
Nasty Infection Of Trojan-downloader.win32.agent.nsl


  • This topic is locked
2 replies to this topic

#1 Loongy22

Loongy22

  • Members
  • 3 posts

Posted 04 May 2008 - 11:26 PM

I got this trojan when accessing a website and now it disables my Symantec antivirus as well as any new antivirus I try installing, such as F-Secure. Another thing to note is that I cannot access Safe Mode, as it will BSOD me every time I attempt to go into Safe Mode. The problematic files appear to be csw22.sys and winnt32.dll. Besides that, there are the win????.tmp files (inside the tmp folder, which keep coming back every hour or so; ? is a random character).

Deckard's System Scanner (main.txt):
Deckard's System Scanner v20071014.68
Run by User on 2008-05-05 12:15:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 0.52 GiB (less than 15%) free.


-- HijackThis (run as User.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:17, on 2008-05-05
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\F-Secure Internet Security\Common\FSMB32.EXE
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\FlashGet\flashget.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\dss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\User.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Azureus] "C:\Program Files\Azureus\Azureus.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab
O20 - Winlogon Notify: WinNt32 - WinNt32.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\F-Secure Internet Security\FSAUA\program\fsaua.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (file missing)

--
End of file - 8531 bytes

-- Files created between 2008-04-05 and 2008-05-05 -----------------------------

2008-05-05 01:01:00 0 d-------- C:\Documents and Settings\User\Application Data\F-Secure
2008-05-04 15:16:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-04 15:16:43 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-04 12:54:53 0 d-------- C:\Documents and Settings\User\.housecall6.6
2008-05-04 12:46:10 0 d-------- C:\Documents and Settings\User\Application Data\Desktopicon
2008-05-04 10:35:16 68096 --a------ C:\WINDOWS\zip.exe
2008-05-04 10:35:16 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-04 10:35:16 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-04 10:35:16 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-04 10:35:16 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-04 10:35:16 98816 --a------ C:\WINDOWS\sed.exe
2008-05-04 10:35:16 80412 --a------ C:\WINDOWS\grep.exe
2008-05-04 10:35:16 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-04 10:33:51 445952 --a------ C:\WINDOWS\system32\CF17924.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-04 10:23:44 0 d-------- C:\Program Files\RootKit Hook Analyzer
2008-05-04 10:06:56 0 d-------- C:\Documents and Settings\User\Pavark
2008-05-04 01:21:42 0 d-------- C:\Documents and Settings\User\Application Data\Malwarebytes
2008-05-04 01:21:39 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-04 01:21:38 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-04 00:57:49 0 d-------- C:\VundoFix Backups
2008-05-04 00:55:56 4152 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-04 00:55:23 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-04 00:55:23 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2008-05-04 00:55:23 86528 --a------ C:\WINDOWS\system32\VACFix.exe <Not Verified; S!Ri.URZ; VACFix>
2008-05-04 00:55:23 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2008-05-04 00:55:23 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2008-05-04 00:55:23 82944 --a------ C:\WINDOWS\system32\IEDFix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-04 00:55:23 82944 --a------ C:\WINDOWS\system32\404Fix.exe <Not Verified; S!Ri.URZ; IEDFix>
2008-05-04 00:55:21 0 d-------- C:\Documents and Settings\User\SmitfraudFix
2008-05-04 00:42:18 0 d-------- C:\Program Files\Trend Micro
2008-05-03 23:22:59 0 d-------- C:\Program Files\Avira GmbH
2008-05-03 21:06:05 0 d-------- C:\Documents and Settings\All Users\Application Data\F-Secure
2008-05-03 21:05:26 0 d-------- C:\Program Files\F-Secure Internet Security
2008-05-03 21:04:01 0 d-------- C:\Documents and Settings\All Users\Application Data\fssg
2008-05-03 20:47:59 0 d-------- C:\Program Files\Network Associates
2008-05-03 19:45:33 0 d-------- C:\Program Files\BPK
2008-05-03 19:44:18 31232 --a------ C:\WINDOWS\system32\crypts.dll
2008-05-03 19:44:10 14976 --a------ C:\WINDOWS\system32\drivers\Csw22.sys
2008-05-02 04:54:35 24476 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-04-29 12:57:02 135 --a------ C:\WINDOWS\system\MSIDLLCOM.DAT
2008-04-29 12:52:46 3307391 --a------ C:\WINDOWS\system32\mscache.sys
2008-04-27 17:17:23 0 d-------- C:\Documents and Settings\User\Application Data\Ubisoft
2008-04-27 17:17:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Ubisoft
2008-04-27 10:47:53 0 d-------- C:\Program Files\iPod
2008-04-27 10:47:49 0 d-------- C:\Program Files\iTunes
2008-04-27 10:47:22 0 d-------- C:\Program Files\Bonjour
2008-04-27 10:46:50 0 d-------- C:\Program Files\QuickTime
2008-04-20 23:42:54 0 d-------- C:\Documents and Settings\User\Application Data\Datalayer
2008-04-20 23:41:09 0 d-------- C:\Program Files\Common Files\PCSuite
2008-04-20 23:41:09 0 d-------- C:\Program Files\Common Files\Nokia
2008-04-20 23:25:50 0 d-------- C:\Documents and Settings\LocalService\Application Data\PC Suite
2008-04-20 23:23:26 0 d-------- C:\Documents and Settings\User\Phone Browser
2008-04-10 17:21:56 0 d-------- C:\Program Files\SystemRequirementsLab
2008-04-10 17:21:38 0 d-------- C:\Documents and Settings\User\Application Data\SystemRequirementsLab
2008-04-09 19:54:15 1 --a------ C:\WINDOWS\system32\SI.bin


-- Find3M Report ---------------------------------------------------------------

2008-05-05 12:16:49 0 d-------- C:\Program Files\FlashGet
2008-05-05 10:17:06 0 d-------- C:\Program Files\Windows NT
2008-05-05 09:35:31 0 d-------- C:\Program Files\Movie Maker
2008-05-05 06:46:15 0 d-------- C:\Program Files\M33
2008-05-05 05:43:40 0 d-------- C:\Program Files\Fotosizer
2008-05-05 05:24:01 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-05 04:50:58 0 d-------- C:\Program Files\CCleaner
2008-05-05 01:41:12 0 d-------- C:\Documents and Settings\User\Application Data\Xfire
2008-05-05 01:28:54 0 d-------- C:\Documents and Settings\User\Application Data\Azureus
2008-05-03 23:22:59 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-05-02 21:22:59 0 d-------- C:\Program Files\Xfire
2008-05-02 09:58:20 0 d-------- C:\Program Files\mIRC
2008-05-01 18:29:25 0 d-------- C:\Documents and Settings\User\Application Data\U3
2008-04-25 07:17:54 0 d-------- C:\Documents and Settings\User\Application Data\Kingston
2008-04-23 19:04:03 0 d-------- C:\Documents and Settings\User\Application Data\LimeWire
2008-04-20 23:42:56 0 d-------- C:\Documents and Settings\User\Application Data\Nokia
2008-04-20 23:41:52 0 d-------- C:\Documents and Settings\User\Application Data\PC Suite
2008-04-20 23:41:10 0 d-------- C:\Program Files\Nokia
2008-04-20 23:41:09 0 d-------- C:\Program Files\Common Files
2008-04-16 14:09:04 0 d-------- C:\Program Files\Azureus
2008-04-15 18:49:50 0 d-------- C:\Program Files\Hamachi
2008-04-11 17:30:25 0 d-------- C:\Program Files\Java
2008-04-09 19:33:44 24040 --a------ C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2008-04-01 16:57:14 0 d-------- C:\Program Files\Common Files\Merge Modules
2008-04-01 16:56:37 0 d-------- C:\Program Files\Microsoft Visual Studio 8
2008-04-01 16:56:21 0 d-------- C:\Program Files\MSBuild
2008-04-01 10:40:46 0 d-------- C:\Program Files\Microsoft SQL Server
2008-03-31 22:21:23 0 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-03-31 22:02:40 0 d-------- C:\Program Files\Microsoft.NET
2008-03-31 21:59:29 0 d-------- C:\Program Files\Microsoft Device Emulator
2008-03-31 21:59:22 0 d-------- C:\Program Files\Microsoft SQL Server 2005 Mobile Edition
2008-03-31 21:55:09 0 d-------- C:\Program Files\HTML Help Workshop
2008-03-31 21:46:41 0 d-------- C:\Program Files\Common Files\Business Objects
2008-03-31 21:45:42 0 d-------- C:\Program Files\CE Remote Tools
2008-03-31 21:32:57 0 d-------- C:\Program Files\FolderSizes
2008-03-31 21:31:24 0 d-------- C:\Program Files\LucasArts
2008-03-29 15:39:59 0 d-------- C:\Documents and Settings\User\Application Data\Media Player Classic
2008-03-29 15:39:50 0 d-------- C:\Program Files\Real Alternative
2008-03-29 15:39:49 0 d-------- C:\Documents and Settings\User\Application Data\Real
2008-03-27 01:22:32 0 d-------- C:\Documents and Settings\User\Application Data\X-NetStat
2008-03-26 18:35:30 0 d-------- C:\Program Files\Razer
2008-03-25 15:24:43 0 d-------- C:\Documents and Settings\User\Application Data\Command & Conquer 3 Kane's Wrath
2008-03-25 10:50:23 0 d-------- C:\Documents and Settings\User\Application Data\NSeries
2008-03-19 00:33:21 0 d-------- C:\Program Files\ZhuWorks
2008-03-13 20:39:55 0 d-------- C:\Program Files\DIFX
2008-03-13 20:39:47 0 d-------- C:\Program Files\PC Connectivity Solution
2008-03-12 17:40:13 0 d-------- C:\Program Files\Digital Corsair Entertainment
2008-03-12 17:40:13 0 d-------- C:\Program Files\BigPOP


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Azureus"="C:\Program Files\Azureus\Azureus.exe" [2008-03-07 17:02]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2008-05-02 12:15]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-29 05:52]
"F-Secure Manager"="C:\Program Files\F-Secure Internet Security\Common\FSM32.exe" [2007-05-25 21:12]
"F-Secure TNB"="C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WinNt32]
WinNt32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeathAdder]
C:\Program Files\Razer\DeathAdder\razerhid.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure Manager]
"C:\Program Files\F-Secure Internet Security\Common\FSM32.EXE" /splash

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F-Secure TNB]
"C:\Program Files\F-Secure Internet Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
"C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
"C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
sttray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{73be290f-8245-11dc-bdf7-0019d1934e48}]
AutoRun\command- H:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bcc29771-fe02-11dc-abbf-0019d1934e48}]
AutoRun\command- H:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-05-05 12:18:04 ------------



Kaspersky Report:

KASPERSKY ONLINE SCANNER REPORT
2008-05-05 12:10
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/05/2008
Kaspersky Anti-Virus database records: 740231
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\User\LOCALS~1\Temp\
Scan Statistics
Total number of scanned objects 17726
Number of viruses found 2
Number of infected objects 2
Number of suspicious objects 0
Duration of the scan process 00:09:18

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{43308DFF-60EB-4C77-A360-891A0598BB4F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\crypts.dll Infected: Trojan-Downloader.Win32.Small.vea skipped
C:\WINDOWS\system32\drivers\Csw22.sys Infected: Trojan-Downloader.Win32.Agent.nsl skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_12c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\User\LOCALS~1\Temp\hsperfdata_User\3020 Object is locked skipped
C:\DOCUME~1\User\LOCALS~1\Temp\xx2 Object is locked skipped
C:\DOCUME~1\User\LOCALS~1\Temp\xx3 Object is locked skipped
C:\DOCUME~1\User\LOCALS~1\Temp\xx4 Object is locked skipped
C:\DOCUME~1\User\LOCALS~1\Temp\xx5 Object is locked skipped
C:\DOCUME~1\User\LOCALS~1\Temp\xx6 Object is locked skipped
Scan process completed.


===Additional Info from virustotal on crypts.dll===
crypts.dll : [http://www.virustotal.com/analisis/64dd9fb7b6ddeec9e825c57b77c47dd2]

Edited by Loongy22, 04 May 2008 - 11:34 PM.
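As an added triage example (my own code, not a tool from this thread or from any of the scanners used here), the script below runs a few defender-side checks over lines copied from the HijackThis and Deckard's System Scanner output above: third-party Winlogon Notify packages, services whose binary is reported missing, and newly created system32 binaries that carry no version information. The rule names and severities are my own choices, and the sample lines are a constructed subset of the posted logs.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines taken from the HijackThis and DSS output posted
# in this thread, plus benign lines for contrast. Raw strings keep the
# single backslashes exactly as they appear in the log.
SAMPLE_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O20 - Winlogon Notify: WinNt32 - WinNt32.dll (file missing)",
    r"O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Unknown owner - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe (file missing)",
    r"O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe",
    r"2008-05-03 19:44:18 31232 --a------ C:\WINDOWS\system32\crypts.dll",
    r"2008-05-03 19:44:10 14976 --a------ C:\WINDOWS\system32\drivers\Csw22.sys",
    r"2008-05-04 10:35:16 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>",
    r"2008-04-27 10:47:22 0 d-------- C:\Program Files\Bonjour",
]


@dataclass(frozen=True)
class Finding:
    rule: str       # which check fired (names are my own)
    severity: str   # "high" or "medium"
    detail: str     # the entry that triggered it


# HijackThis O20 line: Winlogon Notify package name and DLL, optional "(file missing)".
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$")
# HijackThis O23 line: service display name, owner and binary path.
O23_RE = re.compile(
    r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# DSS "Files created" line: timestamp, size, attributes, path, optional "<vendor info>".
DSS_FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attr>\S{9}) "
    r"(?P<path>[A-Z]:\\.+?)(?P<ver> <.*>)?$")
# A .sys or .dll dropped directly into system32 or system32\drivers.
SYSTEM_BINARY_RE = re.compile(r"\\system32\\(drivers\\)?[^\\]+\.(sys|dll)$", re.IGNORECASE)


def triage(lines: list[str]) -> list[Finding]:
    """Apply the three checks to each log line and return every hit in order."""
    findings: list[Finding] = []
    for raw in lines:
        line = raw.strip()

        m = O20_RE.match(line)
        if m:
            # Winlogon Notify packages are loaded into winlogon.exe at logon and
            # were a common persistence point for malware on XP. An entry whose
            # DLL is reported missing (orphaned, or hidden from the scanner)
            # deserves the closest look.
            sev = "high" if m["missing"] else "medium"
            findings.append(Finding("winlogon-notify", sev, f"{m['name']} -> {m['dll']}"))
            continue

        m = O23_RE.match(line)
        if m:
            # A service whose binary is gone or has no recognised owner is the
            # usual trace of security software being disabled or removed.
            if m["missing"] or m["owner"] == "Unknown owner":
                findings.append(Finding("service-binary-missing", "high", f"{m['svc']}: {m['path']}"))
            continue

        m = DSS_FILE_RE.match(line)
        if m and SYSTEM_BINARY_RE.search(m["path"]) and not m["ver"]:
            # DSS appends "<vendor; product>" when a file carries a version
            # resource; legitimate drivers and system DLLs normally have one,
            # so a fresh system32 binary without it stands out.
            findings.append(Finding("system-binary-no-version-info", "medium",
                                    f"{m['ts']} {m['path']} ({m['size']} bytes)"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

On the sample above this reports the WinNt32 Winlogon Notify entry, the Symantec service with its missing Rtvscan.exe, and the two fresh system32 binaries (crypts.dll and Csw22.sys), while the Adobe BHO, Bonjour service, SteelWerX tool and Bonjour directory are not flagged.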



#2 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 23 May 2008 - 07:49 PM

Hello Loongy22,

Welcome to Bleeping Computer :)

Sorry about the delay. If you still need help, please post a new HijackThis log to make sure nothing has changed, and I'll be happy to look at it for you.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • Gender:Female
  • Location:Wills Point, Texas

Posted 04 June 2008 - 01:38 PM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else, please begin a new topic.
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?