
Oh I think this is a BIG one. Please help!


  • This topic is locked
2 replies to this topic

#1 papo08

  • Members
  • 1 posts

Posted 27 October 2008 - 02:06 PM

OK, the other boards have told me they don't know what to do so....



XP Pro. AVG/AVAST/SPYBOT/MALWAREBYTES

C drive missing (found via Explore).

CD drive not visible, nor working.

Start menu mostly missing, resets if I put stuff in there.

If I try to adjust (in Tools) the folder option to show hidden files and folders, it flashes rapidly after I click Apply and does not take my request.

C:\ doesn't have most of my files anymore. They are now in C:\c.

If I try to access C, C:\c, or Program Files, it keeps flashing back and forth to "this section contains files and folders that you should not access, etc etc blah blah" in order to keep me out of it.

C:\c has 30+ notepads full of reg edits and such. They are saved as Notepad only.

Cannot system restore. The calendar is gone, no options to choose from. Plus I believe the restore that is coming up, is one made by the virus.

HKEY_LOCAL has been messed with for sure as I lost my software permissions, but I was able to reset those so I could use Malwarebytes and Spybot.

None of the above listed virus/malware scanners have picked up ANYTHING!


I'm trying to show a screenshot of C:\c but of course, it's blocked me from doing a print screen. It's also hidden my Notepad. And everything else useful. UGH!



In my newly acquired C:\c, where all those text files are, is a ton of notepads called "concerto ensamble pro", and the other notepads I talked about are all named KB986743 or similar. There are also hidden files: uninstallers for all of those KB files! This happened after I reconnected my LAN for a minute. I'm sure I helped the replication along quite a bit when I did that, but it did uncover some lil secrets that I didn't see before as the scripting was going to work.



AVG, Avast, Malwarebytes, Spybot... none of them are picking up anything. I have ComboFix and HijackThis logs if you would like to see.


ComboFix 08-10-24.02 - Papo 10/24/2008 17:40:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1494 [GMT -5:00]
Running from: C:\Documents and Settings\Papo.PAPO-PC.017\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((( Files Created from 2008-09-24 to 2008-10-24 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-24 22:34 --------- d-----w C:\Documents and Settings\All Users.C\Application Data\ParentalControl
2008-10-24 07:15 --------- d-----w C:\Program Files\lx_cats
2008-10-24 04:59 --------- d-----w C:\Documents and Settings\Papo.PAPO-PC.017\Application Data\ParentalControl
2008-10-24 04:59 --------- d-----w C:\Documents and Settings\Papo.PAPO-PC.017\Application Data\FaxCtr
2008-10-24 04:43 97,928 ----a-w C:\C\system32\drivers\avgldx86.sys
2008-10-24 04:43 10,520 ----a-w C:\C\system32\avgrsstx.dll
2008-10-24 04:43 --------- d-----w C:\Documents and Settings\All Users.C\Application Data\avg8
2008-10-24 04:27 --------- d-----w C:\Program Files\Trend Micro
2008-10-24 04:08 --------- d-----w C:\Documents and Settings\All Users.C\Application Data\Microsoft Help
2008-10-24 03:09 --------- d-----w C:\Documents and Settings\All Users.C\Application Data\Spybot - Search & Destroy
2008-10-24 02:44 --------- d-----w C:\Documents and Settings\Papo.PAPO-PC.017\Application Data\Malwarebytes
2008-10-24 02:43 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-10-24 02:43 --------- d-----w C:\Documents and Settings\All Users.C\Application Data\Malwarebytes
2008-10-24 02:16 599 ----a-w C:\1.reg
2008-10-24 01:03 --------- d-----w C:\Documents and Settings\Papo.PAPO-PC.017\Application Data\Apple Computer
2008-10-24 01:03 --------- d-----w C:\Documents and Settings\All Users.C\Application Data\Apple Computer
2008-10-22 21:10 38,496 ----a-w C:\C\system32\drivers\mbamswissarmy.sys
2008-10-22 21:10 15,504 ----a-w C:\C\system32\drivers\mbam.sys
2008-10-22 17:39 --------- d-----w C:\Documents and Settings\mike\Application Data\Apple Computer
2008-10-22 17:27 --------- d-----w C:\Documents and Settings\mike\Application Data\ParentalControl
2008-10-22 17:27 --------- d-----w C:\Documents and Settings\mike\Application Data\FaxCtr
2008-10-21 12:24 --------- d-----w C:\Documents and Settings\Test\Application Data\ParentalControl
2008-10-21 12:24 --------- d-----w C:\Documents and Settings\Test\Application Data\FaxCtr
2008-10-21 06:21 8,092 ----a-w C:\C\system32\pitvm4.sys
2008-10-21 06:21 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-21 06:21 --------- d-----w C:\Documents and Settings\Test\Application Data\Symantec
2008-10-21 06:21 --------- d-----w C:\Documents and Settings\mike\Application Data\Symantec
2008-10-21 06:20 --------- d-----w C:\Documents and Settings\All Users.C\Application Data\Symantec
2008-10-21 05:32 --------- d-----w C:\Program Files\AVG
2008-10-21 05:31 --------- d-----w C:\Program Files\Grisoft(2)
2008-10-21 05:29 --------- d-----w C:\Program Files\Grisoft(3)
2008-10-21 05:19 --------- d-----w C:\Program Files\Common Files\Panda Software
2008-10-21 00:35 --------- d-----w C:\Program Files\Panda Security
2008-10-20 22:57 12,187,343 ----a-w C:\avg7qt(3).dat
2008-10-20 12:29 12,187,343 ----a-w C:\avg7qt(2).dat
2008-10-20 12:05 241,664 ----a-w C:\C\system32\config\systemprofile\NTUSER(3).DAT
2008-10-20 12:05 --------- d-----w C:\Program Files\Symantec
2008-10-20 02:14 241,664 ----a-w C:\C\system32\config\systemprofile\NTUSER(2).DAT
2008-10-16 12:15 1,832 ----a-w C:\C\pchealth\helpctr\Config\incstore.bin
2008-10-14 11:45 --------- d-----w C:\Program Files\Audacity
2008-10-11 18:40 --------- d-----w C:\Program Files\QuickTime
2008-10-11 18:40 --------- d-----w C:\Program Files\iTunes
2008-10-11 18:40 --------- d-----w C:\Program Files\iPod
2008-10-11 18:40 --------- d-----w C:\Program Files\Bonjour
2008-10-11 18:39 --------- d-----w C:\Program Files\Common Files\Apple
2008-10-11 18:39 --------- d-----w C:\Program Files\Apple Software Update
2008-10-11 18:31 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2008-10-11 18:21 --------- d-----w C:\Program Files\LimeWire
2008-10-11 14:50 --------- d-----w C:\Program Files\Citrix
2008-10-11 00:38 --------- d-----w C:\Program Files\Parental Control
2008-10-08 12:01 --------- d-----w C:\Program Files\Audio Recorder for Free
2008-10-01 18:01 32,000 ----a-w C:\C\system32\drivers\usbaapl.sys
2008-09-29 05:30 --------- d-----w C:\Program Files\Lexmark Fax Solutions
2008-09-26 09:20 --------- d-----w C:\Program Files\BitTorrent
2008-09-24 20:59 --------- d-----w C:\Program Files\OpenOffice.org 2.4
2008-09-24 20:59 --------- d-----w C:\Program Files\Java
2008-09-18 00:44 --------- d-----w C:\Program Files\Lexmark 3400 Series
2008-09-13 05:40 --------- d-----w C:\Program Files\UltraISO
2008-09-13 05:40 --------- d-----w C:\Program Files\Common Files\EZB Systems
2008-09-11 17:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-03 20:49 --------- d-----w C:\Program Files\AIM6
2008-09-03 20:49 --------- d-----w C:\Program Files\AIM Search
2008-09-03 20:48 --------- d-----w C:\Program Files\Viewpoint
2008-09-03 01:35 73,216 ----a-w C:\C\ST6UNST.EXE
2008-09-03 01:35 249,856 ------w C:\C\Setup1.exe
2008-09-02 17:09 --------- d-----w C:\Program Files\Cisco Systems
2008-09-02 14:57 36,944 ----a-w C:\C\system32\stcevent.dll
2008-09-02 12:02 --------- d-----w C:\Program Files\NOS
2008-09-02 11:00 --------- d-----w C:\Program Files\NetWaiting
2008-09-02 10:37 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-09-02 10:36 --------- d-----w C:\Program Files\Common Files\Adobe
2008-09-02 10:26 5 ----a-w C:\C\system32\drivers\DELL_INS_530.MRK
2008-09-02 10:26 5 ----a-w C:\C\system32\drivers\1028_DELL_INS_530.MRK
2008-09-02 10:10 315,392 ----a-w C:\C\HideWin.exe
2008-09-02 10:10 --------- d-----w C:\Program Files\Realtek
2008-09-02 10:07 --------- d-----w C:\Program Files\Intel
2008-09-02 10:05 --------- d-----w C:\Program Files\Dell
2008-09-02 09:37 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-02 07:30 --------- d-----w C:\Program Files\DNA
2008-08-31 08:05 --------- d-----w C:\Program Files\curl-7.18.2
2008-08-31 07:14 --------- d-----w C:\Program Files\Netflix
2008-08-30 15:56 --------- d-----w C:\Program Files\DVDVideoSoft
2008-08-30 15:38 --------- d-----w C:\Program Files\Safari
2008-08-29 15:18 87,336 ----a-w C:\C\system32\dns-sd.exe
2008-08-29 14:53 61,440 ----a-w C:\C\system32\dnssd.dll
2008-08-20 05:38 659,456 ----a-w C:\C\system32\SET6.tmp
2008-08-20 05:38 615,936 ----a-w C:\C\system32\SET7.tmp
2008-08-20 05:38 474,112 ----a-w C:\C\system32\SET8.tmp
2008-08-20 05:38 449,024 ----a-w C:\C\system32\SETD.tmp
2008-08-20 05:38 39,424 ----a-w C:\C\system32\SETA.tmp
2008-08-20 05:38 357,888 ----a-w C:\C\system32\SET13.tmp
2008-08-20 05:38 3,060,224 ----a-w C:\C\system32\SETE.tmp
2008-08-20 05:38 251,392 ----a-w C:\C\system32\SET11.tmp
2008-08-20 05:38 205,312 ----a-w C:\C\system32\SET12.tmp
2008-08-20 05:38 1,494,528 ----a-w C:\C\system32\SET9.tmp
2008-08-20 05:38 1,023,488 ----a-w C:\C\system32\SET16.tmp
2008-08-19 09:20 351,744 ------w C:\C\system32\SET18.tmp
2008-07-10 08:18 174 --sh--w C:\Program Files\desktop.ini
2008-09-26 18:08 13,824 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcdec.dll
2008-09-26 18:08 94,208 ----a-w C:\Program Files\mozilla firefox\plugins\atgpcext.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\C\system32\ctfmon.exe" [08/04/2004 07:00 AM 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [06/12/2008 02:38 AM 34672]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [06/25/2007 10:34 AM 291504]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [06/25/2007 10:34 AM 82608]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [11/29/2006 12:57 PM 295856]
"LXCYCATS"="C:\C\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [11/21/2006 01:27 PM 106496]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [06/10/2008 04:27 AM 144784]
"ParentalControl"="C:\Program Files\Parental Control\ParentalControl.exe" [04/01/2008 12:02 AM 6096384]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/06/2008 03:09 PM 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/01/2008 06:57 PM 289576]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [10/23/2008 11:43 PM 1234712]
"RTHDCPL"="RTHDCPL.EXE" [04/26/2007 02:27 PM 16132608 C:\C\RTHDCPL.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\C\system32\ctfmon.exe" [08/04/2004 07:00 AM 15360]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]
"DisableClock"= 0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoMultiIE"= 0 (0x0)
"LWA"= 0 (0x0)
"LWB"= 0 (0x0)
"LWC"= 0 (0x0)
"LWD"= 0 (0x0)
"LWE"= 0 (0x0)
"LWF"= 0 (0x0)
"LWG"= 0 (0x0)
"LWH"= 0 (0x0)
"LWI"= 0 (0x0)
"LWJ"= 0 (0x0)
"LWK"= 0 (0x0)
"LWL"= 0 (0x0)
"LWM"= 0 (0x0)
"LWN"= 0 (0x0)
"LWO"= 0 (0x0)
"LWP"= 0 (0x0)
"LWQ"= 0 (0x0)
"LWR"= 0 (0x0)
"LWS"= 0 (0x0)
"LWT"= 0 (0x0)
"LWU"= 0 (0x0)
"LWV"= 0 (0x0)
"LWW"= 0 (0x0)
"LWX"= 0 (0x0)
"LWY"= 0 (0x0)
"LWZ"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
09/05/2006 12:02 PM 8704 C:\C\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\C\\system32\\dpvsetup.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\C\\system32\\lxcycoms.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Parental Control\\ParentalControl.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7000:TCP"= 7000:TCPlum
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\C\system32\Drivers\avgldx86.sys [10/23/2008 11:43 PM 97928]
R1 cp_drv;Crawler Parental Control Driver;C:\Documents and Settings\All Users.C\Application Data\ParentalControl\cp_drv.sys [10/24/2008 05:34 PM 13952]
R1 cp_tdifw_drv;cp_tdifw_drv;C:\Documents and Settings\All Users.C\Application Data\ParentalControl\cp_tdifw_drv.sys [10/24/2008 05:34 PM 26240]
R2 lxcy_device;lxcy_device;C:\C\system32\lxcycoms.exe [06/20/2007 06:28 AM 537264]
R2 Viewpoint Manager Service;Viewpoint Manager Service;C:\Program Files\Viewpoint\Common\ViewpointService.exe [01/04/2007 04:38 PM 24652]
S2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [10/23/2008 11:43 PM 231704]
S3 CSVirtA;Cisco Systems SSL VPN Adapter;C:\C\system32\DRIVERS\CSVirtA.sys [ ]
S3 vpnva;Cisco AnyConnect VPN Virtual Miniport Adapter for Windows;C:\C\system32\DRIVERS\vpnva.sys [ ]
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
2008-10-22 C:\C\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [07/30/2008 12:34 PM]
.
.
------- Supplementary Scan -------
.
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-24 17:41:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCYCATS = rundll32 C:\C\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16?????????? ??????????????????????????????????????????????????????????????????????????? ??????????????????????????????????????????????????????????????????????????? ?????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 10/24/2008 17:42:50
ComboFix-quarantined-files.txt 2008-10-24 22:42:02
Pre-Run: 89,486,893,056 bytes free
Post-Run: 89,581,199,360 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\C
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(3)\C="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
278 --- E O F --- 2008-09-14 21:18:22

hijack...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:48:04 PM, on 10/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\C\System32\smss.exe
C:\C\system32\winlogon.exe
C:\C\system32\services.exe
C:\C\system32\lsass.exe
C:\C\system32\svchost.exe
C:\C\System32\svchost.exe
C:\C\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\C\system32\lxcycoms.exe
C:\C\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\C\System32\svchost.exe
C:\C\RTHDCPL.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\C\system32\ctfmon.exe
C:\C\system32\wscntfy.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\C\system32\wuauclt.exe
C:\C\explorer.exe
C:\C\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - I:\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Search Enhancement - {54EB34EA-E6BE-4CFD-9F4F-C4A0C2EAFA22} - C:\Program Files\AIM Search\AOLSearch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\C\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [ParentalControl] C:\Program Files\Parental Control\ParentalControl.exe /SERVICE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\C\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\C\system32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\C\system32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default...ts/g2mdlax.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Symantec pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxcy_device - - C:\C\system32\lxcycoms.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
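As an added example (not part of the original post, and not a BleepingComputer or ComboFix tool), here is a small Python triage script for the two parts of the ComboFix log above that a responder would read first: the Windows Firewall policy block (EnableFirewall, authorized applications, globally open ports) and the boot.ini dump. The embedded excerpt is trimmed from the log in this post, with the port list shortened to six entries; the function names and finding wording are mine.

```python
import re

# Trimmed excerpt of the ComboFix log pasted above (port list shortened to six
# entries, other sections dropped). Constructed for this example.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\C\\system32\\dpvsetup.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7000:TCP"= 7000:TCPlum
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\C\system32\Drivers\avgldx86.sys [10/23/2008 11:43 PM 97928]
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(3)\C
[operating systems]
multi(0)disk(0)rdisk(0)partition(3)\C="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")           # [registry key] or [boot.ini section]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')  # "Name"= value  (ComboFix REGEDIT4 style)
PORT_RE = re.compile(r"^(\d+):(TCP|UDP)$")       # value names in GloballyOpenPorts\List
ARC_RE = re.compile(r"^default=(.+)$")           # default ARC path in [boot loader]


def parse_log(text):
    """Pull the firewall policy and boot.ini facts out of a ComboFix log."""
    info = {
        "enable_firewall": None,   # None means the key was not present in the log
        "authorized_apps": [],     # exception-list executables, backslashes unescaped
        "open_ports": [],          # (port, protocol) pairs open to all remote hosts
        "system_root": None,       # last element of the default ARC path, e.g. "WINDOWS"
    }
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = ARC_RE.match(line)
        if m and section == "boot loader":
            info["system_root"] = m.group(1).rsplit("\\", 1)[-1]
            continue
        if "firewallpolicy\\standardprofile" not in section:
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if section.endswith("\\standardprofile") and name.lower() == "enablefirewall":
            info["enable_firewall"] = value.split()[0] != "0"
        elif section.endswith("\\authorizedapplications\\list"):
            info["authorized_apps"].append(name.replace("\\\\", "\\"))
        elif section.endswith("\\globallyopenports\\list"):
            pm = PORT_RE.match(name)
            if pm:
                info["open_ports"].append((int(pm.group(1)), pm.group(2)))
    return info


def contiguous_runs(ports):
    """Group integers into (lo, hi) runs of consecutive values."""
    runs = []
    for p in sorted(set(ports)):
        if runs and p == runs[-1][1] + 1:
            runs[-1][1] = p
        else:
            runs.append([p, p])
    return [tuple(r) for r in runs]


def triage(text):
    """Return the findings a responder would want to check before anything else."""
    info = parse_log(text)
    findings = []
    if info["enable_firewall"] is False:
        findings.append("Windows Firewall is disabled in the standard profile (EnableFirewall=0)")
    tcp_ports = [p for p, proto in info["open_ports"] if proto == "TCP"]
    if 135 in tcp_ports:
        findings.append("TCP/135 (RPC endpoint mapper) is open to all remote hosts")
    for lo, hi in contiguous_runs(tcp_ports):
        if hi - lo + 1 >= 3:   # a block of consecutive rules is rarely added by hand
            findings.append(f"contiguous block of globally open TCP ports {lo}-{hi} ({hi - lo + 1} rules)")
    root = info["system_root"]
    if root and root.upper() != "WINDOWS":
        findings.append(f"boot.ini boots from \\{root} rather than \\WINDOWS, "
                        f"consistent with every system32 path in the log sitting under C:\\{root}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print("-", finding)
```

The boot.ini check is the one worth remembering from this log: the default ARC path names the system directory, so when every running process in the HijackThis section lives under C:\C, that is where Windows was installed, and the script reports it as a fact to reconcile rather than as malware.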


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 12 November 2008 - 03:23 PM

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you with your log.

I apologize for the delay in response. We get overwhelmed with logs at times, but we are trying our best to keep up. If you have since resolved the original problem you were having, we would appreciate you letting us know. If you still need help, post a new HijackThis log.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
Run Scan with Kaspersky
Please do a scan with Kaspersky Online Scanner. If for some reason you cannot complete this scan, skip it.

This scan is for Internet Explorer Only.

If you are using Windows Vista, open your browser by right-clicking on its icon and select Run as administrator to perform this scan.

  • Please disable your realtime protection software before proceeding. Refer to this page if you are unsure how.
  • Open the Kaspersky Scanner page.
  • Click on Accept and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

This scanner will only scan. It does not remove any malware it finds.

Save Uninstall List with HijackThis
  • Double click the HijackThis icon on your desktop.
  • If you see a white screen, click Main Menu at the middle bottom of the window, otherwise move onto the next step.
  • Click Open the Misc Tools section.
  • Under System tools, select Uninstall Manager....
  • Near the bottom right, click Save list... and save uninstall_list.txt onto your desktop.
  • Close out of HijackThis.
  • Post back with uninstall_list.txt.


Post back with:
-the Kaspersky log
-the uninstall list
-a new HijackThis log

Please also tell me of any changes you have made to your computer since your topic was started.

If you do not make a reply in 5 days, we will need to close your topic.

With Regards,
The Panda

Important Note to Other Users Reading this Topic: The instructions provided in this topic below this point are for the original topic starter only. Even if you have similar problems or log entries to those given here, please do not follow the directions, especially those involving specific tools and scripts. Doing so can result in serious damage to your computer. Instead, please start your own topic. Feel free to link to any relevant topics as needed.

#3 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 17 November 2008 - 12:02 PM

Hello.

There had been no reply from the topic starter in 5 days. Due to inactivity, this topic is now closed.
If you are the topic starter and need this topic reopened, send me a message.

Everyone else, please begin a new topic.

With Regards,
The Panda



