Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antivirus 2009 Taken Over!


  • Please log in to reply
7 replies to this topic

#1 lgrichar

lgrichar

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 08 August 2008 - 06:16 PM

As I understand it (too late, unfortunately), this supposed antivirus is rogueware, and has been wreaking havoc with my laptop ever since I stupidly let it install on my computer. I've tried getting rid of it everyway I know how, and ran through several malware removal tools suggested by other forums. Nothing has worked. So now I'm trying this hijackthis tool, but I have no clue how to work with the resulting log, and if I'm correct, just deleting the list is a really bad idea. I'm pretty much computer illiterate, so I'm hoping you experts can help me out. The log that came out goes like this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:26 AM, on 8/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Privacy Mantra 2.04\privacymantra.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
O2 - BHO: (no name) - {007C0568-5EEB-45A1-BE86-10AA7BEAB6BB} - C:\WINDOWS\system32\khfEutQk.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {E4F18CDB-7ACE-4810-B642-A3965D51767D} - C:\WINDOWS\system32\tuvUKEuT.dll
O2 - BHO: {9c4b1ea7-e361-29d9-ba44-698855020e7e} - {e7e02055-8896-44ab-9d92-163e7ae1b4c9} - C:\WINDOWS\system32\khvaju.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [f0a42d15] rundll32.exe "C:\WINDOWS\system32\brwnyhgl.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMf3971e89] Rundll32.exe "C:\WINDOWS\system32\leuenxtn.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [22624118042460028130304252059233] C:\Program Files\AV9\av2009.exe
O4 - HKCU\..\Run: [com.codeode.privacymantra] "C:\Program Files\Privacy Mantra 2.04\privacymantra.exe" -minimized
O4 - HKCU\..\Policies\Explorer\Run: [{F0A42DBA-03E7-1033-0713-050927200001}] "C:\Program Files\Common Files\{F0A42DBA-03E7-1033-0713-050927200001}\Update.exe" mc-110-12-0001032
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.lib.ucalgar...s/ebraryRdr.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114643208015
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khfEutQk - khfEutQk.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 7391 bytes



Please, what am I supposed to do with this, where do I go from here??

Thanks sooooooo much

BC AdBot (Login to Remove)

 


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:02 PM

Posted 08 August 2008 - 06:52 PM

Hello lgrichar

Welcome to BleepingComputer :thumbsup:
========================
Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#3 lgrichar

lgrichar
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 09 August 2008 - 02:37 PM

Hi again,

I downloaded the scanner you suggested and ran it in normal mode (I'm currently using safe mode to use the internet because my laptop keeps freezing any other way). It finished, but always (at least, the three times I tried it) freezes up before the main and extra files you mention become available to save. Can I run this scanner in safe mode, or will that be useless?

Thanks again

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:02 PM

Posted 09 August 2008 - 02:46 PM

Yes run it in Safe Mode please.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#5 lgrichar

lgrichar
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 09 August 2008 - 05:41 PM

Hello again,

This went much faster, but only the main.txt file came up. I tried it twice. So here's the main.txt file, at least:



Deckard's System Scanner v20071014.68
Run by me on 2008-08-09 16:13:39
Computer is in Safe Mode with Networking.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as me.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:13:50 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\me\Desktop\dssscanner.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\me.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
O2 - BHO: (no name) - {007C0568-5EEB-45A1-BE86-10AA7BEAB6BB} - C:\WINDOWS\system32\khfEutQk.dll (file missing)
O2 - BHO: {81e61f5a-8fea-f77a-6374-69b200c55190} - {09155c00-2b96-4736-a77f-aef8a5f16e18} - C:\WINDOWS\system32\cnfpbt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {790614BA-2029-44E1-926A-DE3183CC453A} - C:\WINDOWS\system32\tuvUKEuT.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [f0a42d15] rundll32.exe "C:\WINDOWS\system32\lxgiqnix.dll",b
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [BMf3971e89] Rundll32.exe "C:\WINDOWS\system32\cbjqbmmp.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [22624118042460028130304252059233] C:\Program Files\AV9\av2009.exe
O4 - HKCU\..\Run: [com.codeode.privacymantra] "C:\Program Files\Privacy Mantra 2.04\privacymantra.exe" -minimized
O4 - HKCU\..\Policies\Explorer\Run: [{F0A42DBA-03E7-1033-0713-050927200001}] "C:\Program Files\Common Files\{F0A42DBA-03E7-1033-0713-050927200001}\Update.exe" mc-110-12-0001032
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.lib.ucalgar...s/ebraryRdr.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114643208015
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: khfEutQk - khfEutQk.dll (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 6427 bytes

-- Files created between 2008-07-09 and 2008-08-09 -----------------------------

2008-08-09 16:13:55 90112 --a------ C:\WINDOWS\system32\wfqfdmal.dll
2008-08-09 13:58:09 0 d-------- C:\Documents and Settings\me\Application Data\Malwarebytes
2008-08-09 13:57:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 13:57:37 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 07:16:46 80384 --a------ C:\WINDOWS\system32\lxgiqnix.dll
2008-08-09 07:13:41 2048 --a------ C:\WINDOWS\system32\qaikfcyr.exe
2008-08-09 07:10:54 96768 --a------ C:\WINDOWS\system32\cnfpbt.dll
2008-08-09 07:10:53 96768 --a------ C:\WINDOWS\system32\mpfcuird.dll
2008-08-09 07:10:44 90112 --a------ C:\WINDOWS\system32\cbjqbmmp.dll
2008-08-08 07:14:54 96256 --a------ C:\WINDOWS\system32\kjhayf.dll
2008-08-08 07:14:50 96256 --a------ C:\WINDOWS\system32\dgmdsmhb.dll
2008-08-08 07:14:37 2048 --a------ C:\WINDOWS\system32\bctwaoii.exe
2008-08-08 07:09:37 90624 --a------ C:\WINDOWS\system32\leuenxtn.dll
2008-08-06 17:38:18 0 d-------- C:\Program Files\Trend Micro
2008-08-06 17:30:17 2048 --a------ C:\WINDOWS\system32\cibsduac.exe
2008-08-06 17:27:22 95744 --a------ C:\WINDOWS\system32\khvaju.dll
2008-08-06 17:27:21 95744 --a------ C:\WINDOWS\system32\grexnnie.dll
2008-08-06 17:25:13 80896 --a------ C:\WINDOWS\system32\brwnyhgl.dll
2008-08-05 07:50:51 0 d-------- C:\WINDOWS\BDOSCAN8
2008-08-05 07:40:46 81408 --a------ C:\WINDOWS\system32\ldnkeqmm.dll
2008-08-05 07:37:46 2048 --a------ C:\WINDOWS\system32\qfsbgwqe.exe
2008-08-05 07:34:48 96768 --a------ C:\WINDOWS\system32\nikmvw.dll
2008-08-05 07:34:46 96768 --a------ C:\WINDOWS\system32\hbgergnr.dll
2008-08-05 07:33:07 0 d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2008-08-05 07:32:32 90112 --a------ C:\WINDOWS\system32\iwdnhqxq.dll
2008-08-05 07:31:32 0 d---s---- C:\Documents and Settings\Administrator\UserData
2008-08-05 07:31:32 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-08-05 07:31:32 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-08-05 07:31:32 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-08-05 07:31:32 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-08-05 07:31:32 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-08-05 07:31:32 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-08-05 07:31:32 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-08-05 07:31:32 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-08-05 07:31:32 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-08-05 07:31:32 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-08-05 07:31:32 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-08-05 07:31:32 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-08-05 07:31:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-05 07:31:32 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-08-05 07:31:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-08-05 07:31:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-08-05 07:31:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2008-08-05 07:31:31 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-08-04 23:36:06 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 23:35:04 0 d-------- C:\Documents and Settings\me\Application Data\PC Tools
2008-08-04 19:22:53 0 d--h----- C:\$AVG8.VAULT$
2008-08-04 18:28:08 0 d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-04 18:27:49 0 d-------- C:\Program Files\AVG
2008-08-04 18:27:47 0 d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-04 15:55:18 0 d-------- C:\Program Files\AV9
2008-08-04 07:26:32 80896 --a------ C:\WINDOWS\system32\yvrorlks.dll
2008-08-04 07:24:05 100864 --a------ C:\WINDOWS\system32\opkibx.dll
2008-08-04 07:24:03 100864 --a------ C:\WINDOWS\system32\yefkikur.dll
2008-08-04 07:23:53 90624 --a------ C:\WINDOWS\system32\sxhorrll.dll
2008-08-03 19:32:45 100864 --a------ C:\WINDOWS\system32\xlxtcuba.dll
2008-08-03 19:32:34 90624 --a------ C:\WINDOWS\system32\tdphgwvn.dll
2008-08-03 19:28:13 537 --ahs---- C:\WINDOWS\system32\TuEKUvut.ini2
2008-08-03 19:27:57 246272 --a------ C:\WINDOWS\system32\tuvUKEuT.dll
2008-08-01 12:01:03 0 d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-07-20 19:21:37 0 d-------- C:\Program Files\BitTorrent


-- Find3M Report ---------------------------------------------------------------

2008-08-04 17:50:24 0 d-------- C:\Program Files\Alwil Software
2008-07-20 21:10:13 0 d-------- C:\Documents and Settings\me\Application Data\Skype
2008-07-20 19:08:31 0 d-------- C:\Documents and Settings\me\Application Data\skypePM
2008-07-19 15:33:52 0 d-------- C:\Program Files\Lx_cats
2008-06-26 18:22:11 0 d-------- C:\Documents and Settings\me\Application Data\AdobeUM
2008-06-26 14:19:55 0 d-------- C:\Program Files\Common Files\LogiShrd
2008-06-26 14:18:51 0 d-------- C:\Program Files\Logitech
2008-06-26 14:18:50 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-26 14:18:31 0 d-------- C:\Documents and Settings\me\Application Data\Leadertech
2008-06-26 14:15:55 0 d-------- C:\Program Files\Common Files
2008-06-25 19:11:12 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-06-25 18:38:48 0 d-------- C:\Program Files\Skype
2008-06-25 18:38:43 0 d-------- C:\Program Files\Common Files\Skype


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{007C0568-5EEB-45A1-BE86-10AA7BEAB6BB}]
C:\WINDOWS\system32\khfEutQk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09155c00-2b96-4736-a77f-aef8a5f16e18}]
08/09/2008 07:10 AM 96768 --a------ C:\WINDOWS\system32\cnfpbt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{790614BA-2029-44E1-926A-DE3183CC453A}]
08/03/2008 07:28 PM 246272 --a------ C:\WINDOWS\system32\tuvUKEuT.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXDDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll" [01/22/2007 04:05 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [03/25/2008 10:27 AM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [02/13/2008 02:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [02/13/2008 02:06 PM]
"f0a42d15"="C:\WINDOWS\system32\lxgiqnix.dll" [08/09/2008 07:16 AM]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [08/04/2008 06:27 PM]
"BMf3971e89"="C:\WINDOWS\system32\wfqfdmal.dll" [08/09/2008 04:13 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 06:00 AM]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [03/30/2006 04:45 PM]
"22624118042460028130304252059233"="C:\Program Files\AV9\av2009.exe" [08/04/2008 03:55 PM]
"com.codeode.privacymantra"="C:\Program Files\Privacy Mantra 2.04\privacymantra.exe" [07/07/2007 08:39 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [6/26/2008 2:19:06 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]
"{F0A42DBA-03E7-1033-0713-050927200001}"="C:\Program Files\Common Files\{F0A42DBA-03E7-1033-0713-050927200001}\Update.exe" mc-110-12-0001032

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{007C0568-5EEB-45A1-BE86-10AA7BEAB6BB}"= C:\WINDOWS\system32\khfEutQk.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfEutQk]
khfEutQk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\tuvUKEuT

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^me^Start Menu^Programs^Startup^U-Now Widget Student.lnk]
path=C:\Documents and Settings\me\Start Menu\Programs\Startup\U-Now Widget Student.lnk
backup=C:\WINDOWS\pss\U-Now Widget Student.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\com.codeode.privacymantra]
"C:\Program Files\Privacy Mantra 2.04\privacymantra.exe" -minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\farstone]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
"C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
"C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Power2GoExpress]
C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7648ee4c-4a00-11dc-adbc-0013d36d405b}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-08-09 16:14:45 ------------



Should I keep trying for the extra.txt file? Thanks

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:02 PM

Posted 09 August 2008 - 06:16 PM

Please visit this web page for instructions for downloading and running Combofix >ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

(Note:If the Recovery Console fails to install then do not proceed rather alert me and post back here we will continue)
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image

#7 lgrichar

lgrichar
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:07:02 PM

Posted 09 August 2008 - 10:04 PM

Hi again,

I've run the combo fix, and since then the laptop has been working as well as before. I think the problem has been solved, but just in case here's the combofix log anyway:

ComboFix 08-08-09.03 - me 2008-08-09 19:47:39.1 - NTFSx86
Running from: C:\Documents and Settings\me\Desktop\ComboFix.exe


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\me\Application Data\macromedia\Flash Player\#SharedObjects\8RVDJ2ZK\interclick.com
C:\Documents and Settings\me\Application Data\macromedia\Flash Player\#SharedObjects\8RVDJ2ZK\interclick.com\ud.sol
C:\Documents and Settings\me\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\me\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Program Files\Common Files\{F0A42~1
C:\WINDOWS\system32\TuEKUvut.ini
C:\WINDOWS\system32\TuEKUvut.ini2
C:\WINDOWS\system32\tuvUKEuT.dll
C:\WINDOWS\system32\uqbrlcpw.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-07-10 to 2008-08-10 )))))))))))))))))))))))))))))))
.

2008-08-09 13:58 . 2008-08-09 13:58 <DIR> d-------- C:\Documents and Settings\me\Application Data\Malwarebytes
2008-08-09 13:57 . 2008-08-09 13:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-09 13:57 . 2008-08-09 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-09 13:57 . 2008-07-30 20:14 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-09 13:57 . 2008-07-30 20:14 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-09 10:27 . 2008-08-09 10:27 <DIR> d-------- C:\Deckard
2008-08-06 17:38 . 2008-08-06 17:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-05 07:50 . 2008-08-05 19:56 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-05 07:31 . 2005-04-27 17:06 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-08-05 07:31 . 2005-04-27 15:04 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-08-05 07:31 . 2005-04-29 17:11 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CyberLink
2008-08-05 07:31 . 2008-08-05 07:31 <DIR> d-------- C:\Documents and Settings\Administrator
2008-08-04 23:36 . 2008-08-05 17:02 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-04 23:35 . 2008-08-04 23:35 <DIR> d-------- C:\Documents and Settings\me\Application Data\PC Tools
2008-08-04 19:22 . 2008-08-04 23:22 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-04 18:28 . 2008-08-09 10:37 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-08-04 18:28 . 2008-08-04 18:28 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-08-04 18:28 . 2008-08-04 18:28 76,040 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-08-04 18:28 . 2008-08-04 18:28 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-08-04 18:27 . 2008-08-04 18:27 <DIR> d-------- C:\Program Files\AVG
2008-08-04 18:27 . 2008-08-04 18:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-08-01 12:01 . 2008-08-01 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-07-20 19:21 . 2008-08-09 09:38 <DIR> d-------- C:\Program Files\BitTorrent

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 05:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logishrd
2008-08-04 23:50 0 ----a-w C:\WINDOWS\system32\drivers\lvuvc.hs
2008-08-04 23:50 0 ----a-w C:\WINDOWS\system32\drivers\logiflt.iad
2008-08-04 23:50 --------- d-----w C:\Program Files\Alwil Software
2008-07-21 03:10 --------- d-----w C:\Documents and Settings\me\Application Data\Skype
2008-07-21 01:08 --------- d-----w C:\Documents and Settings\me\Application Data\skypePM
2008-07-19 21:33 --------- d-----w C:\Program Files\Lx_cats
2008-06-27 00:22 --------- d-----w C:\Documents and Settings\me\Application Data\AdobeUM
2008-06-26 20:19 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-06-26 20:18 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2008-06-26 20:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-26 20:18 --------- d-----w C:\Program Files\Logitech
2008-06-26 20:18 --------- d-----w C:\Documents and Settings\me\Application Data\Leadertech
2008-06-26 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-06-26 00:38 --------- d-----w C:\Program Files\Skype
2008-06-26 00:38 --------- d-----w C:\Program Files\Common Files\Skype
2008-06-26 00:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2001-10-12 21:37 36,970 -c--a-w C:\Program Files\TCP Protocol.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"com.codeode.privacymantra"="C:\Program Files\Privacy Mantra 2.04\privacymantra.exe" [2007-07-07 08:39 917504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXDDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll" [2007-01-22 16:05 102400]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-25 10:27 385024]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-02-13 14:02 564496]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2008-02-13 14:06 2196240]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-04 18:27 1232152]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 06:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2008-06-26 14:19:06 66864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.iv41"= ir41_32.dll
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^me^Start Menu^Programs^Startup^U-Now Widget Student.lnk]
path=C:\Documents and Settings\me\Start Menu\Programs\Startup\U-Now Widget Student.lnk
backup=C:\WINDOWS\pss\U-Now Widget Student.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\com.codeode.privacymantra]
--a------ 2007-07-07 08:39 917504 C:\Program Files\Privacy Mantra 2.04\privacymantra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 06:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra--c--- 2004-07-13 08:07 118784 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra--c--- 2004-07-13 08:09 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
--a------ 2007-02-05 17:32 20480 C:\Program Files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
--a--c--- 2007-02-12 17:58 291760 C:\Program Files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a--c--- 2004-07-15 02:07 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra--c--- 2005-10-26 17:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2007-07-12 05:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 16:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSERIAL]
-ra--c--- 2004-11-10 00:08 540672 C:\WINDOWS\sm56hlpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--a--c--- 2005-03-24 07:20 77824 C:\WINDOWS\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\lxddcoms.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=
"C:\\Program Files\\Lexmark 2500 Series\\app4r.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23418:TCP"= 23418:TCP:*:Disabled:BitComet 23418 TCP
"23418:UDP"= 23418:UDP:*:Disabled:BitComet 23418 UDP

R0 O2MDRDR;O2MDRDR;C:\WINDOWS\system32\DRIVERS\o2media.sys [2005-03-15 16:47]
R0 O2SDRDR;O2SDRDR;C:\WINDOWS\system32\DRIVERS\o2sd.sys [2005-03-15 16:47]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-08-04 18:28]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-04 18:27]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-04 18:27]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-08-04 18:28]
R2 lxdd_device;lxdd_device;C:\WINDOWS\system32\lxddcoms.exe [2007-02-12 17:59]
R2 Machnm32;Machnm32 Driver;C:\WINDOWS\system32\Machnm32.sys [2003-08-13 01:27]
S2 IcRecUsb;IC Recorder Driver;C:\WINDOWS\system32\Drivers\IcRecUsb.sys [2001-10-02 07:37]
S3 Ktp;Elantech Touchpad;C:\WINDOWS\system32\DRIVERS\Ktp.sys [2005-01-23 13:18]
S3 PhnxVcd;PhnxVcd;C:\WINDOWS\system32\Drivers\PhnxVcd.sys [2004-10-12 16:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7648ee4c-4a00-11dc-adbc-0013d36d405b}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Explorer_Run-{F0A42DBA-03E7-1033-0713-050927200001} - C:\Program Files\Common Files\{F0A42DBA-03E7-1033-0713-050927200001}\Update.exe
Notify-khfEutQk - khfEutQk.dll
MSConfigStartUp-avast! - C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
MSConfigStartUp-FaxCenterServer - C:\Program Files\Lexmark Fax Solutions\fm3032.exe
MSConfigStartUp-Power2GoExpress - C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.ca/
R1 -: HKCU-Internet Connection Wizard,ShellNext = hxxp://www.averatec.com/
O8 -: Download ALL with IDA
O8 -: Download with IDA
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O18 -: Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

O16 -: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://downloads.ewido.net/ewidoOnlineScan.cab
C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-09 20:55:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\o2flash.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
.
**************************************************************************
.
Completion time: 2008-08-09 20:59:06 - machine was rebooted [me]
ComboFix-quarantined-files.txt 2008-08-10 02:59:00

Pre-Run: 36,227,174,400 bytes free
Post-Run: 36,275,625,984 bytes free

200 --- E O F --- 2008-07-25 23:07:18




And here's the hijackthis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:04:10 PM, on 8/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\lxddcoms.exe
C:\WINDOWS\system32\o2flash.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.averatec.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [LXDDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXDDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [com.codeode.privacymantra] "C:\Program Files\Privacy Mantra 2.04\privacymantra.exe" -minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com.ezproxy.lib.ucalgar...s/ebraryRdr.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1114643208015
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: lxdd_device - - C:\WINDOWS\system32\lxddcoms.exe
O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

--
End of file - 6498 bytes



As I said, I think the problem has been solved, so unless there appears to be something wrong in these files, don't worry about replying. Thank you so much for your help, I would never have been able to do this myself....

#8 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:10:02 PM

Posted 10 August 2008 - 06:01 AM

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 7 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager..
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
======================
Use a Firewall:

Install and use a firewall with outbound protection
While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers
I therefore strongly recommend that you install one of the following free firewalls: Comodo Firewall or Zonealarm
See Bleepingcomputer's excellent tutorial to help using and understanding a firewall here
Note: You should only have one firewall installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as seriously impairing the performance of your PC.
=============================
Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image
Also delete\uninstall anything that we used that is left over.
==========================================
After that your log is clean. :thumbsup:

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users