Logs from anti-virus programs
Thanks for your reply Bobeye, I've followed the above steps but I don't think the DDS program worked correctly, as it just brought up a Notepad file straight away without running any scan and gave no options as to producing different logs? I haven't included the entire DDS Notepad file as it was mostly random symbols and didn't include any actual words, plus it was huge. I've just included the only parts that made any sense! The logs are pasted below with the name of the program noted above. Thanks again for your help!
DDS
MZ ÿÿ ¸ @ € º ´ Í!¸LÍ!This program cannot be run in DOS mode.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <dependency>
    <dependentAssembly>
      <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
    </dependentAssembly>
  </dependency>
  <v3:trustInfo xmlns:v3="urn:schemas-microsoft-com:asm.v3">
    <v3:security>
      <v3:requestedPrivileges>
        <!-- level can be "asInvoker", "highestAvailable", or "requireAdministrator" -->
        <v3:requestedExecutionLevel level="highestAvailable" />
      </v3:requestedPrivileges>
    </v3:security>
  </v3:trustInfo>
</assembly>
GMER
GMER 1.0.15.15281 -
http://www.gmer.net
Rootkit scan 2010-10-02 16:58:36
Windows 5.1.2600 Service Pack 2
Running: yecfkd8b.exe; Driver: C:\DOCUME~1\Richard\LOCALS~1\Temp\kxriikog.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xAA604620]
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C7000A
.text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C8000A
.text C:\WINDOWS\Explorer.EXE[744] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A1000C
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007E000A
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007F000A
.text C:\WINDOWS\System32\svchost.exe[1064] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 007D000C
.text C:\WINDOWS\System32\svchost.exe[1064] ole32.dll!CoCreateInstance 774FFAC3 5 Bytes JMP 00A0000A
.text C:\WINDOWS\system32\wuauclt.exe[1096] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B4000A
.text C:\WINDOWS\system32\wuauclt.exe[1096] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00B5000A
.text C:\WINDOWS\system32\wuauclt.exe[1096] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B3000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0149000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 014A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0103000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3168] USER32.dll!TrackPopupMenu 7E4650EE 5 Bytes JMP 103FDDE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----
MBAM
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4728
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180
01/10/2010 22:20:35
mbam-log-2010-10-01 (22-20-35).txt
Scan type: Full scan (C:\|)
Objects scanned: 231882
Time elapsed: 1 hour(s), 18 minute(s), 23 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\cpu.exe (Spyware.Passwords.XGen) -> Quarantined and deleted successfully.