspersky). Now everything seems to be back to normal. I'm posting this from the 'safe mode' of Firefox via Kaspersky. It might just be me, but my computer still seems a tiny bit slower than it was before all this happened (I'd like to put emphasis on the possibility that it could just be me being cautious). I'm also not sure if there are any keyloggers left, so I would really appreciate it if you guys could look through my logs to see whether or not I'm clean.

Known [previous?] Viruses: Right after I opened up that deadly .exe file, my links from the Google results page started taking me to RANDOM pages, with nothing to do with what I searched for. Shortly after, EVERY program that I would open up would have a few "error messages" before it, with just little pop-up windows saying "Error C:/blahblah", and only after I exited out of 2 or 3 of those would the program open.
Also, I ran a virus scan a couple of nights back after I infected my computer, and when I looked at it in the morning, "Windows Police Pro" was up. Knowing this was a fake program, I closed out of it and deleted it via HKEYblah and the Task Manager (and I also deleted the WPP files on my local disk). The next morning, it was back again. Those are all the viruses that I know of that my computer had been infected with, but I'm still not sure if there are any keyloggers on my computer at the moment.

Thanks for reading, & I tried to make this as descriptive as possible, so sorry for the wall of text. I would appreciate any help/confirmation that my computer is clean (optimism! :( ).

Thanks so much in advance!

DDS Log

DDS (Ver_09-07-30.01) - NTFSx86
Run by Ari at 11:12:32.23 on Sat 09/05/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.894.269 [GMT -4:00]

AV: Kaspersky Internet Security *On-access scanning enabled* (Updated) {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *enabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\SetPoint\LBTWiz.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\jucheck.exe
C:\Documents and Settings\Ari\Desktop\RootRepeal.exe
C:\Documents and Settings\Ari\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\program files\askbardis\bar\bin\askBar.dll
BHO: IEVkbdBHO Class: {59273ab4-e7d3-40f9-a1a8-6fa9cca1862c} - c:\program files\kaspersky lab\kaspersky internet security 2010\ievkbd.dll
BHO: {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: FilterBHO Class: {e33cf602-d945-461a-83f0-819f76a199f8} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Logitech Hardware Abstraction Layer] "c:\program files\common files\logitech\khalshared\KHALMNPR.EXE"
mRun: [<NO NAME>]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [Logitech BT Wizard] LBTWiz.exe -silent
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Windows Generic Host Process] c:\documents and settings\all users\application data\scvhost.exe
mRun: [AVP] "c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\setpoint.lnk - c:\program files\setpoint\SetPoint.exe
IE: Add to Anti-Banner - c:\program files\kaspersky lab\kaspersky internet security 2010\ie_banner_deny.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4248FE82-7FCB-46AC-B270-339F08212110} - {4248FE82-7FCB-46AC-B270-339F08212110} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CCF151D8-D089-449F-A5A4-D9909053F20F} - {CCF151D8-D089-449F-A5A4-D9909053F20F} - c:\program files\kaspersky lab\kaspersky internet security 2010\klwtbbho.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Notify: klogon - c:\windows\system32\klogon.dll
Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ari\applic~1\mozilla\firefox\profiles\2pxnxev7.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 kl1;Kl1;c:\windows\system32\drivers\kl1.sys [2009-6-15 128016]
R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-12-15 33808]
R1 KLIF;Kaspersky Lab Driver;c:\windows\system32\drivers\klif.sys [2009-9-4 296976]
R2 AVP;Kaspersky Internet Security;c:\program files\kaspersky lab\kaspersky internet security 2010\avp.exe [2009-7-3 303376]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2009-5-13 31760]
R3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\drivers\klmouflt.sys [2009-5-16 19472]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;c:\windows\system32\drivers\PPJoyBus.sys [2004-1-23 13952]
S3 BrlAPI;BrlAPI;c:\cygwin\bin\cygrunsrv.exe --> c:\cygwin\bin\cygrunsrv.exe [?]
S3 PPortJoystick;Parallel Port Joystick device driver;c:\windows\system32\drivers\PPortJoy.sys [2004-1-23 28800]

=============== Created Last 30 ================

2009-09-04 07:05 604,140 a--sh--- c:\windows\system32\drivers\ISwift3.dat
2009-09-04 06:51 105,395 a------- c:\windows\system32\drivers\klin.dat
2009-09-04 06:51 94,643 a------- c:\windows\system32\drivers\klick.dat
2009-09-04 06:50 <DIR> --d----- c:\program files\Kaspersky Lab
2009-09-04 06:50 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab
2009-09-04 06:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-09-02 16:56 664 a------- c:\windows\system32\d3d9caps.dat
2009-09-02 05:25 4,539 a------- c:\windows\system32\lkd
2009-09-02 05:21 43 a------- c:\windows\system32\rotscxldbaopyv.dat
2009-08-31 22:25 <DIR> --d----- c:\docume~1\ari\applic~1\Malwarebytes
2009-08-31 22:24 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-31 22:24 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-31 22:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-31 22:24 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-31 22:17 <DIR> --d----- c:\windows\pss
2009-08-31 21:28 <DIR> --d----- c:\program files\Siber Systems
2009-08-31 19:57 <DIR> --d----- c:\program files\CCleaner
2009-08-31 19:09 14,639 a------- c:\windows\system32\rotscxydwhboyg.dat
2009-08-31 17:23 0 a------- C:\LOGBB3.tmp
2009-08-31 17:09 0 a------- C:\LOGBA4.tmp
2009-08-26 18:54 <DIR> --d----- c:\program files\Xiph.Org
2009-08-26 18:49 122,350 a------- c:\windows\system32\xbadpcm.acm
2009-08-26 18:49 917 a------- c:\windows\system32\xbadpcminst.inf
2009-08-26 18:49 24,848 a------- c:\windows\system32\wavdest.ax
2009-08-20 01:29 7,680 a--sh--- c:\windows\Thumbs.db
2009-08-19 00:42 <DIR> --d----- c:\program files\Paint.NET
2009-08-18 16:27 <DIR> --d----- c:\documents and settings\ari\.thumbnails
2009-08-18 16:25 <DIR> --d----- c:\documents and settings\ari\.gimp-2.6
2009-08-18 16:24 <DIR> --d----- c:\program files\GIMP-2.0
2009-08-18 02:31 388,600 a------- c:\temp\script.zip
2009-08-18 02:31 <DIR> --d----- c:\temp\script
2009-08-18 02:26 <DIR> --d----- C:\temp
2009-08-18 02:24 <DIR> --d----- c:\documents and settings\ari\wadunpack
2009-08-18 02:22 16 a------- c:\documents and settings\ari\common-key.bin
2009-08-18 02:20 <DIR> --d----- c:\program files\WADder
2009-08-18 02:10 <DIR> --d----- C:\MyMenu
2009-08-18 01:43 <DIR> --d----- C:\Wii Backup
2009-08-15 23:17 <DIR> --d----- c:\program files\iPod
2009-08-15 23:16 <DIR> --d----- c:\program files\iTunes
2009-08-15 23:16 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-15 22:32 <DIR> --d----- c:\program files\Bonjour
2009-08-15 15:39 <DIR> --d----- c:\docume~1\ari\applic~1\log
2009-08-15 15:39 87,608 a------- c:\docume~1\ari\applic~1\inst.exe
2009-08-15 15:39 47,360 a------- c:\windows\system32\drivers\pcouffin.sys
2009-08-15 15:39 47,360 a------- c:\docume~1\ari\applic~1\pcouffin.sys
2009-08-15 15:39 <DIR> --d----- c:\program files\vso
2009-08-14 01:57 <DIR> --d----- c:\windows\system32\NtmsData
2009-08-14 01:26 <DIR> --d----- c:\program files\WBFS
2009-08-14 01:02 <DIR> --d----- c:\documents and settings\ari\txtcodes
2009-08-14 01:02 <DIR> --d----- c:\documents and settings\ari\images
2009-08-14 01:02 <DIR> --d----- c:\documents and settings\ari\config
2009-08-14 01:02 <DIR> --d----- c:\documents and settings\ari\codes
2009-08-14 00:46 <DIR> --d----- C:\Old
2009-08-12 23:37 <DIR> --d----- C:\Blahhh
2009-08-11 17:59 128,512 -c------ c:\windows\system32\dllcache\dhtmled.ocx
2009-08-11 17:59 1,315,328 -c------ c:\windows\system32\dllcache\msoe.dll
2009-08-10 20:53 <DIR> --d----- c:\program files\Frets on Fire
2009-08-10 13:05 <DIR> --d----- c:\program files\3D Analyzer
2009-08-09 14:27 <DIR> --d----- c:\program files\NVIDIA Corporation
2009-08-09 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2009-08-09 14:24 2,189,856 a------- c:\windows\system32\nvcuvid.dll
2009-08-09 14:24 1,706,528 a------- c:\windows\system32\nvcuvenc.dll
2009-08-09 14:24 1,597,690 a------- c:\windows\system32\nvdata.bin

==================== Find3M ====================

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-14 14:54 10,457,088 a------- c:\windows\system32\nvoglnt.dll
2009-07-14 14:54 7,741,664 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-07-14 14:54 5,842,816 a------- c:\windows\system32\nv4_disp.dll
2009-07-14 14:54 2,002,944 a------- c:\windows\system32\nvcuda.dll
2009-07-14 14:54 868,352 a------- c:\windows\system32\nvapi.dll
2009-07-14 14:54 485,920 a------- c:\windows\system32\nvudisp.exe
2009-07-14 14:54 151,552 a------- c:\windows\system32\nvcodins.dll
2009-07-14 14:54 151,552 a------- c:\windows\system32\nvcod.dll
2009-07-14 13:35 2,173,472 a------- c:\windows\system32\nvcplui.exe
2009-07-14 13:35 81,920 a------- c:\windows\system32\nvwddi.dll
2009-07-14 13:35 4,026,368 a------- c:\windows\system32\nvvitvs.dll
2009-07-14 13:35 3,170,304 a------- c:\windows\system32\nvwss.dll
2009-07-14 13:34 13,877,248 a------- c:\windows\system32\nvcpl.dll
2009-07-14 13:34 4,923,392 a------- c:\windows\system32\nvdisps.dll
2009-07-14 13:34 3,547,136 a------- c:\windows\system32\nvgames.dll
2009-07-14 13:34 1,286,144 a------- c:\windows\system32\nvmobls.dll
2009-07-14 13:34 188,416 a------- c:\windows\system32\nvmccss.dll
2009-07-14 13:34 168,004 a------- c:\windows\system32\nvsvc32.exe
2009-07-14 13:34 143,360 a------- c:\windows\system32\nvcolor.exe
2009-07-14 13:34 86,016 a------- c:\windows\system32\nvmctray.dll
2009-07-14 13:34 229,376 a------- c:\windows\system32\nvmccs.dll
2009-07-12 12:21 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-07-10 07:01 485,920 a------- c:\windows\system32\NVUNINST.EXE
2009-07-03 15:48 219,664 a------- c:\windows\system32\klogon.dll
2009-06-26 12:50 666,624 a------- c:\windows\system32\wininet.dll
2009-06-26 12:50 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 04:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 04:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 04:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 04:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 04:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 04:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-16 10:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 10:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-12 08:31 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 08:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 10:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 02:14 132,096 a------- c:\windows\system32\wkssvc.dll

============= FINISH: 11:14:38.62 ===============


Thanks again!


#2 adiadi

adiadi
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:12:59 AM

Posted 06 September 2009 - 02:37 PM

If possible, please close this. I've found assistance on TSF.
Thanks anyway!

#3 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests
  • OFFLINE

Posted 06 September 2009 - 06:46 PM

Thank you for letting us know, adiadi. :(
