
virus newgina


  • This topic is locked
11 replies to this topic

#1 1pocket
  • Members
  • 6 posts

Posted 09 January 2012 - 01:59 PM

I had Avast run a scan on my computer last night and it shows a few viruses that it can not remove.

Attached are the DDS files. Sorry, I forgot to run the GMER log. I will do that in the morning


Computer seems to be running fine. Just very concerned about these programs.

Thanks in advance

1pocket

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by dvr at 9:39:58 on 2012-01-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1392 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
svchost.exe
C:\Program Files\NetSupport Manager\client32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Canon\Solution Menu EX\CNSEMAIN.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Aventura Technologies\Aventura DVR Server\DvrMain.exe
C:\Program Files\Aventura Technologies\Aventura DVR Server\Softdog.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [CanonSolutionMenuEx] c:\program files\canon\solution menu ex\CNSEMAIN.EXE /logon
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvrser~1.lnk - c:\windows\installer\{ee098d54-3f29-4826-a3dc-22230e320322}\_04F891D583B2ED2DFBE72F.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1 205.171.3.65
TCP: Interfaces\{BD24DB2B-4F8B-4D8E-B742-6DD30498D6BD} : DhcpNameServer = 192.168.0.1 205.171.3.65
Notify: AtiExtEvent - Ati2evxx.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-8 435032]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-1-8 314456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-1-8 20568]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-1-8 44768]
R3 AtcL001;NDIS Miniport Driver for Attansic L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\atl01_xp.sys [2010-6-8 38656]
R3 DS40xxDrv;Wdm Driver for DS40xx series;c:\windows\system32\drivers\Dvr.sys [2007-12-20 27328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
.
=============== Created Last 30 ================
.
2012-01-09 00:16:30 435032 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-01-09 00:15:44 41184 ----a-w- c:\windows\avastSS.scr
2012-01-02 15:57:24 -------- d-----w- C:\BurningSoftware
2012-01-02 06:49:41 -------- d-----w- c:\program files\Aventura Technologies
2012-01-02 04:52:39 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2012-01-02 04:52:39 21504 ----a-w- c:\windows\system32\hidserv.dll
2012-01-02 04:52:07 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys
2012-01-02 04:52:07 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2012-01-02 04:52:04 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-01-02 04:52:04 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-02 04:51:54 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys
2012-01-02 04:51:54 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys
2012-01-02 00:13:30 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-01-02 00:13:30 -------- d-----w- c:\windows\system32\wbem\Repository
2012-01-02 00:03:38 -------- d-----w- C:\BurningSoftware(2)
2012-01-01 23:06:27 -------- d-sh--w- c:\documents and settings\dvr\IECompatCache
2011-12-25 21:37:39 -------- d-----w- c:\windows\pss
2011-12-16 06:04:14 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-14 21:29:54 -------- d-----w- c:\documents and settings\dvr\local settings\application data\Identities
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ------w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ------w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:37:08 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:02 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ----a-w- c:\windows\system32\encdec.dll
.
============= FINISH: 9:49:08.23 ===============

Edited by Noviciate, 09 January 2012 - 03:33 PM.
Added DDS from attachment
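The DDS log above is what the helpers in this thread read by eye. The script below is an added example (it is not a BleepingComputer, DDS or OTL tool) that splits such a log into its "=== Section ===" blocks and flags the entries a triager looks at first: processes listed without a path, autorun entries that give only a bare file name (resolved through the search path, so a same-named file earlier in the path would win), entries launched from the Windows Installer cache, and kernel drivers loaded from outside system32\drivers. The excerpt is taken from the log in this post; the allow-listed directories and the heuristics are assumptions of this example, and a flagged entry is something to verify, not a verdict.

```python
"""Triage helper for DDS-style logs.

Added example, not a BleepingComputer or DDS tool: it splits a DDS log into its
"=== Section ===" blocks and flags the entries a helper would look at first.
The heuristics are assumptions of this example, not rules from the thread.
"""
import re

# Constructed excerpt of the DDS log quoted in the post above (raw string so
# the Windows backslashes survive as-is).
SAMPLE_DDS = r"""
============== Running Processes ===============
.
C:\WINDOWS\system32\nvsvc32.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\NetSupport Manager\client32.exe
C:\Program Files\Aventura Technologies\Aventura DVR Server\Softdog.exe
.
============== Pseudo HJT Report ===============
.
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [nwiz] nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dvrser~1.lnk - c:\windows\installer\{ee098d54-3f29-4826-a3dc-22230e320322}\_04F891D583B2ED2DFBE72F.exe
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-1-8 435032]
R3 DS40xxDrv;Wdm Driver for DS40xx series;c:\windows\system32\drivers\Dvr.sys [2007-12-20 27328]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-8 136176]
.
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
AUTORUN_RE = re.compile(r"^(uRun|mRun|StartupFolder):\s*(?:\[[^\]]*\]\s*)?(?P<cmd>.+)$")
SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s+\[(?P<date>[\d-]+)\s+(?P<size>\d+)\]$"
)

# Assumed "expected" locations; anything else is worth a second look.
ALLOWED_PREFIXES = ("c:\\windows\\", "c:\\program files\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"


def parse_sections(text):
    """Return {section title: [non-empty lines]} in log order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def executable_of(cmd):
    """First token of a command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def triage(text):
    """Return (kind, item, reason) tuples for entries that need a manual check."""
    sections = parse_sections(text)
    findings = []
    for line in sections.get("Running Processes", []):
        exe = executable_of(line)
        if "\\" not in exe:  # the log printed a name only, no path
            findings.append(("process", exe, "no path recorded; identify the process by hand"))
    for line in sections.get("Pseudo HJT Report", []):
        m = AUTORUN_RE.match(line)
        if not m:
            continue
        kind, cmd = m.group(1), m.group("cmd")
        if kind == "StartupFolder":  # "<shortcut> - <target>": keep the target
            cmd = cmd.rsplit(" - ", 1)[-1]
        exe = executable_of(cmd)
        low = exe.lower()
        if "\\" not in exe:
            findings.append((kind, exe, "bare file name, resolved through the search path"))
        elif not low.startswith(ALLOWED_PREFIXES):
            findings.append((kind, exe, "outside Windows and Program Files"))
        elif "\\installer\\{" in low:
            findings.append((kind, exe, "runs from the Windows Installer cache; confirm the owning package"))
    for line in sections.get("SERVICES / DRIVERS", []):
        m = SERVICE_RE.match(line)
        if m and m.group("path").lower().endswith(".sys") \
                and not m.group("path").lower().startswith(DRIVER_DIR):
            findings.append(("driver", m.group("name"), "kernel driver outside system32\\drivers"))
    return findings


if __name__ == "__main__":
    for kind, item, reason in triage(SAMPLE_DDS):
        print(f"{kind:14} {item}\n{'':14}   -> {reason}")
```

On the excerpt this flags the path-less svchost.exe entry, the four autoruns written as bare names (the Realtek and NVIDIA entries, which are normal on a box with those drivers), and the DVR startup shortcut that runs an executable out of the Windows Installer cache; the avast drivers and the DS40xx driver sit where drivers belong and are not reported.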



#2 1pocket
  • Topic Starter
  • Members
  • 6 posts

Posted 12 January 2012 - 05:25 PM

Here is the GMER log.

Attached Files

  • Attached File  ark.txt   100.88KB   3 downloads


#3 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 13 January 2012 - 04:10 PM

Hi,

Welcome to Bleeping Computer.

My name is Shannon and I will be working with you to remove the malware that is on your machine.

I apologize for the delay in replying to your post, but this forum is extremely busy.

Please Track this topic - On the top right of this thread, click on the Watch Topic button, click on 'Immediate Email Notification', and then click on the Proceed button at the bottom.

Do Not make any changes on your own to the infected computer.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now, let's look more thoroughly at the infected computer -

We need to see some information about what is happening in your machine. Please perform the following scan:
  • We need to create an OTL Report
  • Please download OTL from here:
  • Main Mirror
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "Use SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them into your reply:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

Next, please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

Once you have the above logs, click on the Add Reply button below, copy in the contents of the two OTL logs and the RKU log. Also include any comments that you might have concerning the infection(s) and the infected computer.
Shannon

#4 1pocket
  • Topic Starter
  • Members
  • 6 posts

Posted 15 January 2012 - 05:24 PM

Here are the logs you requested.

Thanks again for your help,


#5 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 16 January 2012 - 10:52 AM

Hi-

I am not seeing any problems in the logs/reports that you sent. Is Avast still finding the infection(s)? If so, could you send me the report from Avast and also the latest log from Malwarebytes' Anti-Malware (under the Logs tab)?
Shannon

#6 1pocket
  • Topic Starter
  • Members
  • 6 posts

Posted 17 January 2012 - 11:53 AM

Here is the Malwarebytes log. I am not sure how to copy the Avast log?
I am running a DVR program on this computer. I'm not sure if this is the problem.

I will call the company today and check with them.

Thanks again,


#7 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 17 January 2012 - 03:05 PM

Hi-

You should be able to find the Avast log here - C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\aswAR.log.

Attach the log to your next reply.
Shannon

#8 1pocket
  • Topic Starter
  • Members
  • 6 posts

Posted 19 January 2012 - 11:56 AM

Here is the Avast log. I am running another scan with avast. And it looks like it has found one infection so far.

When Avast does find an infection and cleans it, the DVR software does not work any more. So then I have to re-install it.

Thanks

Edited by 1pocket, 19 January 2012 - 11:59 AM.


#9 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 19 January 2012 - 02:26 PM

Let me know what it finds.
Shannon

#10 1pocket
  • Topic Starter
  • Members
  • 6 posts

Posted 23 January 2012 - 05:02 PM

Ok, Avast is showing the same infections. I contacted the DVR manufacturer and they said the software opens a couple of ports. So I'm sure that is what Avast is picking up. They told me just to do an exclusion for the 2 files and I should be fine... I did that and I am not having any more problems...

Thanks again for your help
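The vendor's explanation in the post above ("the software opens a couple of ports") is something the owner of the box can confirm directly rather than take on trust before adding antivirus exclusions: `netstat -ano` lists every bound socket with its PID, and `tasklist` maps PIDs to image names. The script below is an added example (not the DVR vendor's or the forum's tooling) that joins the two and reports, per process, which ports it has open and whether they are bound to all interfaces or only to loopback. The netstat output, PIDs and port numbers are constructed for illustration; the image names match the DDS process list, but the ports are not the real ports of the Aventura DVR software.

```python
"""Map listening sockets to processes from "netstat -ano" output.

Added example, not the DVR vendor's or the forum's tooling. The output, PIDs
and port numbers below are constructed for illustration; they are not the
real ports of the DVR software discussed in the thread.
"""

# Constructed "netstat -ano" output (Windows column layout).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING       1844
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING       1844
  TCP    192.168.0.5:3287       74.125.224.72:443      ESTABLISHED     2216
  UDP    0.0.0.0:8001           *:*                                    1844
  UDP    127.0.0.1:1900         *:*                                    1012
"""

# Constructed PID -> image name map, as "tasklist" would report it. The
# names match the process list in the DDS log; the PIDs are invented.
SAMPLE_PIDS = {1012: "svchost.exe", 1844: "DvrMain.exe", 2216: "chrome.exe"}


def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, state, pid) per socket row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank, or "Active Connections"
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:  # UDP rows have no State column
            state, pid = "", parts[3]
        ip, port = local.rsplit(":", 1)  # also copes with "[::]:135"
        rows.append((proto, ip, int(port), state, int(pid)))
    return rows


def exposure(ip):
    """Classify a bound address by who can reach it (assumed categories)."""
    if ip in ("0.0.0.0", "[::]"):
        return "all interfaces"
    if ip.startswith("127.") or ip == "[::1]":
        return "loopback only"
    return "one interface"


def listeners_by_process(netstat_text, pid_map):
    """Return {image name: [(proto, ip, port, exposure)]} for bound sockets."""
    result = {}
    for proto, ip, port, state, pid in parse_netstat(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing sockets are not "open ports"
        name = pid_map.get(pid, f"pid {pid}")
        result.setdefault(name, []).append((proto, ip, port, exposure(ip)))
    return result


if __name__ == "__main__":
    for name, socks in listeners_by_process(SAMPLE_NETSTAT, SAMPLE_PIDS).items():
        for proto, ip, port, where in socks:
            print(f"{name:12} {proto} {ip}:{port}  ({where})")
```

With the constructed data, DvrMain.exe shows TCP 8000 and UDP 8001 on all interfaces plus TCP 1027 on loopback, while chrome.exe, which only has an outbound connection, is not reported. Ports a vendor says are "opened by the software" should appear against that vendor's image name; anything listening under a different process, or a port the vendor did not mention, is worth asking about before the files are excluded from scanning.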

#11 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 23 January 2012 - 05:41 PM

Glad you identified the problem and fixed it!!
Shannon

#12 Shannon2012
  • Security Colleague
  • 3,657 posts

Posted 23 January 2012 - 05:42 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
Shannon
