Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Unknown Infection

  • This topic is locked This topic is locked
3 replies to this topic

#1 Watt Works

Watt Works

  • Members
  • 2 posts
  • Gender:Male
  • Location:California
  • Local time:12:44 PM

Posted 25 March 2010 - 05:17 PM

Adding in additional information from another post. ~ OB

Main symptom of infection is when I connect to internet I get 3 Symantec errors- I'll try to attach screen shots. First is "Symantec Email Proxy An encrypted email connection has been detected. Please see help on how to transmit encrypted email" This pops up as symantec behaves as if it is scanning 30- 60 emails. Outlook is not open. The next error is "Symantec Tamper Protection Alert Target C\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe.
Event Info: Open Process
Action Taken: Blocked
Actor Process: C\WINDOWS\System32\spool\DRIVERS\WX3286\3\E_S (there is more but not on my screenshot!!!)

Then the error: Symantec User Session: Symantec has encountered a problem and needs to close...etc"

I am also unable to connect to the internet via Firefox and IE- however virus programs etc update. Even when there is no real activity on my part the connection shows consistent data going out- so of course I pull the cable!

This happened after I downloaded a very nasty bug that loaded a lot of stuff on my system. One being "InternetSecurity2010". I had Fake virus warnings etc. It would not allow me to run Symantec AV or install Malwarebytes- even after renaming exe etc. Finally Stopzilla in Safe Mode ran and removed enough that I could run Malwarebytes. These programs found 100's of infections. On a PC that I believe was relatively clean before. I also installed PC Tools that removed more.

End of added content. ~ OB

Running XP Pro SP3 Dual Xeon 3.2, 4 gigs ram
About one month ago I downloaded a very nasty bug that loaded a lot of stuff on my system. One being "InternetSecurity2010". I had Fake virus warnings etc. It would not allow me to run Symantec AV or install Malwarebytes- even after renaming exe etc. Finally Stopzilla in Safe Mode ran and removed enough that I could run Malwarebytes. These programs found 100's of infections. On a PC that I believe was relatively clean before. I also installed PC Tools that removed more. This got my system running but whenever I connect to the internet- even without Outlook- running 30 or so Symantec error messages pop up. See Attached. I am connected to the internet as programs will update etc but both Firefox and IE won't connect. I really would prefer not to wipe my HD as it is an edit system and it would take me days to restore it. Any help appreciated!!!!!!


GMER - http://www.gmer.net
Rootkit scan 2010-03-25 14:43:45
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\WORLDC~1\LOCALS~1\Temp\uwrdipoc.sys

---- System - GMER 1.0.15 ----

SSDT 8ACC7700 ZwConnectPort
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xBA5CAE22] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xBA5ABCDC] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xBA5ABECE] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xBA5CB610] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xBA5CB8C4] <-- ROOTKIT !!!
SSDT 8A8E8788 ZwDuplicateObject
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xBA5C9B14] <-- ROOTKIT !!!
SSDT 8A5F7068 ZwOpenProcess
SSDT 8A649C58 ZwOpenThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xBA5CBD30] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xBA5CB0E2] <-- ROOTKIT !!!
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xBA5AB982] <-- ROOTKIT !!!
SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0x9EF536D0] <-- ROOTKIT !!!

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) 9FF9416D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) 9FF93FC2

---- Devices - GMER 1.0.15 ----

Device 8ACA9A10
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device LtvFs.sys (Leitch Altitude File System Driver/Harris Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] wxyujqw <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\wxyujqw@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\wxyujqw@Start 0
Reg HKLM\SYSTEM\ControlSet001\Services\wxyujqw@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\wxyujqw@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\wxyujqw@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\wxyujqw@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\wxyujqw@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\wxyujqw@Group Boot Bus Extender
Reg HKLM\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install
Reg HKLM\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install\VxDs
Reg HKLM\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install\VxDs@CTE_32 Name 2455032:{301564B2-67A6-1A66-9C4E-A1FE91DE9752}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Install
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{1131059E-AC18-DEA6-A8CE-A1F6C2F75934}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{1131059E-AC18-DEA6-A8CE-A1F6C2F75934}\Version 1.1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{1131059E-AC18-DEA6-A8CE-A1F6C2F75934}\Version 1.1@dat 806585365:{8C3250A8-0FE8-9744-0C88-E825B8DD92A5}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\{537D5882-9E91-5C3A-0612-4887A6646091}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\{537D5882-9E91-5C3A-0612-4887A6646091}\Install
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\{537D5882-9E91-5C3A-0612-4887A6646091}\Install\xga-1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\{537D5882-9E91-5C3A-0612-4887A6646091}\Install\xga-1\dat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\{537D5882-9E91-5C3A-0612-4887A6646091}\Install\xga-1\dat@default 516231229:{7F4ECC4E-1512-37A3-94A7-E76B2108AF99}
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX\Current
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX\Current\Install
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{1131059E-AC18-DEA6-A8CE-A1F6C2F75934}
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{1131059E-AC18-DEA6-A8CE-A1F6C2F75934}\Version 3.x
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{1131059E-AC18-DEA6-A8CE-A1F6C2F75934}\Version 3.x@dat 1767914624:{7D89430B-EC65-0414-7A90-5D5289B28F82}
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0x2C 0x6A 0x38 0x13 ...

---- EOF - GMER 1.0.15 ----

DDS (Ver_10-03-17.01) - NTFSx86
Run by World Citizen at 14:33:40.68 on Thu 03/25/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2178 [GMT -7:00]

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Google\Update\\GoogleCrashHandler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
C:\Program Files\Raxco\PerfectDisk10\PDAgent.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\SUPERMICRO\SDIII\NTService.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\Raxco\PerfectDisk10\PDEngine.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Raxco\PerfectDisk10\PDAgentS1.exe
C:\Program Files\Raxco\PerfectDisk10\PerfectDisk.exe
C:\Documents and Settings\World Citizen\Desktop\Defogger.exe
C:\Documents and Settings\World Citizen\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: ContributeBHO Class: {074c1dc5-9320-4a9a-947d-c042949c6216} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\\gears.dll
BHO: {e3215f20-3212-11d6-9f8b-00d0b743919d} - STOPzilla Browser Helper Object
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Contribute Toolbar: {517bdde4-e3a7-4570-b21e-2b52b6139fc7} - c:\program files\adobe\/Adobe Contribute CS4/contributeieplugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
uRun: [PowerPanel Personal Edition User Interaction] "c:\program files\cyberpower powerpanel personal edition\pppeuser.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe"
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Adobe_ID0EYTHM] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~2\server\bin\VERSIO~2.EXE
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Auto EPSON Stylus Photo R200 Series on SUSAN] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p44 "auto epson stylus photo r200 series on susan" /o19 "\\susan\EPSONSUSANs" /M "Stylus Photo R200"
mRun: [\\SUSAN\EPSON Stylus Photo R200 Series] c:\windows\system32\spool\drivers\w32x86\3\e_s4i2h1.exe /p38 "\\susan\EPSON Stylus Photo R200 Series" /O6 "USB003" /M "Stylus Photo R200"
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\supero~1.lnk - c:\program files\supermicro\sdiii\SuperoDoctor.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\\gears.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\leahscape\foxyproxy video utility\FPServiceProvider.dll
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: sutazihoy - {71037744-2715-4313-a473-e9ebadfc1b93} -
STS: {71037744-2715-4313-a473-e9ebadfc1b93}: kupuhivus
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli bokuhine.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\worldc~1\applic~1\mozilla\firefox\profiles\jm0euu9t.default\
FF - component: c:\program files\google\google gears\firefox\lib\ff35\gears.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 adpahci;adpahci;c:\windows\system32\drivers\adpahci.sys [2008-2-23 280064]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-18 207280]
R0 szkg5;szkg5;c:\windows\system32\drivers\SZKG.sys [2009-12-7 61328]
R0 szkgfs;szkgfs;c:\windows\system32\drivers\SZKGFS.sys [2010-1-27 167312]
R1 ISAIONT;ISAIONT;c:\windows\system32\drivers\IsaIoNt.sys [2008-5-4 3853]
R1 MemMapNt;MemMapNt;c:\windows\system32\drivers\memmapnt.sys [2008-5-4 3908]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-8-26 334984]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-8-26 53896]
R1 SMBus;SMBus;c:\windows\system32\drivers\smbus.sys [2008-5-4 10112]
R1 superbmc;superbmc;c:\windows\system32\drivers\SUPERBMC.SYS [2008-2-28 14169]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2010-2-19 112592]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-12-21 186016]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-12-21 177824]
R2 LtvFs;Leitch Altitude File System Driver;c:\windows\system32\drivers\LtvFs.sys [2008-2-24 95456]
R2 LtvService;Leitch Altitude Format Translation Service;c:\windows\system32\LtvService.exe [2008-2-24 45056]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\common files\pc tools\smonitor\StartManSvc.exe [2010-2-19 583640]
R2 SuperMicro Health Assistant;SuperMicro Health Assistant;c:\program files\supermicro\sdiii\NTService.exe [2008-5-4 143360]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2005-12-21 1756912]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-3-13 102448]
R3 HpxDrv;Leitch Altitude Lower Driver;c:\windows\system32\drivers\HpxDrv.sys [2008-2-24 1223872]
R3 LtvAudDrv;Leitch Altitude Audio;c:\windows\system32\drivers\LtvAudDrv.sys [2008-2-24 15552]
R3 LtvDrv;Leitch Altitude Upper Driver;c:\windows\system32\drivers\LtvDrv.sys [2008-2-24 111072]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100314.003\naveng.sys [2010-3-14 84912]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100314.003\navex15.sys [2010-3-14 1324720]
S0 is3srv;is3srv;c:\windows\system32\drivers\is3srv.sys [2009-12-7 61328]
S1 RDR4WAVE;Leitch Altitude Wave Kernel Driver; [x]
S3 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-9-10 611664]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2005-12-21 83616]
S3 DPS Connection Manager;DPS Connection Manager;c:\program files\leitch\atools\Connect.exe [2010-2-12 86016]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\4.tmp --> c:\windows\system32\4.tmp [?]
S3 SandraAgentSrv;SiSoftware Deployment Agent Service;c:\program files\sisoftware\sisoftware sandra lite 2009.sp2\RpcAgentSrv.exe [2009-1-20 98488]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2005-12-21 169200]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2010-2-18 365280]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2010-2-18 1141712]
S4 gupdate1c92ff391f71abe;Google Update Service (gupdate1c92ff391f71abe);c:\program files\google\update\GoogleUpdate.exe [2008-10-16 133104]
S4 LFIL;LFIL;c:\docume~1\worldc~1\locals~1\temp\lfil.exe --> c:\docume~1\worldc~1\locals~1\temp\LFIL.exe [?]
S4 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2010-2-18 233136]
S4 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2010-2-18 70408]

=============== Created Last 30 ================

2010-03-25 21:30:27 0 ----a-w- c:\documents and settings\world citizen\defogger_reenable
2010-03-25 07:22:23 6144 ------w- c:\windows\system32\3.tmp
2010-03-25 07:22:16 6144 ------w- c:\windows\system32\2.tmp
2010-03-25 07:22:07 0 d-----w- c:\program files\Sophos
2010-03-15 23:01:17 3249 ----a-w- c:\windows\system32\wbem\Outlook_01cac4936b979214.mof
2010-03-14 09:01:25 0 d-----w- c:\windows\system32\NtmsData
2010-03-13 23:40:48 87768 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-03-13 23:40:48 108168 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-03-13 23:40:32 0 d-----w- c:\program files\Symantec AntiVirus

==================== Find3M ====================

2010-03-25 21:33:48 860672 ----a-w- c:\windows\system32\drivers\wxyujqw.sys
2010-02-18 18:14:55 46920 ----a-w- c:\windows\system32\drivers\kgpfr2.cfg
2010-02-18 10:16:09 142592 ----a-w- c:\windows\system32\drivers\sp_rsdrv2.sys
2010-02-13 00:47:36 160572 ----a-w- c:\windows\QuickTime DirectShow Filter for WMP Uninstaller.exe
2010-02-05 17:25:38 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2010-02-05 17:17:56 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2010-02-04 19:21:26 17408 ----a-w- c:\windows\system32\SZIO5.dll
2010-02-04 19:18:28 540672 ----a-w- c:\windows\system32\SZComp5.dll
2010-01-27 18:19:32 167312 ----a-r- c:\windows\system32\drivers\SZKGFS.sys
2009-05-15 08:41:23 36868 ----a-w- c:\program files\uninst-Echospace.exe
2009-05-15 08:06:41 7439 ----a-w- c:\program files\mbsuite20.log
2003-11-04 00:07:06 499712 ----a-w- c:\program files\msvcp71.dll
2003-11-04 00:07:06 348160 ----a-w- c:\program files\msvcr71.dll
2003-05-30 16:22:06 344064 ----a-r- c:\program files\msvcr70.dll
2002-01-05 10:40:18 487424 ----a-w- c:\program files\msvcp70.dll
2008-10-04 22:09:33 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008100420081005\index.dat

============= FINISH: 14:34:28.15 ===============

Attached Files

Edited by Orange Blossom, 26 March 2010 - 10:17 PM.

BC AdBot (Login to Remove)


#2 Ltangelic


    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere
  • Local time:03:44 AM

Posted 29 March 2010 - 09:02 PM

Hey Watt Works,

Welcome to Bleepingcomputer! I'm Ltangelic and I'll be helping you fix your computer problem.

Before we proceed, here are some things that you can take note of so that the cleaning up process will be more smooth and efficient. Do not worry, the points below are not any form of rules, it's just a few pointers that can ensure that you will get the best help from me. smile.gif
  • To ensure that you are informed of the latest replies to your thread, you may like to right click on Options at the top right hand corner of this page and select "Subscribe to this forum". That way, you will be notified via email when a reply was posted to your thread.
  • If you have any doubts or uncertainty about any part of my instructions, feel free to post on here and ask me about them.
  • Please do NOT attempt to run any tools or do any fixing on your own unless I tell you to, this will avoid any confusion that can occur during the cleaning process. Furthermore, fixing malware problems without sufficient knowledge can be dangerous at times and you can mess up your own computer without knowing.
  • Please do not PM me for malware removal assistance, any request for malware removal assistance should be posted in this thread only. The only time you can and should PM me is when I have not been replying to you for several days (usually around 4 days) and you need an explanation. If that's the case, just send me a message to me on here. ;)
  • Please do not start multiple topics (especially when you are already being assisted by an authorised staff). All staff are volunteers on here, starting multiple topics will waste the limited resource of manpower we have here at Bleepingcomputer and this can further hinder our ability to assist other users. Please be considerate and stick to one thread.

I'm looking at your log now and will be back with a fix soon. Thanks for your patience and understanding. smile.gif

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.

#3 Ltangelic


    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere
  • Local time:03:44 AM

Posted 30 March 2010 - 10:02 AM

Hey Watt Works,

From your log(s), one or more of the identified infections are Backdoor Trojan and rootkit component. Rootkits and backdoor Trojan are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge. If this computer is used for online commercial means, please do the following IMMEDIATELY!

1) Call all relevant organisations (like banks, credit card companies etc) and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
2) From an uninfected computer, change ALL your online important personal information that you have used on this computer.

Do NOT use the infected computer for any commercial means during this while as the trojan author can still get information from it.

Due to the likelihood that your computer has already been compromised, there can be no guarantee that your computer can ever be secure again. While, it is possible to completely remove the backdoor trojans on your computer, only a reformat can ensure that your computer is completely clean.

If you would like to continue with the fixing, please do the steps below.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

Before we go on to run the tools, it would be advisable to temporarily disable your protection software(s) (Symantec Anti-virus and Spyware Doctor) as it/they may hinder the tools from running. Instructions is in the link below:


1) Run ComboFix

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

2) Run OTS

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • Reg - Shell Spawning
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Under custom scans copy and paste the following
      %ProgramFiles%\Movie Maker\*.dll
      %PROGRAMFILES%\Internet Explorer\*.dll
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\*. /mp /s
      %systemroot%\system32\*.dll /lockedfiles
      %systemroot%\Tasks\*.job /lockedfiles
      c:\$recycle.bin\*.* /s
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post

Next reply (please include in your post):

OTS.txt (attached)

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.

#4 Ltangelic


    Angel Annihilator of Malware

  • Members
  • 348 posts
  • Gender:Female
  • Location:Somewhere
  • Local time:03:44 AM

Posted 04 April 2010 - 05:55 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact me. This applies only to the original topic starter. Everyone else please begin a New Topic.

Bleepingcomputer Malware Response Team

Posted Image

Posted Image

Please do NOT PM anyone with HJT logs, read this and post your logs here.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users