
Avg Threat Detected - Trojan Horse Clicker.ndn


  • This topic is locked
13 replies to this topic

#1 lanrat
Posted 06 May 2008 - 01:14 PM

Hi,

Could somebody please help with the removal of this pesky Trojan Horse. AVG does *not* "heal" or "Move to Vault" and Trend Micro HouseCall does not even find it, and an older version of HJT also did not remove the file identified. (Have not tried with this version yet.)

Thanks in advance for any assistance! MH


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:43 AM, on 06/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lexpps.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CrossLoop\CrossLoopConnect.exe
C:\Program Files\CrossLoop\winvnc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8718BEFD-35CE-48C3-A8E3-D09ACA6A73B5} - c:\windows\system32\ctl3d32n.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gnvfupxv - C:\WINDOWS\SYSTEM32\ctl3d32n.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe

--
End of file - 6443 bytes


#2 Buckeye_Sam
    Malware Expert

Posted 07 May 2008 - 01:33 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please go to this page and scroll down to step 6.
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Follow the directions there to run DSS and then post those logs back here in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 lanrat

  • Topic Starter

Posted 08 May 2008 - 01:23 PM

Hi Sam,

Thanks for your help. Sorry for the delay in getting back to you. Below is the Deckard scan logfile you requested - hope this can help us find the varmint! - MH

Deckard's System Scanner v20071014.68
Run by Michel on 2008-05-08 11:10:21
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-05-08 18:10:26 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Michel.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:11:49 AM, on 08/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CrossLoop\CrossLoopConnect.exe
C:\Program Files\CrossLoop\winvnc.exe
D:\Utitilities\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Michel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8718BEFD-35CE-48C3-A8E3-D09ACA6A73B5} - c:\windows\system32\ctl3d32n.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gnvfupxv - C:\WINDOWS\SYSTEM32\ctl3d32n.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe

--
End of file - 6328 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 ccsgtjqp - c:\windows\system32\drivers\tigyeahn.dat
R3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>

S3 cmpci (C-Media PCI Audio Driver (WDM)) - c:\windows\system32\drivers\cmaudio.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {D45B1C18-C8FA-11D1-9F77-0000F805F530}
Description: NT Apm/Legacy Interface Node
Device ID: ROOT\NTAPM\0000
Manufacturer: Microsoft
Name: NT Apm/Legacy Interface Node
PNP Device ID: ROOT\NTAPM\0000
Service: NtApm

Class GUID:
Description: Multimedia Audio Controller
Device ID: PCI\VEN_13F6&DEV_0111&SUBSYS_011113F6&REV_10\2&EBB567F&0&68
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_13F6&DEV_0111&SUBSYS_011113F6&REV_10\2&EBB567F&0&68
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_13F6&DEV_0211&SUBSYS_021113F6&REV_10\2&EBB567F&0&69
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_13F6&DEV_0211&SUBSYS_021113F6&REV_10\2&EBB567F&0&69
Service:

Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
Description: PC/AT PS/2 Keyboard (84-Key)
Device ID: ROOT\*PNP0301\1_0_22_0_32_0
Manufacturer: (Standard keyboards)
Name: PC/AT PS/2 Keyboard (84-Key)
PNP Device ID: ROOT\*PNP0301\1_0_22_0_32_0
Service: i8042prt


-- Scheduled Tasks -------------------------------------------------------------

2008-05-08 10:39:50 436 --a------ C:\WINDOWS\Tasks\At1.job
2008-04-25 17:28:04 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-04-08 and 2008-05-08 -----------------------------

2008-05-06 11:05:28 0 d-------- C:\Program Files\Trend Micro
2008-05-06 10:10:54 0 d-------- C:\Program Files\CrossLoop
2008-05-05 17:54:11 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-05 17:53:51 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-05 17:53:51 0 d-------- C:\Documents and Settings\TEMP\Application Data\SUPERAntiSpyware.com
2008-05-05 17:53:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 17:45:08 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2008-05-05 17:27:56 0 d-------- C:\Documents and Settings\TEMP\Application Data\Lavasoft
2008-05-05 09:07:17 0 d-------- C:\Program Files\ORL
2008-05-03 13:16:45 0 d-------- C:\Documents and Settings\TEMP\.housecall6.6
2008-05-03 13:15:49 0 d-------- C:\Documents and Settings\TEMP\Application Data\Sun
2008-05-02 08:34:09 0 d-------- C:\Documents and Settings\Guest\Application Data\Adobe
2008-05-02 08:32:29 0 d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-05-02 08:32:22 0 d-------- C:\Documents and Settings\Guest\Application Data\FaxCtr
2008-05-02 08:28:29 0 d-------- C:\Documents and Settings\TEMP\Application Data\Macromedia
2008-05-02 08:28:28 0 d-------- C:\Documents and Settings\TEMP\Application Data\Adobe
2008-05-02 08:27:51 0 d-------- C:\Documents and Settings\TEMP\Application Data\Google
2008-05-02 08:23:43 0 d-------- C:\Documents and Settings\TEMP\Application Data\FaxCtr
2008-05-02 08:23:43 0 d-------- C:\Documents and Settings\TEMP\Application Data\AVG7
2008-05-02 08:22:58 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
2008-05-02 08:19:29 0 d--h----- C:\Documents and Settings\TEMP\Templates
2008-05-02 08:19:29 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2008-05-02 08:19:29 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2008-05-02 08:19:29 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2008-05-02 08:19:29 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2008-05-02 08:19:29 0 dr------- C:\Documents and Settings\TEMP\My Documents
2008-05-02 08:19:29 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2008-05-02 08:19:29 0 dr------- C:\Documents and Settings\TEMP\Favorites
2008-05-02 08:19:29 0 d-------- C:\Documents and Settings\TEMP\Desktop
2008-05-02 08:19:29 0 d---s---- C:\Documents and Settings\TEMP\Cookies
2008-05-02 08:19:29 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2008-05-02 08:19:29 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2008-05-02 08:19:28 1048576 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2008-04-26 12:32:37 12219983 -----n--- C:\avg7qt.dat
2008-04-24 18:25:22 0 d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-24 18:25:18 20608 --a------ C:\WINDOWS\system32\drivers\tigyeahn.dat


-- Find3M Report ---------------------------------------------------------------

2008-05-05 17:53:26 0 d-------- C:\Program Files\Common Files
2008-05-01 08:36:23 2068 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-06 14:39:03 1956 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-26 23:34:28 0 d-------- C:\Program Files\PokerStars.NET
2008-03-26 23:16:22 0 d-------- C:\Program Files\PartyGaming


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8718BEFD-35CE-48C3-A8E3-D09ACA6A73B5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 10:32 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11 AM]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [08/02/2007 03:52 PM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [08/02/2007 03:56 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [17/04/2008 11:13 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/12/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/12/2007 01:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 09:24 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/07/2007 11:30 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gnvfupxv]
ctl3d32n.dll 04/08/2004 05:00 AM 82432 C:\WINDOWS\system32\ctl3d32n.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
espoqgdu




-- End of Deckard's System Scanner: finished at 2008-05-08 11:13:40 ------------

#4 Buckeye_Sam
    Malware Expert

Posted 08 May 2008 - 04:43 PM

Please download OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\ctl3d32n.dll
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gnvfupxv
    C:\WINDOWS\Tasks\At1.job
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


After rebooting, please post a new DSS log and the log from OTMoveIt.

#5 lanrat

  • Topic Starter

Posted 08 May 2008 - 05:06 PM

Hey Sam, thanks for the prompt reply - I'll get right on it and post back. MH :^)

#6 lanrat

  • Topic Starter

Posted 08 May 2008 - 05:32 PM

Hi Sam,

This is the log *before* re-booting the machine -

--- OTMoveIt2 log ---
LoadLibrary failed for C:\WINDOWS\system32\ctl3d32n.dll
C:\WINDOWS\system32\ctl3d32n.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\ctl3d32n.dll scheduled to be moved on reboot.
< HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gnvfupxv >
Unable to delete registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gnvfupxv\\ .
C:\WINDOWS\Tasks\At1.job moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05082008_151128
--- End OTMoveIT log ---

Machine rebooted as requested...

Deckard's System Scanner v20071014.68
Run by Michel on 2008-05-08 15:30:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Michel.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:31:00 PM, on 08/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\CrossLoop\CrossLoopConnect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CrossLoop\winvnc.exe
D:\Utitilities\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Michel.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8718BEFD-35CE-48C3-A8E3-D09ACA6A73B5} - c:\windows\system32\ctl3d32n.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [lxczbmgr.exe] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gnvfupxv - C:\WINDOWS\SYSTEM32\ctl3d32n.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxcz_device - - C:\WINDOWS\system32\lxczcoms.exe

--
End of file - 6316 bytes

-- Files created between 2008-04-08 and 2008-05-08 -----------------------------

2008-05-06 11:05:28 0 d-------- C:\Program Files\Trend Micro
2008-05-06 10:10:54 0 d-------- C:\Program Files\CrossLoop
2008-05-05 17:54:11 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-05 17:53:51 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-05 17:53:51 0 d-------- C:\Documents and Settings\TEMP\Application Data\SUPERAntiSpyware.com
2008-05-05 17:53:26 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 17:45:08 0 dr-h----- C:\Documents and Settings\TEMP\Recent
2008-05-05 17:27:56 0 d-------- C:\Documents and Settings\TEMP\Application Data\Lavasoft
2008-05-05 09:07:17 0 d-------- C:\Program Files\ORL
2008-05-03 13:16:45 0 d-------- C:\Documents and Settings\TEMP\.housecall6.6
2008-05-03 13:15:49 0 d-------- C:\Documents and Settings\TEMP\Application Data\Sun
2008-05-02 08:34:09 0 d-------- C:\Documents and Settings\Guest\Application Data\Adobe
2008-05-02 08:32:29 0 d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-05-02 08:32:22 0 d-------- C:\Documents and Settings\Guest\Application Data\FaxCtr
2008-05-02 08:28:29 0 d-------- C:\Documents and Settings\TEMP\Application Data\Macromedia
2008-05-02 08:28:28 0 d-------- C:\Documents and Settings\TEMP\Application Data\Adobe
2008-05-02 08:27:51 0 d-------- C:\Documents and Settings\TEMP\Application Data\Google
2008-05-02 08:23:43 0 d-------- C:\Documents and Settings\TEMP\Application Data\FaxCtr
2008-05-02 08:23:43 0 d-------- C:\Documents and Settings\TEMP\Application Data\AVG7
2008-05-02 08:22:58 0 d-------- C:\Documents and Settings\TEMP\Application Data\Identities
2008-05-02 08:19:29 0 d--h----- C:\Documents and Settings\TEMP\Templates
2008-05-02 08:19:29 0 dr------- C:\Documents and Settings\TEMP\Start Menu
2008-05-02 08:19:29 0 dr-h----- C:\Documents and Settings\TEMP\SendTo
2008-05-02 08:19:29 0 d--h----- C:\Documents and Settings\TEMP\PrintHood
2008-05-02 08:19:29 0 d--h----- C:\Documents and Settings\TEMP\NetHood
2008-05-02 08:19:29 0 dr------- C:\Documents and Settings\TEMP\My Documents
2008-05-02 08:19:29 0 d--h----- C:\Documents and Settings\TEMP\Local Settings
2008-05-02 08:19:29 0 dr------- C:\Documents and Settings\TEMP\Favorites
2008-05-02 08:19:29 0 d-------- C:\Documents and Settings\TEMP\Desktop
2008-05-02 08:19:29 0 d---s---- C:\Documents and Settings\TEMP\Cookies
2008-05-02 08:19:29 0 dr-h----- C:\Documents and Settings\TEMP\Application Data
2008-05-02 08:19:29 0 d---s---- C:\Documents and Settings\TEMP\Application Data\Microsoft
2008-05-02 08:19:28 1048576 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT
2008-04-26 12:32:37 12219983 -----n--- C:\avg7qt.dat
2008-04-24 18:25:22 0 d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-24 18:25:18 20608 --a------ C:\WINDOWS\system32\drivers\tigyeahn.dat


-- Find3M Report ---------------------------------------------------------------

2008-05-05 17:53:26 0 d-------- C:\Program Files\Common Files
2008-05-01 08:36:23 2068 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-04-06 14:39:03 1956 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-03-26 23:34:28 0 d-------- C:\Program Files\PokerStars.NET
2008-03-26 23:16:22 0 d-------- C:\Program Files\PartyGaming


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8718BEFD-35CE-48C3-A8E3-D09ACA6A73B5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [04/02/2002 10:32 PM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11 AM]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [08/02/2007 03:52 PM]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [08/02/2007 03:56 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [17/04/2008 11:13 AM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/12/2007 11:56 AM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [11/12/2007 01:10 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00 AM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 09:24 AM]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [08/07/2007 11:30 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 12:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 12:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gnvfupxv]
ctl3d32n.dll 04/08/2004 05:00 AM 82432 C:\WINDOWS\system32\ctl3d32n.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
espoqgdu




-- End of Deckard's System Scanner: finished at 2008-05-08 15:31:47 ------------

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 09 May 2008 - 07:55 AM

Please download ComboFix and save it to your desktop.
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#8 lanrat

lanrat
  • Topic Starter

  • Members
  • 15 posts

Posted 09 May 2008 - 12:16 PM

Morning Sam,

Below is the log from running "ComboFix".

I should mention that the infected PC is a friend's that I am trying to help remotely, hence the reason for the "Remote Support Listener" and "C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe" entries.

Having said that I talked him through the ComboFix execution after I got him to disconnect from the 'net.

I see that the infected file "C:\WINDOWS\system32\ctl3d32n.dll" is still there - pesky varmit!!

Please advise if you think it's a better idea to totally isolate the machine and work on it directly and I will make arrangements to get it to me. Thanks again for the help. MH

PS - the reason for the "Recovery Console" msg is because I had disabled 'System Recovery' earlier in my attempts and have not as yet re-enabled it - pls advise if this is a problem.

------------ log.txt --------------
ComboFix 08-05-08.1 - Michel 2008-05-09 9:35:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.490 [GMT -7:00]
Running from: C:\Documents and Settings\Michel\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\ODCTOOLS
C:\WINDOWS\system32\ctl3d32n.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ESPOQGDU
-------\Service_espoqgdu


((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.

2008-05-09 09:45 . 2008-05-09 09:45 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-09 09:28 . 2008-05-09 09:29 <DIR> d-------- C:\Program Files\Remote Support System
2008-05-08 17:38 . 2008-05-08 17:38 34,304 --a------ C:\WINDOWS\system32\NTSVC.ocx
2008-05-08 15:11 . 2008-05-08 15:11 <DIR> d-------- C:\_OTMoveIt
2008-05-08 11:10 . 2008-05-08 11:10 <DIR> d-------- C:\Deckard
2008-05-06 11:05 . 2008-05-06 11:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-06 10:10 . 2008-05-08 15:26 <DIR> d-------- C:\Program Files\CrossLoop
2008-05-05 17:54 . 2008-05-05 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-05 17:53 . 2008-05-05 19:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-05 17:53 . 2008-05-05 17:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 17:53 . 2008-05-05 17:53 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\SUPERAntiSpyware.com
2008-05-05 17:27 . 2008-05-05 17:27 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Lavasoft
2008-05-05 09:29 . 2008-05-03 13:17 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-05 09:27 . 2008-05-05 09:27 268 --ah----- C:\sqmdata19.sqm
2008-05-05 09:27 . 2008-05-05 09:27 244 --ah----- C:\sqmnoopt19.sqm
2008-05-05 09:07 . 2008-05-09 09:33 <DIR> d-------- C:\Program Files\ORL
2008-05-04 23:41 . 2008-05-04 23:41 268 --ah----- C:\sqmdata18.sqm
2008-05-04 23:41 . 2008-05-04 23:41 244 --ah----- C:\sqmnoopt18.sqm
2008-05-04 08:28 . 2008-05-04 08:28 268 --ah----- C:\sqmdata17.sqm
2008-05-04 08:28 . 2008-05-04 08:28 244 --ah----- C:\sqmnoopt17.sqm
2008-05-03 22:07 . 2008-05-03 22:07 268 --ah----- C:\sqmdata16.sqm
2008-05-03 22:07 . 2008-05-03 22:07 244 --ah----- C:\sqmnoopt16.sqm
2008-05-03 13:16 . 2008-05-05 11:02 <DIR> d-------- C:\Documents and Settings\TEMP\.housecall6.6
2008-05-03 13:13 . 2008-05-03 13:13 244 --ah----- C:\sqmnoopt15.sqm
2008-05-03 13:13 . 2008-05-03 13:13 232 --ah----- C:\sqmdata15.sqm
2008-05-03 13:11 . 2008-05-03 13:11 244 --ah----- C:\sqmnoopt14.sqm
2008-05-03 13:11 . 2008-05-03 13:11 232 --ah----- C:\sqmdata14.sqm
2008-05-02 08:32 . 2008-05-02 08:32 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\FaxCtr
2008-05-02 08:32 . 2008-05-02 08:32 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-05-02 08:23 . 2008-05-02 08:23 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\FaxCtr
2008-05-02 08:23 . 2008-05-05 17:18 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\AVG7
2008-05-02 08:19 . 2008-05-05 17:45 <DIR> d-------- C:\Documents and Settings\TEMP
2008-05-02 08:19 . 2008-05-09 09:41 1,024 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT.LOG
2008-04-26 12:32 . 2008-04-26 12:32 12,219,983 --------- C:\avg7qt.dat
2008-04-24 18:25 . 2008-04-24 18:25 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-24 18:25 . 2008-04-24 18:25 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-24 18:25 . 2008-04-24 18:25 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-04-24 18:25 . 20,608 C:\WINDOWS\system32\drivers\tigyeahn.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-02 15:33 --------- d-----w C:\Documents and Settings\Guest\Application Data\LimeWire
2008-04-14 06:57 --------- d-----w C:\Documents and Settings\Josh\Application Data\LimeWire
2008-04-12 17:30 --------- d-----w C:\Documents and Settings\Josh\Application Data\AVG7
2008-03-27 06:34 --------- d-----w C:\Program Files\PokerStars.NET
2008-03-27 06:16 --------- d-----w C:\Program Files\PartyGaming
2008-03-11 04:55 --------- d-----w C:\Documents and Settings\Josh\Application Data\uTorrent
2006-07-13 17:04 1,694,668 ----a-w C:\Documents and Settings\Guest\AssociateThis_Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8718BEFD-35CE-48C3-A8E3-D09ACA6A73B5}]
2004-08-04 05:00 82432 --a------ c:\windows\system32\ctl3d32n.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 23:30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 15:52 74672]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 15:56 295856]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 11:13 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"Remote Support Listener"="C:\Program Files\Remote Support System\Listener.exe" [2007-03-07 00:23 294912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-29 09:31 219136]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-16 15:00:00 147456]

C:\Documents and Settings\Josh\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-16 15:00:00 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxblpswx.exe"=
"D:\\StubInstaller.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Josh\\My Documents\\utorrent.exe"=
"C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R0 ccsgtjqp;ccsgtjqp;C:\WINDOWS\system32\drivers\tigyeahn.dat []
R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 15:50]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 14:05]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2004-08-04 05:00]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 14:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 00:28:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 09:49:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ccsgtjqp]
"ImagePath"="system32\drivers\tigyeahn.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark 1200 Series\LXCZbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-09 9:51:58 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-09 16:51:47

Pre-Run: 21,140,299,776 bytes free
Post-Run: 21,362,929,664 bytes free

177 --- E O F --- 2008-05-08 17:42:03

Edited by lanrat, 09 May 2008 - 12:18 PM.


#9 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 May 2008 - 06:58 AM

We should be ok. Let's see where this next step gets us.

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript, and save it to your desktop.

Driver::
ccsgtjqp

File::
C:\WINDOWS\system32\drivers\tigyeahn.dat
c:\windows\system32\ctl3d32n.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8718BEFD-35CE-48C3-A8E3-D09ACA6A73B5}]

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


========================================================
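The entries Buckeye_Sam targets in the CFScript above (the unrecognised Winlogon Notify handler, the BHO backed by the same DLL, the boot-start "driver" whose image is a .dat file, and the extra svchost NetSvcs name) can be picked out of HijackThis/DSS/ComboFix-style log text mechanically. The Python below is an added example and is not part of this thread or of any of the tools it names. Its sample log lines are constructed to mirror the format of the logs posted above and reuse the entry names those logs show; the Windows XP default Winlogon Notify list and the rule that start types 0 and 1 are only valid for kernel drivers are assumptions the example rests on.

```python
"""Triage persistence entries in HijackThis / DSS / ComboFix style log text.

Added example (not from the thread or the tools it names). It looks for the
kinds of entries the helper acted on: Winlogon Notify handlers that are not
part of a default XP install, a BHO whose DLL is also registered elsewhere,
boot/system-start "drivers" whose image is not a .sys file, and extra svchost
NetSvcs names. Findings are cross-referenced by file name so one file that is
registered at several persistence points stands out.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Winlogon Notify subkeys shipped with a default Windows XP SP2 install
# (assumption used by this example). Third-party security tools such as
# SUPERAntiSpyware legitimately add their own, so unknown names are reported
# for review rather than as malicious.
XP_DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample mirroring the log formats posted in the thread; the
# entry names are the ones those logs show.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: gnvfupxv - C:\WINDOWS\SYSTEM32\ctl3d32n.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8718BEFD-35CE-48C3-A8E3-D09ACA6A73B5}]
2004-08-04 05:00 82432 --a------ c:\windows\system32\ctl3d32n.dll
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
espoqgdu

R0 ccsgtjqp;ccsgtjqp;C:\WINDOWS\system32\drivers\tigyeahn.dat []
R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 15:50]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 14:05]
"""

NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)\s*$")
# ComboFix service lines: R/S = running/stopped, digit = start type,
# then name;display name;image path [timestamp]
SERVICE_RE = re.compile(r"^[RS]([0-4]) ([^;]+);[^;]*;(.+?)\s*\[[^\]]*\]\s*$")
BHO_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]\s*$")
NETSVCS_RE = re.compile(r"\\Svchost - NetSvcs\s*$")
WINPATH_RE = re.compile(r"([A-Za-z]:\\.+?)\s*$")
BARE_NAME_RE = re.compile(r"[\w.-]+")


def _file_name(path):
    return PureWindowsPath(path).name.lower()


def triage(log_text):
    """Return a list of finding dicts (kind, name, path, severity, reason)."""
    findings = []
    seen_at = defaultdict(list)  # lower-cased file name -> persistence points
    lines = [ln.strip() for ln in log_text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if m := NOTIFY_RE.match(line):
            name, path = m.groups()
            seen_at[_file_name(path)].append(f"winlogon_notify:{name}")
            if name.lower() not in XP_DEFAULT_NOTIFY:
                findings.append(dict(kind="winlogon_notify", name=name, path=path, severity="review",
                                     reason="Winlogon Notify handler not on a default XP install"))
        elif m := SERVICE_RE.match(line):
            start, name, path = m.groups()
            seen_at[_file_name(path)].append(f"service:{name}")
            # start types 0 (boot) and 1 (system) are only valid for kernel drivers,
            # and a kernel driver image is expected to be a .sys file
            if start in ("0", "1") and not path.lower().endswith(".sys"):
                findings.append(dict(kind="driver", name=name, path=path, severity="high",
                                     reason="boot/system-start driver whose image is not a .sys file"))
        elif m := BHO_RE.match(line):
            # in DSS/ComboFix registry dumps the DLL backing the BHO is on the next line
            if i < len(lines) and (fm := WINPATH_RE.search(lines[i])):
                seen_at[_file_name(fm.group(1))].append(f"bho:{m.group(1)}")
                i += 1
        elif NETSVCS_RE.search(line):
            # the scanner prints only NetSvcs names it does not recognise as defaults
            while i < len(lines) and BARE_NAME_RE.fullmatch(lines[i]):
                findings.append(dict(kind="netsvcs", name=lines[i], path=None, severity="high",
                                     reason="service name under svchost NetSvcs not recognised as a default"))
                i += 1
    for fname, places in seen_at.items():
        if len(places) > 1:
            findings.append(dict(kind="cross_reference", name=fname, path=None, severity="high",
                                 reason="same file registered at several persistence points: "
                                        + ", ".join(places)))
    return findings


if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: f["severity"]):
        print(f"[{f['severity']:>6}] {f['kind']:<16} {f['name']:<40} {f['reason']}")
```

Run against the sample, it reports the R0 entry, the NetSvcs name and the DLL shared by the BHO and the Winlogon Notify handler as high, and both non-default Notify handlers (including SUPERAntiSpyware's) as review items; the R2 printer service and the S1 .sys driver are not reported.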

#10 lanrat

lanrat
  • Topic Starter

  • Members
  • 15 posts

Posted 20 May 2008 - 12:43 PM

Hi Sam,
Sorry for the 10 days of no response - hope you're still checking in.

Will post results in the next hour.

Thanks

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 20 May 2008 - 01:20 PM

No problem, just post back when you can.
I'll be around. :thumbsup:


========================================================

#12 lanrat

lanrat
  • Topic Starter

  • Members
  • 15 posts

Posted 21 May 2008 - 11:37 AM

Hi Sam,

Here's the log. Looks like we just might have got it this time. Scan with AVG after the reboot did not come up with any errors and the offending file (c:\windows\system32\ctl3d32n.dll) was successfully deleted.

Look forward to your review. :^)


-------- log ---------
ComboFix 08-05-19.4 - Michel 2008-05-20 11:14:38.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.487 [GMT -7:00]
Running from: C:\Documents and Settings\Michel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Michel\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\ctl3d32n.dll
C:\WINDOWS\system32\drivers\tigyeahn.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\ctl3d32n.dll
C:\WINDOWS\system32\drivers\tigyeahn.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CCSGTJQP
-------\Service_ccsgtjqp


((((((((((((((((((((((((( Files Created from 2008-04-20 to 2008-05-20 )))))))))))))))))))))))))))))))
.

2008-05-09 09:28 . 2008-05-09 09:29 <DIR> d-------- C:\Program Files\Remote Support System
2008-05-08 17:38 . 2008-05-08 17:38 34,304 --a------ C:\WINDOWS\system32\NTSVC.ocx
2008-05-08 15:11 . 2008-05-08 15:11 <DIR> d-------- C:\_OTMoveIt
2008-05-08 11:10 . 2008-05-08 11:10 <DIR> d-------- C:\Deckard
2008-05-06 11:05 . 2008-05-06 11:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-06 10:10 . 2008-05-08 15:26 <DIR> d-------- C:\Program Files\CrossLoop
2008-05-05 17:54 . 2008-05-05 17:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-05 17:53 . 2008-05-05 19:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-05-05 17:53 . 2008-05-05 17:53 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 17:53 . 2008-05-05 17:53 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\SUPERAntiSpyware.com
2008-05-05 17:27 . 2008-05-05 17:27 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\Lavasoft
2008-05-05 09:29 . 2008-05-03 13:17 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-05-05 09:27 . 2008-05-05 09:27 268 --ah----- C:\sqmdata19.sqm
2008-05-05 09:27 . 2008-05-05 09:27 244 --ah----- C:\sqmnoopt19.sqm
2008-05-05 09:07 . 2008-05-20 11:07 <DIR> d-------- C:\Program Files\ORL
2008-05-04 23:41 . 2008-05-04 23:41 268 --ah----- C:\sqmdata18.sqm
2008-05-04 23:41 . 2008-05-04 23:41 244 --ah----- C:\sqmnoopt18.sqm
2008-05-04 08:28 . 2008-05-04 08:28 268 --ah----- C:\sqmdata17.sqm
2008-05-04 08:28 . 2008-05-04 08:28 244 --ah----- C:\sqmnoopt17.sqm
2008-05-03 22:07 . 2008-05-03 22:07 268 --ah----- C:\sqmdata16.sqm
2008-05-03 22:07 . 2008-05-03 22:07 244 --ah----- C:\sqmnoopt16.sqm
2008-05-03 13:16 . 2008-05-05 11:02 <DIR> d-------- C:\Documents and Settings\TEMP\.housecall6.6
2008-05-03 13:13 . 2008-05-03 13:13 244 --ah----- C:\sqmnoopt15.sqm
2008-05-03 13:13 . 2008-05-03 13:13 232 --ah----- C:\sqmdata15.sqm
2008-05-03 13:11 . 2008-05-03 13:11 244 --ah----- C:\sqmnoopt14.sqm
2008-05-03 13:11 . 2008-05-03 13:11 232 --ah----- C:\sqmdata14.sqm
2008-05-02 08:32 . 2008-05-02 08:32 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\FaxCtr
2008-05-02 08:32 . 2008-05-02 08:32 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\AVG7
2008-05-02 08:23 . 2008-05-02 08:23 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\FaxCtr
2008-05-02 08:23 . 2008-05-05 17:18 <DIR> d-------- C:\Documents and Settings\TEMP\Application Data\AVG7
2008-05-02 08:19 . 2008-05-05 17:45 <DIR> d-------- C:\Documents and Settings\TEMP
2008-05-02 08:19 . 2008-05-20 11:19 1,024 --ah----- C:\Documents and Settings\TEMP\NTUSER.DAT.LOG
2008-04-26 12:32 . 2008-04-26 12:32 12,219,983 --------- C:\avg7qt.dat
2008-04-24 18:25 . 2008-04-24 18:25 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-24 18:25 . 2008-04-24 18:25 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-24 18:25 . 2008-04-24 18:25 196,608 --a------ C:\WINDOWS\system32\libssl32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 16:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-05-02 15:33 --------- d-----w C:\Documents and Settings\Guest\Application Data\LimeWire
2008-04-14 06:57 --------- d-----w C:\Documents and Settings\Josh\Application Data\LimeWire
2008-04-12 17:30 --------- d-----w C:\Documents and Settings\Josh\Application Data\AVG7
2008-03-27 06:34 --------- d-----w C:\Program Files\PokerStars.NET
2008-03-27 06:16 --------- d-----w C:\Program Files\PartyGaming
2006-07-13 17:04 1,694,668 ----a-w C:\Documents and Settings\Guest\AssociateThis_Setup.exe
.

((((((((((((((((((((((((((((( snapshot@2008-05-09_ 9.51.15.26 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-09 16:41:43 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-20 18:19:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2000-08-31 15:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 15:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 23:30 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"lxczbmgr.exe"="C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe" [2007-02-08 15:52 74672]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-02-08 15:56 295856]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-17 11:13 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-12-11 13:10 267048]
"Remote Support Listener"="C:\Program Files\Remote Support System\Listener.exe" [2007-03-07 00:23 294912]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-29 09:31 219136]

C:\Documents and Settings\Guest\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-16 15:00:00 147456]

C:\Documents and Settings\Josh\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2007-08-16 15:00:00 147456]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxblpswx.exe"=
"D:\\StubInstaller.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\lxczcoms.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\Josh\\My Documents\\utorrent.exe"=
"C:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

R2 lxcz_device;lxcz_device;C:\WINDOWS\system32\lxczcoms.exe [2007-02-08 15:50]
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\OVSound2.sys [2001-08-17 14:05]
S3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2004-08-04 05:00]
S3 QCEmerald;Logitech QuickCam Web;C:\WINDOWS\system32\DRIVERS\OVCE.sys [2001-08-17 14:05]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-10 00:28:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 11:20:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Lexmark 1200 Series\LXCZbmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SoftwareDistribution\Download\32e99364da67a7850c38a7a4e067a1ed\update\update.exe
.
**************************************************************************
.
Completion time: 2008-05-20 11:24:54 - machine was rebooted [Michel]
ComboFix-quarantined-files.txt 2008-05-20 18:24:45
ComboFix2.txt 2008-05-09 16:52:01

Pre-Run: 21,118,771,200 bytes free
Post-Run: 21,153,161,216 bytes free

181 --- E O F --- 2008-05-20 17:00:00

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 May 2008 - 09:07 AM

Your log looks good to me!

Just a few last things and you should be good to go! :)


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.

How to install and use the Windows XP Recovery Console



===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"



==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and re-enable system restore here:

    Windows XP System Restore Guide

    Re-enable system restore with instructions from the tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with the program on a regular basis, in conjunction with Spybot, just as you would with an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

:thumbsup: :thumbsup:
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
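The Internet Explorer "Custom Level" steps in the post above correspond to per-user registry values under the Internet zone key (zone 3). The following PowerShell script is an added example, not code from the thread or from BleepingComputer: it reads those six settings, reports whether each one already matches what the post recommends, and can apply the recommended values. The value names (1001, 1004, 1201, 1800, 1804, 1607) and the data encoding (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented URL-action settings; the function name `Test-InternetZoneHardening`, the `-Fix` switch and the report layout are my own choices.

```powershell
# Added example: audit (and optionally apply) the Internet-zone hardening steps from the post.
# Zone 3 under Internet Settings\Zones is the "Internet" zone. These values are per user,
# so run this as the user whose browser profile you are checking.
$zonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Microsoft's URL-action value names mapped to the settings the post lists, with the
# recommended data: 1 = Prompt, 3 = Disable (0 would be Enable).
$recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Target = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Target = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Target = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Target = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Target = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Target = 1 }  # Prompt
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Test-InternetZoneHardening {
    # Without -Fix the function only reports; with -Fix it writes the recommended values.
    param([switch]$Fix)

    foreach ($id in $recommended.Keys) {
        # A missing value means IE is using the zone default for that action.
        $current = (Get-ItemProperty -Path $zonePath -Name $id -ErrorAction SilentlyContinue).$id
        $target  = $recommended[$id].Target
        $ok      = ($null -ne $current) -and ([int]$current -eq $target)

        if (-not $ok -and $Fix) {
            # Set-ItemProperty creates the value if it does not exist; IE stores these as REG_DWORD.
            Set-ItemProperty -Path $zonePath -Name $id -Value $target -Type DWord
        }

        # Translate raw data back to the wording shown in the Custom Level dialog.
        $currentLabel = if ($null -eq $current) { '(missing: zone default)' }
                        elseif ($label.ContainsKey([int]$current)) { $label[[int]$current] }
                        else { "raw value $current" }

        [pscustomobject]@{
            Value       = $id
            Setting     = $recommended[$id].Name
            Current     = $currentLabel
            Recommended = $label[$target]
            Compliant   = $ok
        }
    }
}

# Report only:
Test-InternetZoneHardening | Sort-Object Value | Format-Table -AutoSize
# Apply the post's recommended values, then re-check:
# Test-InternetZoneHardening -Fix | Sort-Object Value | Format-Table -AutoSize
```

Run it once to see which settings differ, then with `-Fix` if you want the script to apply the values instead of clicking through the dialog; a non-compliant row after `-Fix` usually means a policy under HKLM is overriding the per-user zone settings.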

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender: Male
  • Location: Pickerington, Ohio
  • Local time: 06:12 PM

Posted 14 June 2008 - 11:32 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.


========================================================