
Cryptor & .TDSS headache!


  • This topic is locked
13 replies to this topic

#1 RiXX1_7777

RiXX1_7777

  • Members
  • 12 posts

Posted 27 July 2009 - 10:35 AM

Hello,

Yesterday AVG identified 82 infections on my computer all classed as the Cryptor virus in .exe files. This coincided with a problem occurring with Google whereby links were redirected to other sites not related to the search. From the forums it seems this virus is endemic.

After reading through more forum posts on the subject I downloaded MalwareBytes and scanned with that. It identified two infections from a .TDSS trojan which it tried to remove after a required reboot, but they remained on subsequent scans.

I have tried altering the name of the folder and .exe file that Malwarebytes uses upon installing, but to no avail. I have also tried running scans in safe mode, again with no luck.

I have disconnected the computer and changed my passwords, and am using a separate laptop. Below are the logs from DDS, Malwarebytes and AVG; if anyone could possibly spare the time to have a look at them and make a suggestion I would be most grateful!

With Thanks,

Richard.



________________________________________________________________________________________________________________________________


DDS (Ver_09-06-26.01) - NTFSx86
Run by Administrator at 16:18:22.59 on 27/07/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.286 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINNT\system32\svchost -k DcomLaunch
svchost.exe
C:\WINNT\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Belkin\F5D7001v2000\Belkinwcui.exe
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
C:\Program Files\Belkin\F5D7001v2000\ChkDev.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Fluff\Fluff.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.msn.com
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: {DFE29355-D1AD-4B3E-8874-9D8CCDAD40F2} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {FC6323AF-1099-4E62-BDC5-E48FCCD2285A} - No File
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Uniblue RegistryBooster 2] c:\program files\uniblue\registrybooster 2\RegistryBooster.exe /S
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [Synchronization Manager] mobsync.exe /logon
mRun: [FLMOFFICE4DMOUSE] c:\program files\browser mouse\mouse32a.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [HPDJ Taskbar Utility] c:\winnt\system32\spool\drivers\w32x86\3\hpztsb03.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\winnt\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [H2O] c:\program files\syncrosoft\pos\h2o\cledx.exe
mRun: [LWBMOUSE] c:\program files\browser mouse\browser mouse\1.1\MOUSE32A.EXE
mRun: [SymTray - Norton SystemWorks] c:\program files\common files\symantec shared\Symtray.exe SetReg
mRun: [NvMediaCenter] RUNDLL32.EXE c:\winnt\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SMSTray] c:\program files\samsung\samsung media studio 5\SMSTray.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [LVCOMSX] c:\winnt\system32\LVCOMSX.EXE
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
dRunOnce: [^SetupICWDesktop] c:\program files\internet explorer\connection wizard\icwconn1.exe /desktop
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7001v2000\Belkinwcui.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dmx6fi~1.lnk - c:\program files\terratec\dmx 6fire\DMX6Fire.exe
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1163079250296
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1163085921625
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\winnt\system32\rakujotu.dll
SEH: ShellHook Class: {88485281-8b4b-4f8d-9ede-82e29a064277} - c:\progra~1\markany\conten~1\MACSMA~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli c:\winnt\system32\rakujotu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\80neu3cy.default\
FF - component: c:\documents and settings\administrator\application data\mozilla\firefox\profiles\80neu3cy.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [2009-7-27 64160]
R1 Asapi;Asapi;c:\winnt\system32\drivers\asapi.sys [2007-11-11 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [2009-3-8 335752]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\winnt\system32\drivers\avgmfx86.sys [2009-3-8 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [2009-3-8 108552]
R1 pctfw2;pctfw2;c:\winnt\system32\drivers\pctfw2.sys [2008-1-25 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-6-23 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-6-23 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-8 298776]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-11-19 1119888]
R3 CLEDX;Team H2O CLEDX service;c:\winnt\system32\drivers\cledx.sys [2007-6-10 33792]
R3 dmxfire;DMX6fire WDM Audio;c:\winnt\system32\drivers\dmx6fire.sys [2003-8-29 148724]
R3 dmxsens;dmxsens;c:\winnt\system32\drivers\dmxsens.sys [2003-7-22 403968]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\winnt\system32\drivers\mbamswissarmy.sys [2009-7-27 38160]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-6-23 7408]
RUnknown crnxgb;crnxgb; [x]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-7-3 1029456]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [2006-11-29 49776]

=============== Created Last 30 ================

2009-07-27 10:36 38,160 a------- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-27 10:36 19,096 a------- c:\winnt\system32\drivers\mbam.sys
2009-07-27 10:36 <DIR> --d----- c:\program files\Fluff
2009-07-27 09:20 <DIR> --d----- c:\program files\SBla
2009-07-27 09:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-07-27 09:07 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-07-27 09:07 <DIR> --d----- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2009-07-27 09:06 15,688 a------- c:\winnt\system32\lsdelete.exe
2009-07-27 08:57 64,160 a------- c:\winnt\system32\drivers\Lbd.sys
2009-07-27 08:56 <DIR> --d----- c:\program files\Lavasoft
2009-07-27 08:50 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-27 08:48 <DIR> --d----- c:\program files\SBlaster
2009-07-26 21:15 <DIR> --d----- c:\winnt\ERUNT
2009-07-26 21:13 <DIR> --d----- C:\SDFix
2009-07-26 18:02 <DIR> --d----- c:\docume~1\admini~1\applic~1\Malwarebytes
2009-07-26 18:02 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-07-24 23:58 <DIR> --d----- c:\program files\Kingpin
2009-07-16 14:49 32 a------- c:\winnt\system32\w3data.vss
2009-07-16 14:49 32 a------- c:\winnt\system32\msvcsv60.dll
2009-07-16 14:49 32 a------- c:\winnt\msocreg32.dat
2009-07-16 14:47 <DIR> --d----- c:\program files\common files\DigiDesign
2009-07-15 19:53 1,025 a------- c:\winnt\system32\clauth2.dll
2009-07-15 19:53 1,025 a------- c:\winnt\system32\clauth1.dll
2009-07-15 19:53 71 a------- c:\winnt\system32\ssprs.dll
2009-07-14 20:36 <DIR> --d----- c:\program files\Digidesign
2009-07-14 20:35 <DIR> --d----- c:\program files\IK Multimedia

==================== Find3M ====================

2009-07-19 13:41 335,752 a------- c:\winnt\system32\drivers\avgldx86.sys
2009-06-28 07:02 11,952 a------- c:\winnt\system32\avgrsstx.dll
2009-05-25 12:51 74,240 a------- c:\program files\l
2006-11-09 16:01 271 ---sh--- c:\program files\desktop.ini
2006-11-09 16:01 21,952 ----h--- c:\program files\folder.htt

============= FINISH: 16:19:51.98 ===============



Malwarebytes-------------------------------------------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.39
Database version: 2510
Windows 5.1.2600 Service Pack 2

27/07/2009 14:55:56
mbam-log-2009-07-27 (14-55-51).txt

Scan type: Full Scan (C:\|D:\|X:\|)
Objects scanned: 206651
Time elapsed: 37 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll (Trojan.TDSS) -> No action taken.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll (Trojan.TDSS) -> No action taken.



AVG -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Scan "Scheduled scan" was finished.
Infections;"88";"0";"88"
Folders selected for scanning:;"Scan whole computer"
Scan started:;"27 July 2009, 12:01:44"
Scan finished:;"27 July 2009, 14:45:55 (2 hour(s) 44 minute(s) 10 second(s))"
Total object scanned:;"530992"
User who launched the scan:;"Administrator"

Infections
File;"Infection";"Result"
C:\WINNT\system32\wuauclt.exe (2404);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\wltrysvc.exe (1716);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\winlogon.exe (576);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\services.exe (620);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\rundll32.exe (2888);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\svchost.exe (896);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\svchost.exe (1600);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\rundll32.exe (2652);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\nvsvc32.exe (1496);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\lsass.exe (632);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\spoolsv.exe (1292);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe (2592);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Syncrosoft\POS\H2O\cledx.exe (2632);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\bcmwltry.exe (1740);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\explorer.exe (2328);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (1116);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Java\jre6\bin\jusched.exe (2616);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Java\jre6\bin\jqs.exe (1424);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (1628);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Browser MOUSE\Browser Mouse\1.1\Mouse32A.exe (2640);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\AVG\AVG8\avgrsx.exe (248);"Virus identified Win32/Cryptor";"Infected"
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (1392);"Virus identified Win32/Cryptor";"Infected"
C:\PROGRA~1\AVG\AVG8\avgnsx.exe (268);"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe (2584);"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\notepad.exe (2232);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\LVCOMSX.EXE (2692);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe (2988);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (2872);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (2728);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe (2668);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\QuickTime\QTTask.exe (2684);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Microsoft Office\Office\EXCEL.EXE (3600);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Logitech\Video\LogiTray.exe (2700);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Logitech\Video\FxSvr2.exe (3096);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (3636);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe (2708);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Belkin\F5D7001v2000\Belkinwcui.exe (2976);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\Belkin\F5D7001v2000\ChkDev.exe (2996);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\AVG\AVG8\avgui.exe (1948);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\AVG\AVG8\avgscanx.exe (1448);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\AVG\AVG8\avgcsrvx.exe (3032);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\AVG\AVG8\avgcsrvx.exe (2820);"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\AVG\AVG8\avgcsrvx.exe (2348);"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
C:\PROGRA~1\AVG\AVG8\avgtray.exe (2676);"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
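The AVG report above lists 88 "infections", but most of the entries are the same hidden DLL (`\\?\globalroot\systemroot\system32\geyekrthirwwut.dll`, the file Malwarebytes labels Trojan.TDSS) reported once per process it was loaded into, plus process-memory hits on otherwise legitimate system binaries. The following Python script is an added triage helper, not code from the thread or from AVG: it parses a report in the semicolon-separated layout AVG produced above (the layout is assumed from the quoted lines, and the sample input is a constructed excerpt, not the full log), groups the hits by path, separates running-process hits (the `(pid)` suffix) from on-disk files, and flags paths addressed through the `\\?\globalroot\` NT object namespace, which is how the rootkit-hidden DLL shows up.

```python
"""Triage helper for a semicolon-separated AVG scan report like the one
quoted in the post above. Added example; not part of the thread or of AVG."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the same layout as the AVG report quoted above
# (a few representative lines, not the full 88-entry log).
SAMPLE_AVG_REPORT = r"""
Scan "Scheduled scan" was finished.
Infections;"7";"0";"7"

Infections
File;"Infection";"Result"
C:\WINNT\system32\winlogon.exe (576);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\svchost.exe (896);"Virus identified Win32/Cryptor";"Infected"
C:\WINNT\system32\svchost.exe (1600);"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
C:\Program Files\AVG\AVG8\avgtray.exe (2676);"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
\\?\globalroot\systemroot\system32\geyekrthirwwut.dll;"Virus identified Win32/Cryptor";"Infected"
"""

TABLE_HEADER = 'File;"Infection";"Result"'

# One table row: <path>[ (pid)];"<detection>";"<result>"
# The pid suffix is present when AVG hit the image of a running process.
ENTRY_RE = re.compile(
    r'^(?P<path>.+?)(?: \((?P<pid>\d+)\))?;"(?P<detection>[^"]*)";"(?P<result>[^"]*)"$'
)

# Prefix of paths addressed through the NT object namespace instead of a
# drive letter (the hidden TDSS DLL above is reported this way).
HIDDEN_PREFIX = "\\\\?\\globalroot\\"


@dataclass(frozen=True)
class Finding:
    path: str
    pid: Optional[int]  # set when the hit was in a running process
    detection: str
    result: str


def parse_avg_report(text: str) -> List[Finding]:
    """Return the rows of the 'Infections' table; ignores the summary header."""
    findings: List[Finding] = []
    in_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == TABLE_HEADER:
            in_table = True
            continue
        if not in_table or not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue  # leave unrecognised lines alone rather than guess
        pid = int(m["pid"]) if m["pid"] else None
        findings.append(Finding(m["path"], pid, m["detection"], m["result"]))
    return findings


def is_hidden_namespace_path(path: str) -> bool:
    """True for \\?\globalroot\... paths (NT object namespace, not a drive)."""
    return path.lower().startswith(HIDDEN_PREFIX.lower())


def triage(text: str) -> Dict[str, object]:
    """Collapse the raw hit list into the figures a responder actually wants."""
    findings = parse_avg_report(text)
    per_path = Counter(f.path for f in findings)
    memory_hits = [f for f in findings if f.pid is not None]
    hidden = {f.path for f in findings if is_hidden_namespace_path(f.path)}
    return {
        "total": len(findings),
        "distinct_paths": len(per_path),
        "count_by_path": dict(per_path),
        "memory_hit_count": len(memory_hits),
        "hidden_paths": hidden,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_AVG_REPORT)
    print(f"{summary['total']} hits on {summary['distinct_paths']} distinct paths")
    print(f"{summary['memory_hit_count']} hits were in running processes")
    for path in sorted(summary["hidden_paths"]):
        print("hidden-namespace path:", path, "x", summary["count_by_path"][path])
```

Run on the full report from the post, the same grouping shrinks the 88-line list to a handful of distinct artifacts, with the `\\?\globalroot\...` DLL accounting for the bulk of the repeats; that is the object to chase, while the `(pid)` hits on winlogon.exe, svchost.exe and the AVG binaries themselves are the symptom of that DLL being loaded into them rather than separate infections of those files.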


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 28 July 2009 - 04:21 PM

Go HERE and download SysProt AntiRootkit. Unzip it to your Desktop
  • Run SysProt >> Click on the Log tab
  • Tick ALL the boxes at the "Write to log" section (Do NOT tick the "Hidden Objects Only" options)
  • Hit the Create Log button
  • When it asks for the scanning option, choose Scanning all drives >> Hit the Start button (Do NOT hit the "Ok" button)
  • Let it scan until finish
  • Find the log.txt inside the SysProt folder and attach the log here.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 RiXX1_7777

RiXX1_7777
  • Topic Starter

  • Members
  • 12 posts

Posted 29 July 2009 - 02:25 PM

Hey, I'd like to thank you for taking the time to answer my query, I really do appreciate it.

Attached should be the log from SysProt you requested

Attached Files



#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts

Posted 29 July 2009 - 04:58 PM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them after performing all the steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:

[screenshots of the rename step]


It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".

After that, double-click and run Combo-Fix. Let it finish its job and post the log here

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..



#5 RiXX1_7777

RiXX1_7777
  • Topic Starter

  • Members
  • 12 posts

Posted 30 July 2009 - 03:21 PM

Hello, here is the Combofix log:

ComboFix 09-07-29.04 - Administrator 30/07/2009 21:05.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.634 [GMT 1:00]
Running from: F:\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\NPROTECT
c:\winnt\run.log
c:\winnt\system32\drivers\geyekrojewtsrt.sys
c:\winnt\system32\geyekrfaqpekwe.dat
c:\winnt\system32\geyekrlhrrtmlx.dat
c:\winnt\system32\geyekrltborrfu.dll
c:\winnt\system32\geyekrthirwwut.dll
c:\winnt\system32\lsprst7.dll
c:\winnt\system32\msvcsv60.dll
c:\winnt\system32\muzapp.exe
c:\winnt\system32\setup.ini
c:\winnt\system32\ssprs.dll
c:\winnt\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_geyekrmpyndrub
-------\Service_IAS


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-30 )))))))))))))))))))))))))))))))
.

2009-07-30 19:40 . 2009-07-30 19:52 -------- d-----w- C:\ComboFix
2009-07-27 09:36 . 2009-07-13 12:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-27 09:36 . 2009-07-27 09:36 -------- d-----w- c:\program files\Fluff
2009-07-27 09:36 . 2009-07-13 12:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-07-27 08:20 . 2009-07-27 08:20 -------- d-----w- c:\program files\SBla
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-27 08:06 . 2009-07-03 14:49 15688 ----a-w- c:\winnt\system32\lsdelete.exe
2009-07-27 07:57 . 2009-07-27 07:57 -------- dc----w- c:\winnt\system32\DRVSTORE
2009-07-27 07:57 . 2009-07-03 14:49 64160 ----a-w- c:\winnt\system32\drivers\Lbd.sys
2009-07-27 07:56 . 2009-07-27 07:56 -------- d-----w- c:\program files\Lavasoft
2009-07-27 07:56 . 2009-07-27 07:56 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-07-27 07:50 . 2009-07-27 07:56 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-27 07:48 . 2009-07-27 07:48 -------- d-----w- c:\program files\SBlaster
2009-07-26 20:15 . 2009-07-26 20:15 -------- d-----w- c:\winnt\ERUNT
2009-07-26 20:13 . 2009-07-27 07:39 -------- d-----w- C:\SDFix
2009-07-26 17:02 . 2009-07-26 17:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-26 17:02 . 2009-07-26 17:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-24 22:58 . 2009-07-24 23:18 -------- d-----w- c:\program files\Kingpin
2009-07-16 13:49 . 2009-07-23 20:36 32 ----a-w- c:\winnt\msocreg32.dat
2009-07-16 13:47 . 2009-07-16 13:47 -------- d-----w- c:\program files\Common Files\DigiDesign
2009-07-15 18:53 . 2009-07-15 18:53 1025 ----a-w- c:\winnt\system32\clauth2.dll
2009-07-15 18:53 . 2009-07-15 18:53 1025 ----a-w- c:\winnt\system32\clauth1.dll
2009-07-14 19:36 . 2009-07-14 19:36 -------- d-----w- c:\program files\Digidesign
2009-07-14 19:35 . 2009-07-16 15:12 -------- d-----w- c:\program files\IK Multimedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-30 20:13 . 2009-05-19 08:04 664 ----a-w- c:\winnt\system32\d3d9caps.dat
2009-07-27 08:30 . 2007-12-14 22:11 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-26 21:33 . 2006-11-09 15:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-26 19:34 . 2007-09-30 19:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-26 17:22 . 2007-03-11 16:26 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SecTaskMan
2009-07-26 16:59 . 2007-03-11 13:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-19 12:41 . 2009-03-08 10:09 335752 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2009-06-28 06:02 . 2009-03-08 10:09 11952 ----a-w- c:\winnt\system32\avgrsstx.dll
2009-06-28 06:02 . 2009-03-08 10:09 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys
2009-05-25 11:51 . 2009-05-25 11:51 74240 ----a-w- c:\program files\l
2009-05-04 17:36 . 2009-03-08 10:09 108552 ----a-w- c:\winnt\system32\drivers\avgtdix.sys
2006-11-09 15:01 . 2006-11-09 13:21 21952 ---h--w- c:\program files\folder.htt
2009-07-23 17:18 . 2008-12-20 15:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-07-26 23:06 . 2007-07-26 23:06 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-07-26 23:06 . 2007-07-26 23:06 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-07-26 23:06 . 2007-07-26 23:06 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [2006-11-12 360448]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb03.exe" [2001-07-23 200704]
"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [2005-12-01 7311360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 136600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"LWBMOUSE"="c:\program files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE" [2001-11-20 356352]
"NvMediaCenter"="c:\winnt\System32\NvMcTray.dll" [2005-12-01 86016]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"LVCOMSX"="c:\winnt\system32\LVCOMSX.EXE" [2004-12-14 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-12-14 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-12-14 217088]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2004-08-04 143360]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2005-12-01 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-03 44544]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-11 110592]
Belkin Wireless Utility.lnk - c:\program files\Belkin\F5D7001v2000\Belkinwcui.exe [2007-10-14 1572864]
DMX 6fire 2496 ControlPanel.lnk - c:\program files\TerraTec\DMX 6fire\DMX6Fire.exe [2006-11-9 335872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 06:02 11952 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINNT\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [27/07/2009 08:57 64160]
R1 Asapi;Asapi;c:\winnt\system32\drivers\asapi.sys [11/11/2007 13:36 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [08/03/2009 11:09 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [08/03/2009 11:09 108552]
R1 pctfw2;pctfw2;c:\winnt\system32\drivers\pctfw2.sys [25/01/2008 20:22 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/03/2009 11:08 298776]
R3 CLEDX;Team H2O CLEDX service;c:\winnt\system32\drivers\cledx.sys [10/06/2007 16:59 33792]
R3 dmxfire;DMX6fire WDM Audio;c:\winnt\system32\drivers\dmx6fire.sys [29/08/2003 10:30 148724]
R3 dmxsens;dmxsens;c:\winnt\system32\drivers\dmxsens.sys [22/07/2003 15:07 403968]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Administrator\Desktop\SysProt\SysProtDrv.sys [29/07/2009 20:07 44288]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [29/11/2006 18:26 49776]
.
- - - - ORPHANS REMOVED - - - -

BHO-{DFE29355-D1AD-4B3E-8874-9D8CCDAD40F2} - (no file)
BHO-{FC6323AF-1099-4E62-BDC5-E48FCCD2285A} - (no file)
HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe
HKLM-Run-SymTray - Norton SystemWorks - c:\program files\Common Files\Symantec Shared\Symtray.exe
Notify-AtiExtEvent - (no file)
SafeBoot-sglfb.sys
SafeBoot-tga.sys


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\80neu3cy.default\
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\80neu3cy.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-30 21:13
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(588)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(644)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'explorer.exe'(3848)
c:\winnt\system32\nview.dll
c:\winnt\system32\nvwddi.dll
c:\winnt\System32\shdoclc.dll
c:\program files\Browser MOUSE\MOUDL32A.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\system32\wltrysvc.exe
c:\winnt\system32\bcmwltry.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\rundll32.exe
c:\program files\Belkin\F5D7001v2000\ChkDev.exe
c:\winnt\system32\rundll32.exe
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2009-07-30 21:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-30 20:16

Pre-Run: 52,858,875,904 bytes free
Post-Run: 52,815,151,104 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

215 --- E O F --- 2007-12-12 18:51

#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:08:57 AM

Posted 30 July 2009 - 04:20 PM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\winnt\system32\clauth2.dll
c:\winnt\system32\clauth1.dll
c:\program files\l

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
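The CFScript above names three files picked out of the ComboFix listing. As an added example (not ComboFix's own code and not the helper's tooling), the Python script below parses the "Files Created" / "Find3M Report" lines that ComboFix prints, applies a few triage heuristics of the kind an analyst uses when choosing what goes into a File:: section, and then checks a post-fix log to confirm the targeted files are gone. The heuristics and the 4096-byte threshold are my assumptions, not the helper's stated reasoning; the sample input is copied from the logs in this thread (the listing just above reply #6 and the post-fix listing in reply #7).

```python
"""Triage helper for ComboFix file listings (added example; not ComboFix code)."""
import re
from collections import defaultdict

# One ComboFix listing line: "<created> . <modified> <size or dashes> <8 attr chars> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

PE_EXTENSIONS = (".dll", ".exe", ".sys")
TINY_PE_BYTES = 4096  # assumption: a PE-type file in system32 smaller than this deserves a look

# Sample input copied from the ComboFix logs in this thread (header and "." lines are skipped by the parser).
BEFORE_LOG = r"""
2009-07-27 09:36 . 2009-07-13 12:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-27 09:36 . 2009-07-13 12:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-07-15 18:53 . 2009-07-15 18:53 1025 ----a-w- c:\winnt\system32\clauth2.dll
2009-07-15 18:53 . 2009-07-15 18:53 1025 ----a-w- c:\winnt\system32\clauth1.dll
2009-07-14 19:36 . 2009-07-14 19:36 -------- d-----w- c:\program files\Digidesign
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-19 12:41 . 2009-03-08 10:09 335752 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2009-05-25 11:51 . 2009-05-25 11:51 74240 ----a-w- c:\program files\l
"""

# The same sections from the post-fix log in reply #7: the three targeted files no longer appear.
AFTER_LOG = r"""
2009-07-27 09:36 . 2009-07-13 12:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-27 09:36 . 2009-07-13 12:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-07-14 19:36 . 2009-07-14 19:36 -------- d-----w- c:\program files\Digidesign
2009-07-19 12:41 . 2009-03-08 10:09 335752 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
"""

# The paths named in the CFScript's File:: section.
TARGETS = [r"c:\winnt\system32\clauth2.dll", r"c:\winnt\system32\clauth1.dll", r"c:\program files\l"]


def parse_entries(text):
    """Parse ComboFix listing lines into dicts; headers, separators and blanks are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = m["size"]
        entries.append({
            "created": m["created"],
            "modified": m["modified"],
            "size": None if size.startswith("-") else int(size),  # directories show dashes, not a size
            "is_dir": m["attrs"][0] == "d",
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def flag_entries(entries):
    """Return {path: [reasons]} for entries that match the triage heuristics (assumptions, see lead-in)."""
    flags = defaultdict(list)
    for e in entries:
        if e["is_dir"]:
            continue
        parent, _, name = e["path"].lower().rpartition("\\")
        stem, dot, ext = name.rpartition(".")
        # Heuristic 1: installers create subfolders under Program Files, not loose files.
        if parent == r"c:\program files":
            flags[e["path"]].append("loose file directly under Program Files")
        # Heuristic 2: no extension, or a one-character name, is not how legitimate software is shipped.
        if not dot or len(stem) <= 1:
            flags[e["path"]].append("unusual name (no extension or one-character stem)")
        # Heuristic 3: an implausibly small .dll/.exe/.sys dropped straight into system32.
        if parent == r"c:\winnt\system32" and name.endswith(PE_EXTENSIONS) \
                and e["size"] is not None and e["size"] < TINY_PE_BYTES:
            flags[e["path"]].append(f"tiny .{ext} file in system32 ({e['size']} bytes)")
    # Heuristic 4: files dropped together share a creation minute and a size (clauth1/clauth2 pattern).
    groups = defaultdict(list)
    for e in entries:
        if not e["is_dir"] and e["size"] is not None:
            groups[(e["created"], e["size"])].append(e["path"])
    for (created, size), paths in groups.items():
        if len(paths) >= 2:
            for p in paths:
                flags[p].append(f"{len(paths)} files share created time {created} and size {size}")
    return dict(flags)


def still_present(after_entries, targets):
    """Targets from the fix script that still appear in the post-fix listing (case-insensitive)."""
    present = {e["path"].lower() for e in after_entries}
    return [t for t in targets if t.lower() in present]


def report(before_text, after_text, targets):
    """Summary lines: one FLAG line per suspicious path, then the post-fix verification result."""
    lines = [f"FLAG {path}: " + "; ".join(reasons)
             for path, reasons in flag_entries(parse_entries(before_text)).items()]
    leftover = still_present(parse_entries(after_text), targets)
    lines.append("post-fix check: " + ("all targets gone" if not leftover
                                       else "still present: " + ", ".join(leftover)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(BEFORE_LOG, AFTER_LOG, TARGETS)))
```

The heuristics are deliberately narrow: a real triage also weighs the Sigcheck results and the run keys ComboFix prints further down, and the post-fix check only confirms the listed paths are absent from the new log, not that nothing else was left behind.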


#7 RiXX1_7777

RiXX1_7777
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:01:57 AM

Posted 31 July 2009 - 03:19 PM

Combo log and HJT log as requested!

ComboFix 09-07-29.04 - Administrator 31/07/2009 20:10.2.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.556 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
* Created a new restore point

FILE ::
"c:\program files\l"
"c:\winnt\system32\clauth1.dll"
"c:\winnt\system32\clauth2.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\l
c:\winnt\system32\clauth1.dll
c:\winnt\system32\clauth2.dll

.
((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-30 19:40 . 2009-07-30 19:52 -------- d-----w- C:\ComboFix
2009-07-27 09:36 . 2009-07-13 12:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-27 09:36 . 2009-07-27 09:36 -------- d-----w- c:\program files\Fluff
2009-07-27 09:36 . 2009-07-13 12:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-07-27 08:20 . 2009-07-27 08:20 -------- d-----w- c:\program files\SBla
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-27 08:06 . 2009-07-03 14:49 15688 ----a-w- c:\winnt\system32\lsdelete.exe
2009-07-27 07:57 . 2009-07-27 07:57 -------- dc----w- c:\winnt\system32\DRVSTORE
2009-07-27 07:57 . 2009-07-03 14:49 64160 ----a-w- c:\winnt\system32\drivers\Lbd.sys
2009-07-27 07:56 . 2009-07-27 07:56 -------- d-----w- c:\program files\Lavasoft
2009-07-27 07:56 . 2009-07-27 07:56 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-07-27 07:50 . 2009-07-27 07:56 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-27 07:48 . 2009-07-27 07:48 -------- d-----w- c:\program files\SBlaster
2009-07-26 20:15 . 2009-07-26 20:15 -------- d-----w- c:\winnt\ERUNT
2009-07-26 20:13 . 2009-07-27 07:39 -------- d-----w- C:\SDFix
2009-07-26 17:02 . 2009-07-26 17:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-26 17:02 . 2009-07-26 17:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-24 22:58 . 2009-07-24 23:18 -------- d-----w- c:\program files\Kingpin
2009-07-16 13:49 . 2009-07-23 20:36 32 ----a-w- c:\winnt\msocreg32.dat
2009-07-16 13:47 . 2009-07-16 13:47 -------- d-----w- c:\program files\Common Files\DigiDesign
2009-07-14 19:36 . 2009-07-14 19:36 -------- d-----w- c:\program files\Digidesign
2009-07-14 19:35 . 2009-07-16 15:12 -------- d-----w- c:\program files\IK Multimedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 19:17 . 2009-05-19 08:04 664 ----a-w- c:\winnt\system32\d3d9caps.dat
2009-07-27 08:30 . 2007-12-14 22:11 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-26 21:33 . 2006-11-09 15:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-26 19:34 . 2007-09-30 19:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-26 17:22 . 2007-03-11 16:26 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SecTaskMan
2009-07-26 16:59 . 2007-03-11 13:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-19 12:41 . 2009-03-08 10:09 335752 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2009-06-28 06:02 . 2009-03-08 10:09 11952 ----a-w- c:\winnt\system32\avgrsstx.dll
2009-06-28 06:02 . 2009-03-08 10:09 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys
2009-05-04 17:36 . 2009-03-08 10:09 108552 ----a-w- c:\winnt\system32\drivers\avgtdix.sys
2006-11-09 15:01 . 2006-11-09 13:21 21952 ---h--w- c:\program files\folder.htt
2009-07-23 17:18 . 2008-12-20 15:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-07-26 23:06 . 2007-07-26 23:06 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-07-26 23:06 . 2007-07-26 23:06 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-07-26 23:06 . 2007-07-26 23:06 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
.

------- Sigcheck -------

[7] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\winnt\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\winnt\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2001-08-23 12:00 561152 BE57A5C3ABD240514B98F6BCA872FB21 c:\winnt\$NtServicePackUninstall$\user32.dll
[7] 2004-08-04 00:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\winnt\$NtUninstallKB890859$\user32.dll
[7] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\winnt\$NtUninstallKB925902$\user32.dll
[-] 2003-06-19 19:05 403216 11ED538DB87D8CF38017A63A82AA805D c:\winnt\$NtUpdateRollupPackUninstall$\user32.dll
[7] 2004-08-04 00:56 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\winnt\ServicePackFiles\i386\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\winnt\system32\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\winnt\system32\dllcache\user32.dll

[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\winnt\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2001-08-23 12:00 327168 E7774698BB0D14B0710A9A31E209F9B6 c:\winnt\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-03 23:14 359040 9F4B36614A0FC234525BA224957DE55C c:\winnt\$NtUninstallKB917953$\tcpip.sys
[-] 2003-06-19 19:05 332144 5F1BE742B1F2196663255991AE7ACC83 c:\winnt\$NtUpdateRollupPackUninstall$\tcpip.sys
[7] 2004-08-03 23:14 359040 9F4B36614A0FC234525BA224957DE55C c:\winnt\ServicePackFiles\i386\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\winnt\system32\dllcache\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\winnt\system32\drivers\tcpip.sys

[7] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\winnt\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 01:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\winnt\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[-] 2001-08-23 12:00 1896704 46E2E3DCF54B819CFB2EBFE48A22B5C9 c:\winnt\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2004-08-03 22:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\winnt\$NtUninstallKB890859$\ntkrnlpa.exe
[7] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\winnt\$NtUninstallKB931784$\ntkrnlpa.exe
[-] 2003-06-19 19:05 1694080 541DAEF38C9C82541690AA7E6F52F654 c:\winnt\$NtUpdateRollupPackUninstall$\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\winnt\Driver Cache\i386\ntkrnlpa.exe
[7] 2004-08-03 22:59 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\winnt\ServicePackFiles\i386\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\winnt\system32\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\winnt\system32\dllcache\ntkrnlpa.exe

[7] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\winnt\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\winnt\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[-] 2001-08-23 12:00 1982208 A29222D5281056E497408FCC9062F749 c:\winnt\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2004-08-03 23:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\winnt\$NtUninstallKB890859$\ntoskrnl.exe
[7] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\winnt\$NtUninstallKB931784$\ntoskrnl.exe
[-] 2003-06-19 19:05 1719056 61A2DCFCE1ABF5340D2128E45B5F52B7 c:\winnt\$NtUpdateRollupPackUninstall$\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\winnt\Driver Cache\i386\ntoskrnl.exe
[7] 2004-08-03 23:20 2180992 CE218BC7088681FAA06633E218596CA7 c:\winnt\ServicePackFiles\i386\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\winnt\system32\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\winnt\system32\dllcache\ntoskrnl.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\winnt\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2001-08-23 12:00 51200 9B4155BA58192D4073082B8FC5D42612 c:\winnt\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 00:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\winnt\$NtUninstallKB896423$\spoolsv.exe
[7] 2004-08-04 00:56 57856 7435B108B935E42EA92CA94F59C8E717 c:\winnt\ServicePackFiles\i386\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\winnt\system32\spoolsv.exe


[7] 2001-08-23 12:00 924432 DDF8D47ACF8FC3FE5F7F2B95C4D4D136 c:\winnt\$NtUninstallKB924667$\mfc40u.dll
[-] 2006-11-01 19:17 927504 925F8B61ED301A317BA850EBEECBDAA0 c:\winnt\system32\mfc40u.dll
[-] 2006-11-01 19:17 927504 925F8B61ED301A317BA850EBEECBDAA0 c:\winnt\system32\dllcache\mfc40u.dll

[-] 2001-08-23 12:00 557568 1C38C4D90DD3C07A1946E4D5005EE928 c:\winnt\$NtServicePackUninstall$\comctl32.dll
[7] 2004-08-04 00:56 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\winnt\$NtUninstallKB923191$\comctl32.dll
[7] 2004-08-04 00:56 611328 A77DFB85FAEE49D66C74DA6024EBC69B c:\winnt\ServicePackFiles\i386\comctl32.dll
[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\winnt\system32\comctl32.dll
[-] 2006-08-25 15:45 617472 B0124CB21D28B1C9F678B566B6B57D92 c:\winnt\system32\dllcache\comctl32.dll
[7] 2001-08-23 12:00 921088 AEF3D788DBF40C7C4D204EA45EB0C505 c:\winnt\winsxs\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.0.0_x-ww_1382d70a\comctl32.dll
[7] 2004-08-04 00:57 1050624 5AF68A5E44734A082442668E9C787743 c:\winnt\winsxs\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
[-] 2006-08-25 15:45 1054208 C4E80875C1CF1222FC5EFD0314AE5C01 c:\winnt\winsxs\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-07-30_20.14.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-31 19:16 . 2009-07-31 19:16 16384 c:\winnt\temp\Perflib_Perfdata_564.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [2006-11-12 360448]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb03.exe" [2001-07-23 200704]
"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [2005-12-01 7311360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 136600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"LWBMOUSE"="c:\program files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE" [2001-11-20 356352]
"NvMediaCenter"="c:\winnt\System32\NvMcTray.dll" [2005-12-01 86016]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"LVCOMSX"="c:\winnt\system32\LVCOMSX.EXE" [2004-12-14 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-12-14 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-12-14 217088]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2004-08-04 143360]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2005-12-01 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-03 44544]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-11 110592]
Belkin Wireless Utility.lnk - c:\program files\Belkin\F5D7001v2000\Belkinwcui.exe [2007-10-14 1572864]
DMX 6fire 2496 ControlPanel.lnk - c:\program files\TerraTec\DMX 6fire\DMX6Fire.exe [2006-11-9 335872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 06:02 11952 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINNT\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [27/07/2009 08:57 64160]
R1 Asapi;Asapi;c:\winnt\system32\drivers\asapi.sys [11/11/2007 13:36 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [08/03/2009 11:09 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [08/03/2009 11:09 108552]
R1 pctfw2;pctfw2;c:\winnt\system32\drivers\pctfw2.sys [25/01/2008 20:22 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/03/2009 11:08 298776]
R3 CLEDX;Team H2O CLEDX service;c:\winnt\system32\drivers\cledx.sys [10/06/2007 16:59 33792]
R3 dmxfire;DMX6fire WDM Audio;c:\winnt\system32\drivers\dmx6fire.sys [29/08/2003 10:30 148724]
R3 dmxsens;dmxsens;c:\winnt\system32\drivers\dmxsens.sys [22/07/2003 15:07 403968]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Administrator\Desktop\SysProt\SysProtDrv.sys [29/07/2009 20:07 44288]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [29/11/2006 18:26 49776]
.
- - - - ORPHANS REMOVED - - - -

BHO-{DFE29355-D1AD-4B3E-8874-9D8CCDAD40F2} - (no file)
BHO-{FC6323AF-1099-4E62-BDC5-E48FCCD2285A} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\80neu3cy.default\
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\80neu3cy.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 20:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(600)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(656)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'explorer.exe'(1284)
c:\winnt\system32\nview.dll
c:\winnt\system32\nvwddi.dll
c:\winnt\System32\shdoclc.dll
c:\program files\Browser MOUSE\MOUDL32A.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\system32\wltrysvc.exe
c:\winnt\system32\bcmwltry.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\rundll32.exe
c:\winnt\system32\rundll32.exe
c:\program files\Belkin\F5D7001v2000\ChkDev.exe
c:\program files\Browser MOUSE\Browser Mouse\1.1\Setting.DAT
c:\program files\Logitech\Video\FxSvr2.exe
.
**************************************************************************
.
Completion time: 2009-07-31 20:20 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-31 19:20
ComboFix2.txt 2009-07-30 20:17

Pre-Run: 52,802,056,192 bytes free
Post-Run: 52,773,195,776 bytes free

254 --- E O F --- 2007-12-12 18:51



______________________________________________________________________________________________________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:12:36, on 31/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\F5D7001v2000\Belkinwcui.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Belkin\F5D7001v2000\ChkDev.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\F5D7001v2000\Belkinwcui.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mswsock32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163079250296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163085921625
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe

--
End of file - 8607 bytes

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:08:57 AM

Posted 31 July 2009 - 04:59 PM

Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box at the top of the page:
    • c:\winnt\system32\user32.dll
      c:\winnt\system32\drivers\tcpip.sys
      c:\winnt\system32\ntkrnlpa.exe
      c:\winnt\system32\ntoskrnl.exe
      c:\winnt\system32\spoolsv.exe
      c:\winnt\system32\mfc40u.dll
      c:\winnt\system32\comctl32.dll
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If the VirScan.org server is too busy, please submit the files to VirusTotal instead.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 RiXX1_7777

RiXX1_7777
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:57 AM

Posted 01 August 2009 - 07:25 AM

Hello, please find below results from the scans.

I have scanned using both of the websites you recommended, as VirScan was a little odd: it revealed viruses, but in the file name path it did not list the file I uploaded; it listed '1.HTML' instead, and did this for a number of files.

Results via VirusTotal were all clear, though when clicking on links in Firefox there is still a delay before the page connects.

Virus Total

c:\winnt\system32\user32.dll http://www.virustotal.com/analisis/3d1ef89...672f-1249126286
c:\winnt\system32\drivers\tcpip.sys http://www.virustotal.com/analisis/1e202b8...7525-1249127292
c:\winnt\system32\ntkrnlpa.exe http://www.virustotal.com/analisis/bb84930...86f6-1249127473
c:\winnt\system32\ntoskrnl.exe http://www.virustotal.com/analisis/36cbb1b...a162-1249127806
c:\winnt\system32\spoolsv.exe http://www.virustotal.com/analisis/5212574...e702-1249128164
c:\winnt\system32\mfc40u.dll http://www.virustotal.com/analisis/15ccef5...8987-1249128470
c:\winnt\system32\comctl32.dll http://www.virustotal.com/analisis/00e3ff6...fa58-1249128603


-------------------------------------------------------------------------------------------------------------------------------------------------------------------------

VirScan

c:\winnt\system32\user32.dll http://www.virscan.org/report/34d8964d4ad7...83de640f23.html
c:\winnt\system32\drivers\tcpip.sys http://www.virscan.org/report/e8541b64f8b1...5aa9dfd4d2.html
c:\winnt\system32\ntkrnlpa.exe http://www.virscan.org/report/8d058cf996dd...66904deea3.html
c:\winnt\system32\ntoskrnl.exe http://www.virscan.org/report/e8541b64f8b1...5aa9dfd4d2.html
c:\winnt\system32\spoolsv.exe http://www.virscan.org/report/66e041b33b0a...74071f8eef.html
c:\winnt\system32\mfc40u.dll http://www.virscan.org/report/e8541b64f8b1...5aa9dfd4d2.html

#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:08:57 AM

Posted 01 August 2009 - 07:56 AM

1. Please open Notepad
  • If you don't know how, just go to Start >> Run >> copy/paste notepad.exe >> Enter
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

FCopy::
c:\winnt\ServicePackFiles\i386\user32.dll | c:\winnt\system32\user32.dll
c:\winnt\ServicePackFiles\i386\tcpip.sys | c:\winnt\system32\drivers\tcpip.sys
c:\winnt\ServicePackFiles\i386\ntkrnlpa.exe | c:\winnt\system32\ntkrnlpa.exe
c:\winnt\ServicePackFiles\i386\ntoskrnl.exe | c:\winnt\system32\ntoskrnl.exe
c:\winnt\ServicePackFiles\i386\spoolsv.exe | c:\winnt\system32\spoolsv.exe
c:\winnt\$NtUninstallKB924667$\mfc40u.dll | c:\winnt\system32\mfc40u.dll
c:\winnt\ServicePackFiles\i386\comctl32.dll | c:\winnt\system32\comctl32.dll

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After the reboot (if it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

Edited by fenzodahl512, 01 August 2009 - 07:56 AM.

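The check behind posts #8 and #10, as an added example that is not part of the thread, ComboFix, or the helper's instructions: before uploading the seven files to VirusTotal, and before letting FCopy:: overwrite them, a practitioner would hash each live system file and compare it with the Service Pack copy ComboFix was told to restore. The SHA-256 it prints is also what you can look up on VirusTotal instead of uploading the file itself. Assumptions: the ServicePackFiles copy is treated as the known-good reference; the file pairs are the ones from the CFScript above, written with forward slashes so the script runs anywhere; and the directory tree it scans is a constructed sample built in a temp folder (placeholder bytes, not real binaries), in which tcpip.sys has been altered and the $NtUninstallKB924667$ folder is absent.

```python
"""Hash-compare live Windows system files against backup copies.

Added example for the BleepingComputer thread (not the forum's, ComboFix's
or the helper's code). Mirrors the FCopy:: pairs from the CFScript, but
only reads and compares; it never overwrites anything.
"""
import hashlib
import os
import tempfile

# (known-good copy, live file) pairs from the CFScript in the thread,
# relative to the system drive. Forward slashes so the demo runs on any OS.
FILE_PAIRS = [
    ("WINNT/ServicePackFiles/i386/user32.dll",   "WINNT/system32/user32.dll"),
    ("WINNT/ServicePackFiles/i386/tcpip.sys",    "WINNT/system32/drivers/tcpip.sys"),
    ("WINNT/ServicePackFiles/i386/ntkrnlpa.exe", "WINNT/system32/ntkrnlpa.exe"),
    ("WINNT/ServicePackFiles/i386/ntoskrnl.exe", "WINNT/system32/ntoskrnl.exe"),
    ("WINNT/ServicePackFiles/i386/spoolsv.exe",  "WINNT/system32/spoolsv.exe"),
    ("WINNT/$NtUninstallKB924667$/mfc40u.dll",   "WINNT/system32/mfc40u.dll"),
    ("WINNT/ServicePackFiles/i386/comctl32.dll", "WINNT/system32/comctl32.dll"),
]


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks (kernel images are a few MB)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def compare_pairs(root, pairs=FILE_PAIRS):
    """Hash each live file and its backup copy.

    Returns {live_relpath: (status, live_sha256_or_None)} where status is
    'match', 'MISMATCH' (live file differs from the backup) or 'missing'
    (one side is absent). A MISMATCH is a lead, not a verdict: a file that
    a later hotfix legitimately replaced also differs from the Service Pack
    copy, so look the live hash up on VirusTotal and check the file's
    version and Authenticode signature before restoring the old copy over
    it (restoring also rolls back those fixes).
    """
    results = {}
    for backup_rel, live_rel in pairs:
        backup = os.path.join(root, *backup_rel.split("/"))
        live = os.path.join(root, *live_rel.split("/"))
        if not (os.path.isfile(backup) and os.path.isfile(live)):
            results[live_rel] = ("missing", None)
            continue
        live_hash = sha256_file(live)
        status = "match" if live_hash == sha256_file(backup) else "MISMATCH"
        results[live_rel] = (status, live_hash)
    return results


def build_sample_tree(root):
    """Constructed test data, not from the thread: a toy copy of the XP
    layout with placeholder bytes, where the live tcpip.sys has been altered
    and the $NtUninstallKB924667$ backup folder does not exist."""
    for backup_rel, live_rel in FILE_PAIRS:
        if "mfc40u" in live_rel:
            continue  # simulate the missing uninstall folder (and no live copy)
        payload = ("clean " + os.path.basename(live_rel)).encode()
        for rel in (backup_rel, live_rel):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(payload)
    # Append to the live tcpip.sys so its hash diverges from the backup.
    patched = os.path.join(root, "WINNT", "system32", "drivers", "tcpip.sys")
    with open(patched, "ab") as fh:
        fh.write(b" + injected code")
    return root


def run_demo():
    """Build the sample tree, compare every pair, and return the table."""
    root = build_sample_tree(tempfile.mkdtemp(prefix="xp-hashcheck-"))
    results = compare_pairs(root)
    for live_rel, (status, live_hash) in results.items():
        print(f"{status:9} {live_rel}  {live_hash or '-'}")
    return results


if __name__ == "__main__":
    run_demo()
```

On a real machine you would point compare_pairs at the system drive (for example root=r"C:\") rather than the constructed tree; the report then tells you which of the seven files actually differ from the backup before anything is copied over them.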


#11 RiXX1_7777

RiXX1_7777
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:57 AM

Posted 01 August 2009 - 08:47 AM

ComboFix 09-07-29.04 - Administrator 01/08/2009 14:21.3.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.958.513 [GMT 1:00]
Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
--------------- FCopy ---------------

c:\winnt\ServicePackFiles\i386\user32.dll --> c:\winnt\system32\user32.dll
c:\winnt\ServicePackFiles\i386\tcpip.sys --> c:\winnt\system32\drivers\tcpip.sys
c:\winnt\ServicePackFiles\i386\ntkrnlpa.exe --> c:\winnt\system32\ntkrnlpa.exe
c:\winnt\ServicePackFiles\i386\ntoskrnl.exe --> c:\winnt\system32\ntoskrnl.exe
c:\winnt\ServicePackFiles\i386\spoolsv.exe --> c:\winnt\system32\spoolsv.exe
c:\winnt\$NtUninstallKB924667$\mfc40u.dll --> c:\winnt\system32\mfc40u.dll
c:\winnt\ServicePackFiles\i386\comctl32.dll --> c:\winnt\system32\comctl32.dll
.
((((((((((((((((((((((((( Files Created from 2009-07-01 to 2009-08-01 )))))))))))))))))))))))))))))))
.

2009-07-31 20:12 . 2009-07-31 20:12 -------- d-----w- c:\program files\Trend Micro
2009-07-30 19:40 . 2009-07-30 19:52 -------- d-----w- C:\ComboFix
2009-07-27 09:36 . 2009-07-13 12:36 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
2009-07-27 09:36 . 2009-07-27 09:36 -------- d-----w- c:\program files\Fluff
2009-07-27 09:36 . 2009-07-13 12:36 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
2009-07-27 08:20 . 2009-07-27 08:20 -------- d-----w- c:\program files\SBla
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-07-27 08:07 . 2009-07-27 08:07 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2009-07-27 08:06 . 2009-07-03 14:49 15688 ----a-w- c:\winnt\system32\lsdelete.exe
2009-07-27 07:57 . 2009-07-27 07:57 -------- dc----w- c:\winnt\system32\DRVSTORE
2009-07-27 07:57 . 2009-07-03 14:49 64160 ----a-w- c:\winnt\system32\drivers\Lbd.sys
2009-07-27 07:56 . 2009-07-27 07:56 -------- d-----w- c:\program files\Lavasoft
2009-07-27 07:56 . 2009-07-27 07:56 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Lavasoft
2009-07-27 07:50 . 2009-07-27 07:56 -------- dc-h--w- c:\docume~1\ALLUSE~1\APPLIC~1\{EF63305C-BAD7-4144-9208-D65528260864}
2009-07-27 07:48 . 2009-07-27 07:48 -------- d-----w- c:\program files\SBlaster
2009-07-26 20:15 . 2009-07-26 20:15 -------- d-----w- c:\winnt\ERUNT
2009-07-26 20:13 . 2009-07-27 07:39 -------- d-----w- C:\SDFix
2009-07-26 17:02 . 2009-07-26 17:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-26 17:02 . 2009-07-26 17:02 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Malwarebytes
2009-07-24 22:58 . 2009-07-24 23:18 -------- d-----w- c:\program files\Kingpin
2009-07-16 13:49 . 2009-07-23 20:36 32 ----a-w- c:\winnt\msocreg32.dat
2009-07-16 13:47 . 2009-07-16 13:47 -------- d-----w- c:\program files\Common Files\DigiDesign
2009-07-14 19:36 . 2009-07-14 19:36 -------- d-----w- c:\program files\Digidesign
2009-07-14 19:35 . 2009-07-16 15:12 -------- d-----w- c:\program files\IK Multimedia

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-01 10:26 . 2009-05-19 08:04 664 ----a-w- c:\winnt\system32\d3d9caps.dat
2009-07-27 08:30 . 2007-12-14 22:11 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-26 21:33 . 2006-11-09 15:16 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-26 19:34 . 2007-09-30 19:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-07-26 17:22 . 2007-03-11 16:26 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\SecTaskMan
2009-07-26 16:59 . 2007-03-11 13:45 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-07-19 12:41 . 2009-03-08 10:09 335752 ----a-w- c:\winnt\system32\drivers\avgldx86.sys
2009-06-28 06:02 . 2009-03-08 10:09 11952 ----a-w- c:\winnt\system32\avgrsstx.dll
2009-06-28 06:02 . 2009-03-08 10:09 27784 ----a-w- c:\winnt\system32\drivers\avgmfx86.sys
2009-05-04 17:36 . 2009-03-08 10:09 108552 ----a-w- c:\winnt\system32\drivers\avgtdix.sys
2006-11-09 15:01 . 2006-11-09 13:21 21952 ---h--w- c:\program files\folder.htt
2009-07-23 17:18 . 2008-12-20 15:17 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2007-07-26 23:06 . 2007-07-26 23:06 479232 ----a-w- c:\program files\mozilla firefox\plugins\msvcm80.dll
2007-07-26 23:06 . 2007-07-26 23:06 548864 ----a-w- c:\program files\mozilla firefox\plugins\msvcp80.dll
2007-07-26 23:06 . 2007-07-26 23:06 626688 ----a-w- c:\program files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-07-30_20.14.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-01 13:26 . 2009-08-01 13:26 16384 c:\winnt\temp\Perflib_Perfdata_628.dat
+ 2001-08-23 12:00 . 2004-08-04 00:56 57856 c:\winnt\system32\dllcache\spoolsv.exe
+ 2001-08-23 12:00 . 2004-08-04 00:56 577024 c:\winnt\system32\dllcache\user32.dll
+ 2001-08-23 12:00 . 2004-08-03 23:14 359040 c:\winnt\system32\dllcache\tcpip.sys
+ 2001-08-23 12:00 . 2001-08-23 12:00 924432 c:\winnt\system32\dllcache\mfc40u.dll
+ 2001-08-23 12:00 . 2004-08-04 00:56 611328 c:\winnt\system32\dllcache\comctl32.dll
+ 2001-08-23 12:00 . 2004-08-03 23:20 2180992 c:\winnt\system32\dllcache\ntoskrnl.exe
+ 2001-08-17 13:48 . 2004-08-03 22:59 2056832 c:\winnt\system32\dllcache\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-06-23 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FLMOFFICE4DMOUSE"="c:\program files\Browser MOUSE\mouse32a.exe" [2006-11-12 360448]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"HPDJ Taskbar Utility"="c:\winnt\system32\spool\drivers\w32x86\3\hpztsb03.exe" [2001-07-23 200704]
"NvCplDaemon"="c:\winnt\System32\NvCpl.dll" [2005-12-01 7311360]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-08 136600]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"H2O"="c:\program files\SyncroSoft\Pos\H2O\cledx.exe" [2005-10-23 385024]
"LWBMOUSE"="c:\program files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE" [2001-11-20 356352]
"NvMediaCenter"="c:\winnt\System32\NvMcTray.dll" [2005-12-01 86016]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-02-23 126976]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-28 1948440]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"LVCOMSX"="c:\winnt\system32\LVCOMSX.EXE" [2004-12-14 221184]
"LogitechVideoRepair"="c:\program files\Logitech\Video\ISStart.exe" [2004-12-14 458752]
"LogitechVideoTray"="c:\program files\Logitech\Video\LogiTray.exe" [2004-12-14 217088]
"Synchronization Manager"="mobsync.exe" - c:\winnt\system32\mobsync.exe [2004-08-04 143360]
"nwiz"="nwiz.exe" - c:\winnt\system32\nwiz.exe [2005-12-01 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="c:\program files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 214528]
"tscuninstall"="c:\winnt\system32\tscupgrd.exe" [2004-08-03 44544]

c:\docume~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-11 110592]
Belkin Wireless Utility.lnk - c:\program files\Belkin\F5D7001v2000\Belkinwcui.exe [2007-10-14 1572864]
DMX 6fire 2496 ControlPanel.lnk - c:\program files\TerraTec\DMX 6fire\DMX6Fire.exe [2006-11-9 335872]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 11:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent]
[BU]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-06-28 06:02 11952 ----a-w- c:\winnt\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINNT\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Spybot - Search & Destroy\\SpybotSD.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R0 Lbd;Lbd;c:\winnt\system32\drivers\Lbd.sys [27/07/2009 08:57 64160]
R1 Asapi;Asapi;c:\winnt\system32\drivers\asapi.sys [11/11/2007 13:36 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\winnt\system32\drivers\avgldx86.sys [08/03/2009 11:09 335752]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\winnt\system32\drivers\avgtdix.sys [08/03/2009 11:09 108552]
R1 pctfw2;pctfw2;c:\winnt\system32\drivers\pctfw2.sys [25/01/2008 20:22 160792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [23/06/2009 11:01 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [23/06/2009 11:01 72944]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/03/2009 11:08 298776]
R3 CLEDX;Team H2O CLEDX service;c:\winnt\system32\drivers\cledx.sys [10/06/2007 16:59 33792]
R3 dmxfire;DMX6fire WDM Audio;c:\winnt\system32\drivers\dmx6fire.sys [29/08/2003 10:30 148724]
R3 dmxsens;dmxsens;c:\winnt\system32\drivers\dmxsens.sys [22/07/2003 15:07 403968]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [23/06/2009 11:01 7408]
S3 FXDRV;FXDRV;\??\e:\fxdrv.sys --> e:\Fxdrv.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [03/07/2009 15:49 1029456]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Administrator\Desktop\SysProt\SysProtDrv.sys [29/07/2009 20:07 44288]
S3 usbhub20;USB 2.0 Root Hub Support;c:\winnt\system32\drivers\usbhub20.sys [29/11/2006 18:26 49776]
.
- - - - ORPHANS REMOVED - - - -

BHO-{DFE29355-D1AD-4B3E-8874-9D8CCDAD40F2} - (no file)
BHO-{FC6323AF-1099-4E62-BDC5-E48FCCD2285A} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
FF - ProfilePath - c:\docume~1\ADMINI~1\APPLIC~1\Mozilla\Firefox\Profiles\80neu3cy.default\
FF - component: c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\80neu3cy.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-01 14:36
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(592)
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(648)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll

- - - - - - - > 'explorer.exe'(2996)
c:\winnt\system32\nview.dll
c:\winnt\system32\nvwddi.dll
c:\winnt\System32\shdoclc.dll
c:\program files\Browser MOUSE\MOUDL32A.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\winnt\system32\nvsvc32.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\winnt\system32\wdfmgr.exe
c:\winnt\system32\wltrysvc.exe
c:\winnt\system32\bcmwltry.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\winnt\system32\wscntfy.exe
c:\winnt\system32\rundll32.exe
c:\winnt\system32\rundll32.exe
c:\program files\Browser MOUSE\Browser Mouse\1.1\Setting.DAT
c:\program files\Logitech\Video\FxSvr2.exe
c:\program files\Belkin\F5D7001v2000\ChkDev.exe
.
**************************************************************************
.
Completion time: 2009-08-01 14:39 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-01 13:39
ComboFix2.txt 2009-07-31 19:20
ComboFix3.txt 2009-07-30 20:17

Pre-Run: 52,865,425,408 bytes free
Post-Run: 52,823,375,872 bytes free

210 --- E O F --- 2007-12-12 18:51


______________________________________________________________________________________________________


Hijack This log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:44:09, on 01/08/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\wltrysvc.exe
C:\WINNT\System32\bcmwltry.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Browser MOUSE\mouse32a.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\WINNT\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\SETTING.DAT
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Belkin\F5D7001v2000\Belkinwcui.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Belkin\F5D7001v2000\ChkDev.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Browser MOUSE\mouse32a.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb03.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SMSTray] C:\Program Files\Samsung\Samsung Media Studio 5\SMSTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINNT\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\F5D7001v2000\Belkinwcui.exe
O4 - Global Startup: DMX 6fire 2496 ControlPanel.lnk = C:\Program Files\TerraTec\DMX 6fire\DMX6Fire.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\winnt\system32\mswsock32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1163079250296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1163085921625
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINNT\SYSTEM32\avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINNT\System32\wltrysvc.exe

--
End of file - 8669 bytes

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:08:57 AM

Posted 01 August 2009 - 01:38 PM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
How's the computer now? :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#13 RiXX1_7777

RiXX1_7777
  • Topic Starter

  • Members
  • 12 posts
  • Local time:01:57 AM

Posted 01 August 2009 - 03:34 PM

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=57f968cb4645704cba059bad36cbdbec
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-08-01 08:25:00
# local_time=2009-08-01 09:25:00 (+0000, GMT Daylight Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=1026 37 83 100 11510150000000
# scanned=112254
# found=6
# cleaned=6
# scan_time=3157
C:\Qoobox\Quarantine\C\WINNT\system32\geyekrltborrfu.dll.vir Win32/Olmarik.KF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINNT\system32\geyekrthirwwut.dll.vir Win32/Olmarik.JU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINNT\system32\drivers\geyekrojewtsrt.sys.vir Win32/Olmarik.KF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{92BB59BF-2240-4A29-AB7B-B6D40FCF52E9}\RP418\A0096757.sys Win32/Olmarik.KF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{92BB59BF-2240-4A29-AB7B-B6D40FCF52E9}\RP418\A0096758.dll Win32/Olmarik.KF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{92BB59BF-2240-4A29-AB7B-B6D40FCF52E9}\RP418\A0096759.dll Win32/Olmarik.JU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Hehe well the links seem to work on Firefox nice and snappy like they should, so I am hoping all is :thumbup2: you are a wizard!

Does everything look ok to you?
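
The ESET log posted above is a `# key=value` header followed by one detection per line. As an added example (not part of this thread and not an ESET tool), here is a small Python parser that reads that format, cross-checks the header's `found`/`cleaned` counters against the detection lines actually listed, and sorts each hit by where it sits: ComboFix's Qoobox quarantine folder, a System Restore point, or a live system path. The embedded log is the one from the post; the `live` category and the per-family tallies are the parser's own.

```python
"""Parse an ESET Online Scanner log and reconcile its header counters
with the detection lines it lists (example added for this thread)."""
import re
from collections import Counter

# The log as posted in this thread: '# key=value' header, then one detection
# per line: <path> <threat name> (<action>) <32-hex hash> <flag>.
ESET_LOG = r"""ESETSmartInstaller@High as downloader log:
all ok
# version=6
# end=finished
# remove_checked=true
# country="United Kingdom"
# scanned=112254
# found=6
# cleaned=6
# scan_time=3157
C:\Qoobox\Quarantine\C\WINNT\system32\geyekrltborrfu.dll.vir Win32/Olmarik.KF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINNT\system32\geyekrthirwwut.dll.vir Win32/Olmarik.JU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINNT\system32\drivers\geyekrojewtsrt.sys.vir Win32/Olmarik.KF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{92BB59BF-2240-4A29-AB7B-B6D40FCF52E9}\RP418\A0096757.sys Win32/Olmarik.KF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{92BB59BF-2240-4A29-AB7B-B6D40FCF52E9}\RP418\A0096758.dll Win32/Olmarik.KF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{92BB59BF-2240-4A29-AB7B-B6D40FCF52E9}\RP418\A0096759.dll Win32/Olmarik.JU trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# Paths may contain spaces ("System Volume Information"), so the path group is
# lazy and the line is pinned from the right by the (action), hash and flag.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<threat>\S+\s+\S+)\s+\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)$"
)


def classify_path(path):
    """Where the detected file sits. Qoobox\\Quarantine is ComboFix's
    quarantine folder; _restore{...} is a System Restore point. Anything
    else is treated as a live path (this parser's own category)."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "quarantine"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    return "live"


def parse_eset_log(text):
    """Return {'header': {key: value}, 'detections': [dict, ...]}."""
    header, detections = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# ") and "=" in line:
            key, _, value = line[2:].partition("=")
            header[key.strip()] = value.strip().strip('"')
            continue
        m = DETECTION_RE.match(line)
        if m:
            d = m.groupdict()
            d["location"] = classify_path(d["path"])
            detections.append(d)
    return {"header": header, "detections": detections}


def reconcile(parsed):
    """Cross-check header counters against the listed detections and
    summarise by threat family and by location."""
    hdr, dets = parsed["header"], parsed["detections"]
    found = int(hdr.get("found", 0))
    cleaned = int(hdr.get("cleaned", 0))
    cleaned_listed = sum(1 for d in dets if d["action"].startswith("cleaned"))
    return {
        "found": found,
        "cleaned": cleaned,
        "listed": len(dets),
        "cleaned_listed": cleaned_listed,
        "consistent": found == len(dets) and cleaned == cleaned_listed,
        "by_threat": Counter(d["threat"] for d in dets),
        "by_location": Counter(d["location"] for d in dets),
        # Live paths are the ones worth a second look; quarantine and
        # restore-point copies are already out of the running system.
        "live": [d["path"] for d in dets if d["location"] == "live"],
    }


if __name__ == "__main__":
    for key, value in reconcile(parse_eset_log(ESET_LOG)).items():
        print(f"{key}: {value}")
```

All six hits in the posted log are quarantine or restore-point copies, so `live` comes back empty and the header counters agree with the listed lines; a non-empty `live` list, or a `found` count that does not match the lines listed, is what to look at first when reading one of these logs.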

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • Local time:08:57 AM

Posted 03 August 2009 - 09:26 PM

Apologies for my late reply.. Real-life issues intruded on me...

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes


Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512
