Possible infection, please help.


Unread postby sollidamra » February 21st, 2009, 7:45 am

Could you please have a look at my HijackThis logs, as I think I'm infected. The line I don't recognise is the one that says "Ubersoldier 2 Drivers Auto Removal (pr2anmue)". I am having no internet problems or infection warnings, however. One thing that worries me is that I used my credit card for an online purchase the other day, which was declined for some reason, but about 30 mins after that apparently someone tried to use my card for a purchase in Australia; this was also declined, thankfully. Did they get my details from my PC as I typed, or possibly from the website I was trying to purchase from (ebuyer)?
Your help is very much appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:29:02, on 21/02/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\Matt\Documents\Useful Programs\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ubersoldier 2 Drivers Auto Removal (pr2anmue) (pr2anmue) - Unknown owner - C:\Windows\system32\pr2anmue.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 4266 bytes


StartupList report, 21/02/2009, 11:33:21
StartupList version: 1.52.2
Started from : C:\Users\Matt\Documents\Useful Programs\HiJackThis\HiJackThis.EXE
Detected: Windows Vista SP1 (WinNT 6.00.1905)
Detected: Internet Explorer v7.00 (7.00.6001.18000)
* Using default options
==================================================
Running processes:

C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Users\Matt\Documents\Useful Programs\HiJackThis\HiJackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
--------------------------------------------------
Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\Windows\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

RtHDVCpl = RtHDVCpl.exe
AVG8_TRAY = C:\PROGRA~1\AVG\AVG8\avgtray.exe
ZoneAlarm Client = "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
StartCCC = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

WMPNSCFG = C:\Program Files\Windows Media Player\WMPNSCFG.exe
-------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
=
--------------------------------------------------
Load/Run keys from C:\Windows\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=avgrsstx.dll
--------------------------------------------------
Shell & screensaver key from C:\Windows\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:

AcroIEHelperStub - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll - {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
WormRadar.com IESiteBlocker.NavFilter - C:\Program Files\AVG\AVG8\avgssie.dll - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}
--------------------------------------------------
Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\Windows\system32\Adobe\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shoc ... tor/sw.cab

[{8FFBE65D-2C9C-4669-84BD-5829DC0B603C}]
CODEBASE = http://fpdownload.macromedia.com/get/fl ... rashim.cab

[Shockwave Flash Object]
InProcServer32 = C:\Windows\system32\Macromed\Flash\Flash10a.ocx
CODEBASE = http://fpdownload2.macromedia.com/get/s ... wflash.cab
--------------------------------------------------
Enumerating Winsock LSP files:

NameSpace #1: C:\Windows\system32\NLAapi.dll
NameSpace #2: C:\Windows\system32\napinsp.dll
NameSpace #3: C:\Windows\system32\pnrpnsp.dll
NameSpace #4: C:\Windows\system32\pnrpnsp.dll
NameSpace #7: C:\Program Files\Bonjour\mdnsNSP.dll
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\Windows\system32\webcheck.dll
--------------------------------------------------
End of report, 5,691 bytes
Report generated in 0.000 seconds
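An added example, not from this thread or from HijackThis itself, showing how the O4 (Run keys), O20 (AppInit_DLLs) and O23 (services) lines of a log like the one above can be parsed and triaged before a reviewer reads it by hand. The sample lines are copied from the posted log; the flag rules (missing service binary, unknown owner, bare executable names, any AppInit_DLLs entry) are common first-look heuristics, not HJT's own analysis.

```python
# Triage helper for HijackThis (HJT) log lines.  Parses the O4, O20 and O23
# sections and returns the entries a log reviewer would look at first.
# This is an added example, not code from HijackThis or from the thread.
import re
from dataclasses import dataclass


@dataclass
class Finding:
    code: str    # HJT section the line came from, e.g. "O23"
    name: str    # item name as HJT prints it
    reason: str  # why a reviewer should look at it


# Sample input: a constructed subset of lines copied from the posted log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Ubersoldier 2 Drivers Auto Removal (pr2anmue) (pr2anmue) - Unknown owner - C:\Windows\system32\pr2anmue.exe (file missing)
"""

# O4 - <hive>\..\Run: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20 - AppInit_DLLs: <dll list>
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# O23 - Service: <name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)


def exe_of(cmd: str) -> str:
    """Return the executable part of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(log_text: str) -> list:
    """Scan HJT log text and return the entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            exe = exe_of(m["cmd"])
            # A bare file name (no directory, no %VAR%) is resolved through
            # the search path at logon, so the reviewer cannot tell from the
            # log alone which file actually runs.
            if "\\" not in exe and not exe.startswith("%"):
                findings.append(Finding("O4", m["name"],
                    f"bare executable name {exe!r}: resolved via search path, "
                    "confirm which file actually runs"))
        elif m := O20_RE.match(line):
            # AppInit_DLLs are loaded into every process that links user32.dll,
            # so every entry gets a vendor check (here it is AVG's, per the log).
            for dll in m["dlls"].replace(",", " ").split():
                findings.append(Finding("O20", dll,
                    "AppInit_DLLs entry is loaded into every user32 process; "
                    "confirm the vendor"))
        elif m := O23_RE.match(line):
            reasons = []
            if m["missing"]:
                reasons.append("service binary missing on disk (orphaned entry)")
            if m["owner"].lower().startswith("unknown"):
                reasons.append("no vendor/owner information")
            if reasons:
                findings.append(Finding("O23", m["name"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.name}: {f.reason}")
```

On the sample above this flags the bare RtHDVCpl.exe entry, the AppInit_DLLs entry and the orphaned Ubersoldier service, and leaves the fully-pathed ZoneAlarm entry and the AVG service alone.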

Re: Possible infection, please help.

Unread postby Carolyn » March 7th, 2009, 4:10 pm

Hello and Welcome to the forums!

My name is Carolyn and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Please do not run any other tool until instructed to do so!
Please reply to this thread, do not start another!
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.


If you follow these instructions, everything should go smoothly.



I am sorry that we were unable to reply to your post sooner. The forums have been very busy.

Note: Vista Users, to run tools please right-click on the program icon and select "Run as administrator"

Step 1

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop.

Step 2

Please download gmer.zip from Gmer and save it to your desktop.

  1. Right click on gmer.zip and select Extract All....
  2. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  3. Click on the Browse button. Click on Desktop. Then click OK.
  4. Click Next. It will start extracting.
  5. Once done, check (tick) the Show extracted files box and click Finish.

Double click on gmer.exe to run it. It will start running a scan. If it detects rootkit activity, you will receive a prompt to run a full scan. Click Yes.

  • When done, you may receive another notice. Click OK.
  • Click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

If you receive no notice, click on the Scan button.

  • It will start scanning again.
  • When done, click on Save ... to save a log.
  • Copy and paste in Gmer.txt and click Save.
  • Close Gmer.

Note: Do not run any programs while Gmer is running.

In your next reply, please post:

  1. DDS.txt
  2. Attach.txt
  3. Gmer.txt

Re: Possible infection, please help.

Unread postby sollidamra » March 7th, 2009, 6:16 pm

Hi Carolyn & thanks for your help.
Since posting I've been trying to fix the problem. Using AVG, anti-malware and Defender, and running them in sequence multiple times, I cleared all threats found. I then deleted the files directly using a DOS utility, searched the registry and removed all references to the offending files. I have not found any threats since, but I would appreciate it if you could have a look at my log files anyway to get an expert opinion.

DDS.txt
DDS (Ver_09-02-01.01) - NTFSx86
Run by Matt at 21:50:27.45 on 07/03/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3326.2445 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Users\Matt\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 pe3anmue;Ubersoldier 2 Environment Driver (pe3anmue);c:\windows\system32\drivers\pe3anmue.sys [2008-2-21 65152]
R0 ps7anmue;Ubersoldier 2 Synchronization Driver (ps7anmue);c:\windows\system32\drivers\ps7anmue.sys [2008-2-21 68744]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-4 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-29 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-4 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-4 298264]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2007-7-16 30752]

=============== Created Last 30 ================

2009-02-21 00:01 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-13 22:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-13 22:19 <DIR> --d----- c:\users\matt\appdata\roaming\Malwarebytes
2009-02-13 22:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 22:19 <DIR> --d----- c:\programdata\Malwarebytes
2009-02-13 22:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 22:19 <DIR> --d----- c:\progra~2\Malwarebytes
2009-02-13 21:46 <DIR> --d----- c:\windows\system32\Adobe
2009-02-12 00:05 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-12 00:05 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-12 00:05 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-12 00:05 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-12 00:05 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-02-12 00:05 11,264 a------- c:\windows\system32\icardres.dll
2009-02-12 00:05 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-12 00:05 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-12 00:00 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-12 00:00 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-12 00:00 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-12 00:00 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-12 00:00 83,968 a------- c:\windows\system32\mscories.dll
2009-02-11 23:57 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-11 23:57 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-11 23:57 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-11 23:57 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-11 23:57 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-11 19:21 827,392 a------- c:\windows\system32\wininet.dll
2009-02-11 19:21 1,383,424 a------- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-03-07 21:14 348,371 a---h--- c:\windows\system32\drivers\vsconfig.xml
2009-01-29 00:55 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-29 00:55 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-29 00:55 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-26 21:03 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-26 21:03 51,200 a------- c:\windows\inf\infpub.dat
2008-12-26 21:03 86,016 a------- c:\windows\inf\infstor.dat
2008-12-25 21:55 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-04 17:20 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 02:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 21:51:22.94 ===============

attach.txt
DDS (Ver_09-02-01.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 04/11/2008 16:33:46
System Uptime: 03/07/2009 21:13:38 (-2832 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | GA-73PVM-S2H
Processor: Intel(R) Core(TM)2 Duo CPU E8500 @ 3.16GHz | Socket 775 | 24333/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 38.821 GiB free.
D: is FIXED (NTFS) - 75 GiB total, 70.63 GiB free.
E: is CDROM (UDF)
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP110: 14/02/2009 22:23:42 - Scheduled Checkpoint
RP111: 17/02/2009 19:48:18 - Windows Update
RP112: 18/02/2009 20:23:33 - Scheduled Checkpoint
RP113: 19/02/2009 22:01:24 - Windows Update
RP114: 21/02/2009 13:23:33 - Scheduled Checkpoint
RP115: 23/02/2009 21:06:16 - Windows Update
RP116: 26/02/2009 23:22:56 - Windows Update
RP117: 02/03/2009 21:00:38 - Windows Update
RP118: 03/03/2009 20:27:23 - Scheduled Checkpoint
RP120: 04/03/2009 20:02:38 - Avg8 Update
RP121: 06/03/2009 19:55:56 - Windows Update

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player 11
AGEIA PhysX v2.3.3
Apple Mobile Device Support
Apple Software Update
ATI AVIVO Codecs
ATI Catalyst Install Manager
AVG Free 8.0
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
Day of Defeat: Source
EAX4 Unified Redist
EPSON Scan
Ghost Recon Advanced Warfighter
Grand Theft Auto IV
GRAW Patch 1.35
GTA San Andreas
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HydraVision
iTunes
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
NVIDIA Drivers
Paint Shop Pro 7 Try And Buy
QuickTime
Realtek High Definition Audio Driver
Rockstar Games Social Club
Skins
Steam
Tom Clancy's Splinter Cell Double Agent
TomTom HOME 2.5.2.60
VC 9.0 Runtime
VC_MergeModuleToMSI
WinRAR archiver
World of Warcraft FREE Trial
ZoneAlarm

==== Event Viewer Messages From Past Week ========

28/02/2009 20:49:51, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.5 for the Network Card with network address 001D7DE98678 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
03/03/2009 19:49:34, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 001D7DE98678 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
04/03/2009 21:32:38, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 001D7DE98678 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).

==== End Of File ===========================

gmer.txt
GMER 1.0.15.14833 - http://www.gmer.net
Rootkit scan 2009-03-07 22:06:50
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwAlpcConnectPort [0x8F1CF738]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0x8F1CF398]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0x8F1CC7C6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0x8F1D7BF8]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0x8F1CFAEE]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0x8F1D55F6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0x8F1D5810]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0x8F1D9528]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0x8F1CFB96]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0x8F1CCCA6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0x8F1D84F4]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0x8F1D8270]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0x8F1D4FF6]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0x8F1D8A22]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0x8F1D8A9A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKeyEx [0x8F1D8B12]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0x8F1CCB3E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0x8F1D6D6E]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0x8F1D6B6C]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0x8F1D9154]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0x8F1D8B8A]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0x8F1CF022]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0x8F1D8F94]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0x8F1CF538]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0x8F1CCE94]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0x8F1D7F76]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0x8F1D5F84]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0x8F1D5E60]
SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateUserProcess [0x8F1D5A2E]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 370 81EBA934 4 Bytes [38, F7, 1C, 8F] {CMP BH, DH; SBB AL, 0x8f}
.text ntkrnlpa.exe!KeSetTimerEx + 3F4 81EBA9B8 4 Bytes [98, F3, 1C, 8F]
.text ntkrnlpa.exe!KeSetTimerEx + 40C 81EBA9D0 4 Bytes [C6, C7, 1C, 8F]
.text ntkrnlpa.exe!KeSetTimerEx + 41C 81EBA9E0 4 Bytes [F8, 7B, 1D, 8F]
.text ntkrnlpa.exe!KeSetTimerEx + 438 81EBA9FC 12 Bytes [EE, FA, 1C, 8F, F6, 55, 1D, ...]
.text ...

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Tcp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

Re: Possible infection, please help.

Unread postby Carolyn » March 8th, 2009, 9:01 am

Hi,

Those logs look clean. Let's do an online scan just to be certain nothing has been missed.

Please make sure that all programs are closed when installing Java.

  1. Click here to visit Java's website.
  2. Scroll down to Java Runtime Environment (JRE) 6 Update 12. Click on Download.
  3. Select Windows from the drop-down list for Platform.
  4. Select Multi-language from the drop-down list for Language.
  5. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  6. Click on jre-6u12-windows-i586-p.exe link to download it and save this to a convenient location.
  7. Right click on jre-6u12-windows-i586-p.exe and select Run As Administrator to install Java.
  8. After the Java installation has finished, right click on your favourite web browser (Internet Explorer, Firefox, etc) and select Run As Administrator to run it.
  9. Go to Kaspersky website and perform an online antivirus scan.
  10. Read through the requirements and privacy statement and click on Accept button.
  11. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  12. When the downloads have finished, click on Settings.
  13. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  14. Click on My Computer under Scan.
  15. Once the scan is complete, it will display the results. Click on View Scan Report.
  16. You will see a list of infected items there. Click on Save Report As....
  17. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  18. Please post this log in your next reply along with a fresh DDS log.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Possible infection, please help.

Unread postby sollidamra » March 10th, 2009, 8:43 pm

Hi, I've posted my logs below. The 6 infections found are for programs I know about and are meant to be there.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, March 11, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, March 10, 2009 22:55:20
Records in database: 1887115
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 121152
Threat name: 2
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 01:23:46


File name / Threat name / Threats count
C:\Users\Matt\Documents\Useful Programs\IP Scan\ipscan.ajh Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\Users\Matt\Documents\Useful Programs\IP Scan\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\Users\Matt\Documents\Useful Programs\VNC\vnc-3.3.6-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\Users\Matt\Documents\Useful Programs\VNC\vnc-3.3.6-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
D:\LAPTOP BACKUP\Documents and Settings\Chris\Desktop\Misc. progs\IP Scan\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
D:\LAPTOP BACKUP\Documents and Settings\Chris\Desktop\TKMAXX\IP Scan\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1

The selected area was scanned.


DDS (Ver_09-02-01.01) - NTFSx86
Run by Matt at 0:34:12.15 on 11/03/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.3326.2114 [GMT 0:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
FW: ZoneAlarm Firewall *enabled*

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\ZoneLabs\vsmon.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Windows\system32\SearchIndexer.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Matt\Desktop\dds.com
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.co.uk/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/fl ... rashim.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/s ... wflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
AppInit_DLLs: avgrsstx.dll

============= SERVICES / DRIVERS ===============

R0 pe3anmue;Ubersoldier 2 Environment Driver (pe3anmue);c:\windows\system32\drivers\pe3anmue.sys [2008-2-21 65152]
R0 ps7anmue;Ubersoldier 2 Synchronization Driver (ps7anmue);c:\windows\system32\drivers\ps7anmue.sys [2008-2-21 68744]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-4 325128]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-29 107272]
R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-11-4 903960]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-11-4 298264]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2007-7-16 30752]

=============== Created Last 30 ================

2009-03-08 23:44 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 00:13 <DIR> a-d----- c:\programdata\TEMP
2009-03-07 23:49 <DIR> --d----- c:\program files\Enigma Software Group
2009-02-21 00:01 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-02-13 22:19 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-13 22:19 <DIR> --d----- c:\users\matt\appdata\roaming\Malwarebytes
2009-02-13 22:19 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-13 22:19 <DIR> --d----- c:\programdata\Malwarebytes
2009-02-13 22:19 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-13 22:19 <DIR> --d----- c:\progra~2\Malwarebytes
2009-02-13 21:46 <DIR> --d----- c:\windows\system32\Adobe
2009-02-12 00:05 622,080 a------- c:\windows\system32\icardagt.exe
2009-02-12 00:05 105,016 a------- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2009-02-12 00:05 97,800 a------- c:\windows\system32\infocardapi.dll
2009-02-12 00:05 43,544 a------- c:\windows\system32\PresentationHostProxy.dll
2009-02-12 00:05 37,384 a------- c:\windows\system32\infocardcpl.cpl
2009-02-12 00:05 11,264 a------- c:\windows\system32\icardres.dll
2009-02-12 00:05 781,344 a------- c:\windows\system32\PresentationNative_v0300.dll
2009-02-12 00:05 326,160 a------- c:\windows\system32\PresentationHost.exe
2009-02-12 00:00 96,760 a------- c:\windows\system32\dfshim.dll
2009-02-12 00:00 282,112 a------- c:\windows\system32\mscoree.dll
2009-02-12 00:00 41,984 a------- c:\windows\system32\netfxperf.dll
2009-02-12 00:00 158,720 a------- c:\windows\system32\mscorier.dll
2009-02-12 00:00 83,968 a------- c:\windows\system32\mscories.dll
2009-02-11 23:57 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-11 23:57 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-11 23:57 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-11 23:57 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-11 23:57 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-11 19:21 827,392 a------- c:\windows\system32\wininet.dll
2009-02-11 19:21 1,383,424 a------- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-03-10 20:57 348,371 a---h--- c:\windows\system32\drivers\vsconfig.xml
2009-01-29 00:55 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-29 00:55 325,128 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-29 00:55 107,272 a------- c:\windows\system32\drivers\avgtdix.sys
2008-12-26 21:03 86,016 a------- c:\windows\inf\infstrng.dat
2008-12-26 21:03 51,200 a------- c:\windows\inf\infpub.dat
2008-12-26 21:03 86,016 a------- c:\windows\inf\infstor.dat
2008-12-25 21:55 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-11-04 17:20 665,600 a------- c:\windows\inf\drvindex.dat
2008-01-21 02:43 174 a--sh--- c:\program files\desktop.ini
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 0:34:51.83 ===============

DDS (Ver_09-02-01.01)

Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 04/11/2008 16:33:46
System Uptime: 03/10/2009 20:57:25 (-4964 hours ago)

Motherboard: Gigabyte Technology Co., Ltd. | | GA-73PVM-S2H
Processor: Intel(R) Core(TM)2 Duo CPU E8500 @ 3.16GHz | Socket 775 | 24333/333mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 149 GiB total, 37.708 GiB free.
D: is FIXED (NTFS) - 75 GiB total, 70.63 GiB free.
E: is CDROM (UDF)
F: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP114: 21/02/2009 13:23:33 - Scheduled Checkpoint
RP115: 23/02/2009 21:06:16 - Windows Update
RP116: 26/02/2009 23:22:56 - Windows Update
RP117: 02/03/2009 21:00:38 - Windows Update
RP118: 03/03/2009 20:27:23 - Scheduled Checkpoint
RP120: 04/03/2009 20:02:38 - Avg8 Update
RP121: 06/03/2009 19:55:56 - Windows Update
RP122: 08/03/2009 13:15:05 - Scheduled Checkpoint
RP123: 08/03/2009 18:57:49 - Windows Update
RP124: 08/03/2009 18:58:48 - Windows Update
RP125: 08/03/2009 23:43:35 - Installed Java(TM) 6 Update 12
RP126: 09/03/2009 17:54:31 - Windows Update
RP127: 10/03/2009 21:17:58 - Windows Update
RP129: 10/03/2009 21:26:29 - Windows Defender Checkpoint

==== Installed Programs ======================

Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe Shockwave Player 11
AGEIA PhysX v2.3.3
Apple Mobile Device Support
Apple Software Update
ATI AVIVO Codecs
ATI Catalyst Install Manager
AVG Free 8.0
Bonjour
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center Graphics Previews Vista
Catalyst Control Center HydraVision Full
Catalyst Control Center InstallProxy
ccc-core-static
ccc-utility
CCC Help English
CCleaner (remove only)
Day of Defeat: Source
EAX4 Unified Redist
EPSON Scan
Ghost Recon Advanced Warfighter
Grand Theft Auto IV
GRAW Patch 1.35
GTA San Andreas
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HydraVision
iTunes
Java(TM) 6 Update 12
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Games for Windows - LIVE
Microsoft Games for Windows - LIVE Redistributable
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
NVIDIA Drivers
Paint Shop Pro 7 Try And Buy
Portal
QuickTime
Realtek High Definition Audio Driver
Rockstar Games Social Club
Skins
Steam
Tom Clancy's Splinter Cell Double Agent
TomTom HOME 2.5.2.60
VC 9.0 Runtime
VC_MergeModuleToMSI
WinRAR archiver
World of Warcraft FREE Trial
ZoneAlarm

==== Event Viewer Messages From Past Week ========

04/03/2009 20:00:56, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 001D7DE98678 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
04/03/2009 21:32:38, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 001D7DE98678 has been denied by the DHCP server 192.168.2.1 (The DHCP Server sent a DHCPNACK message).
08/03/2009 15:06:12, Error: EventLog [6008] - The previous system shutdown at 15:04:14 on 08/03/2009 was unexpected.
08/03/2009 15:07:50, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect.
08/03/2009 15:07:50, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
08/03/2009 18:58:46, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x800f020b: NVIDIA driver update for NVIDIA GeForce 7100 / NVIDIA nForce 630i.
09/03/2009 17:50:53, Error: Microsoft-Windows-PrintSpooler [19] - The print spooler failed to share printer Microsoft Office Document Image Writer with shared resource name Microsoft Office Document Image Writer. Error 2114. The printer cannot be used by others on the network.

==== End Of File ===========================
sollidamra
Active Member
 
Posts: 4
Joined: February 21st, 2009, 7:03 am
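An added triage helper for reports in the Kaspersky Online Scanner format quoted above (example code written for this page, not a tool from the thread or from Kaspersky): it separates verdicts prefixed `not-a-virus:` (port scanners, remote-admin tools, the kind of entries the poster recognised as his own) from genuine malware verdicts, so a helper reviews the right lines first. The sample report is constructed from the post's own entries plus one placeholder trojan line that is not from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample, modelled on the "File name / Threat name / Threats count"
# section of the Kaspersky Online Scanner 7 report quoted in the thread.
# The first two rows mirror real entries from the post; the third is a
# placeholder added here to show how a genuine malware verdict is separated
# from a "not-a-virus" riskware verdict.
SAMPLE_REPORT = """\
File name / Threat name / Threats count
C:\\Users\\Matt\\Documents\\Useful Programs\\IP Scan\\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c 1
C:\\Users\\Matt\\Documents\\Useful Programs\\VNC\\vnc-3.3.6-x86_win32.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c 1
C:\\Users\\Matt\\AppData\\Local\\Temp\\placeholder.exe Infected: Trojan-Downloader.Win32.PLACEHOLDER.a 1

The selected area was scanned.
"""

# One report row: a path (may contain spaces), the verdict string, the hit count.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<count>\d+)$")

RISKWARE_PREFIX = "not-a-virus:"


@dataclass(frozen=True)
class Detection:
    path: str
    verdict: str
    count: int

    @property
    def is_riskware(self) -> bool:
        # Kaspersky prefixes legitimate-but-abusable tools with "not-a-virus:".
        return self.verdict.startswith(RISKWARE_PREFIX)

    @property
    def family(self) -> str:
        # "not-a-virus:NetTool.Win32.Portscan.c" -> "NetTool";
        # "Trojan-Downloader.Win32.X.a" -> "Trojan-Downloader".
        name = self.verdict[len(RISKWARE_PREFIX):] if self.is_riskware else self.verdict
        return name.split(".", 1)[0]


def parse_report(text: str) -> list[Detection]:
    """Extract detection rows from the report; header, blanks and footer are skipped."""
    detections = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            detections.append(Detection(m["path"], m["verdict"], int(m["count"])))
    return detections


def triage(detections: list[Detection]) -> dict:
    """Split verdicts into riskware (confirm with the user) and malware (act on)."""
    riskware = [d for d in detections if d.is_riskware]
    malware = [d for d in detections if not d.is_riskware]
    return {
        "riskware": riskware,
        "malware": malware,
        "riskware_families": Counter(d.family for d in riskware),
        # Same figure the report prints as "Threat name:": distinct verdict strings.
        "distinct_threat_names": len({d.verdict for d in detections}),
    }


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    print(f"{len(result['malware'])} malware, {len(result['riskware'])} riskware")
    for d in result["malware"]:
        print("ACT   :", d.path, d.verdict)
    for d in result["riskware"]:
        print("REVIEW:", d.path, d.family)
```

A riskware row still needs the user to confirm the tool is one they installed themselves, as the poster did here; the split only decides which rows to ask about.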

Re: Possible infection, please help.

Unread postby Carolyn » March 12th, 2009, 11:34 am

This is my general post for when your logs show no signs of malware ;) Please let me know if you are having any problems with your computer and what these problems are.

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:
  • Please delete DDS.exe from your computer
  • Go to Start --> Run and copy/paste C:\WINDOWS\gmer_uninstall.cmd into the run window, click Okay. When that process completes, please reboot your computer.

Protection Programs
Don't forget to re-enable any protection programs we disabled during your fix.

General Security and Computer Health
Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Clear Infected System Restore Points
    Turn off System Restore-Vista
    • Click the Vista/Start icon.
    • Right Click >> Computer
    • Click Properties.
    • Click the System Protection tab.
    • Uncheck All drives
    • Click "Turn Off System Restore" at the prompt then click "Apply".
    • Restart your computer.

    Turn ON System Restore-Vista
    • Click the Vista/Start icon
    • Right Click >> Computer
    • Click Properties.
    • Click the System Protection tab.
    • Checkmark All drives that were selected previously then click "Apply".


  • Set correct settings for files
    • Click Start > Computer > Organize menu (at top of page) > Folder and Search Options > View tab.
    • Under Hidden files and folders if necessary select Do not show hidden files and folders.
    • If unchecked please check Hide protected operating system files (Recommended)
    • If necessary check Display content of system folders
    • If necessary Uncheck Hide file extensions for known file types.
    • Click OK


  • Make sure that you keep your antivirus updated
    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
    Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.


  • Security Updates for Windows, Internet Explorer & Microsoft Office
    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab.

  • Update Non-Microsoft Programs
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector - I suggest that you run it at least once a month.

  • Make Internet Explorer More Secure
    You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE


Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol
    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • Malwarebytes' Anti-Malware
    Malwarebytes' Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware. It includes a number of features, including a built-in protection monitor that blocks malicious processes before they even start. You can download Malwarebytes' Anti-Malware from HERE. You can find a tutorial HERE.

  • Hosts File
    For added protection you may also like to add a host file. A simple explanation of what a Hosts file does is HERE and for more information regarding host files read HERE.

    Be sure to disable the service "DNS Client" FIRST to allow the use of large HOSTS files without slowdowns.
    If this isn't done first, the next reboot may take a VERY LONG TIME.
    This is how to do it. First be sure you are signed in as a user with administrative privileges:

    Stop and Disable the DNS Client Service
    • Go to Start, in the Start Search box type Run, when the run window opens type Services.msc and click OK.
    • Under the Extended tab, scroll down and find this service: DNS Client
    • Right-click on the DNS Client service. Choose Properties.
    • Select the General tab. Click on the Stop button.
    • Click the arrow-down tab on the right-hand side at the Start-up Type box.
    • From the drop-down menu, click on Manual.
    • Click the Apply tab, then click OK.


  • Use an alternative Internet Browser
    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead:
    Firefox
    Opera


Finally I am trying to make one point very clear. It is absolutely essential to keep all of your security programs up to date.

Also please read this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.
Carolyn
MRU Emeritus
Posts: 4701
Joined: April 18th, 2007, 9:36 am
Location: Maine

Re: Possible infection, please help.

Unread postby sollidamra » March 12th, 2009, 11:55 am

Hi, and thanks for your help.
Will certainly implement the tips for future security.

matt
sollidamra
Active Member
 
Posts: 4
Joined: February 21st, 2009, 7:03 am

Re: Possible infection, please help.

Unread postby NonSuch » March 12th, 2009, 12:20 pm

As this issue is resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
Posts: 28747
Joined: February 23rd, 2005, 7:08 am
Location: California