I could use help with this


I got infected by Spyware Guard 2008. I was running Free AVG on my computer (Windows XP SP3); however, it would crash any time I ran a scan, and Malwarebytes would not run either. Finally I was able to boot into safe mode and rename mbam.exe so I could get a scan going. It removed most of the threat. When I booted back into Windows, however, Free AVG would still not scan. I uninstalled it and installed Avast and did a scan. No viruses were found. However, when I open IE I get redirected to spyware pages and ads still pop up. Malwarebytes will still not open unless I rename the exe, but it does not find any threats.

I ran HijackThis and have attached the log. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:03:02 PM, on 1/14/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZuneBusEnum.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\WINDOWS\system32\lxcrcoms.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.utorrent.com/testport.php?port=60459

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: C:\WINDOWS\system32\rwhbfb873unjdfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing)

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"

O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208719345109

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208719501265

O20 - AppInit_DLLs: sweppy.dll

O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing)

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

--

End of file - 7806 bytes
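As an added example (not part of this thread, and not code from HijackThis or Malwarebytes), the script below triages a HijackThis v2 log and flags the entry types that turned out to be the infection in this log: a BHO / SharedTaskScheduler pointing at a missing, random-named DLL, an AppInit_DLLs entry, IE policy restrictions, and a service registered from a Temp folder. The sample log is a constructed subset of the logs posted in this thread; the reason codes and the "random-looking name" threshold are heuristics of my own, not HijackThis rules.

```python
import re
from dataclasses import dataclass, field

# One HijackThis entry: section code (R0, O2, O23, ...), " - ", then the body.
ENTRY = re.compile(r'^(?P<section>[ORFN]\d{1,2}) - (?P<body>.*)$')
# Stem of any PE/driver file name mentioned in the body (NvCpl.dll -> NvCpl).
BINARY = re.compile(r'([A-Za-z0-9_]+)\.(?:dll|exe|sys|ocx)\b', re.I)
# Executables living under a user's Temp folder (long or 8.3 path form).
TEMP_DIR = re.compile(r'\\(?:Temp|LOCALS~1)\\', re.I)

# Constructed subset of the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: C:\WINDOWS\system32\rwhbfb873unjdfdg.dll - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: sweppy.dll
O22 - SharedTaskScheduler: jgzfkj9w38rksndfi7r4 - {C5BF49A2-94F3-42BD-F434-3604812C8955} - C:\WINDOWS\system32\rwhbfb873unjdfdg.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: PYKH - Unknown owner - C:\DOCUME~1\Nick\LOCALS~1\Temp\PYKH.exe (file missing)
"""


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def looks_random(stem: str) -> bool:
    """Heuristic: a long stem mixing letters and digits (rwhbfb873unjdfdg).
    Legitimate binaries in this log (NvCpl, ashDisp, xpsp3res) are short or
    letters-only, so a length floor of 12 keeps them out."""
    return (len(stem) >= 12
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem))


def check_entry(section: str, body: str) -> list:
    """Return the reason codes that apply to one HJT entry (empty = clean)."""
    reasons = []
    if '(file missing)' in body:
        # Orphaned loader entry: the DLL/EXE was deleted but the hook remains.
        reasons.append('file_missing')
    if TEMP_DIR.search(body):
        # Services and Run entries do not belong in a Temp folder.
        reasons.append('temp_path')
    if section == 'O23' and 'Unknown owner' in body:
        reasons.append('unknown_owner')
    if section == 'O20' and body.startswith('AppInit_DLLs:') \
            and body.split(':', 1)[1].strip():
        # Any DLL listed here is injected into every user-mode process.
        reasons.append('appinit_dll')
    if section == 'O6':
        # IE restriction policies are rarely set on a home machine.
        reasons.append('ie_restrictions')
    for stem in BINARY.findall(body):
        if looks_random(stem):
            reasons.append('random_name')
            break
    return reasons


def triage(log_text: str) -> list:
    """Parse an HJT log and return the entries worth a second look, in order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, process list and blank lines are not entries
        reasons = check_entry(m['section'], m['body'])
        if reasons:
            findings.append(Finding(m['section'], raw.strip(), reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {', '.join(f.reasons):40} {f.line[:70]}")
```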

  • Root Admin

Please run the following again and post back new logs.

When replying please click on ADDREPLY and not the REPLY button.

Update and Scan with Malwarebytes' Anti-Malware

  • Start Malwarebytes' Anti-Malware (Vista users must right-click and choose RunAs Admin).
  • Please DO NOT run MBAM in Safe Mode unless requested to; you MUST run it in normal Windows mode.
  • Update Malwarebytes' Anti-Malware:
    • Select the Update tab.
    • Click Update.
  • When the update is complete, select the Scanner tab.
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Then RESTART the computer and AFTER the reboot run HJT: Do a system scan and save a logfile.

Then post back NEW MBAM and HJT logs, in that order, please.


AdvancedSetup,

Thanks for your help. Right now it appears that mbam.exe does not run, and even when I rename it does not run (Unless I'm in safe mode). Is there a way to fix this? If I rename it and run it in safe mode it works but anything that needs to be removed after a reboot fails because on a reboot it tries to run mbam.exe to remove the files but that exe can't be found as it's renamed to myprogram.exe

What can I do to fix this? Thank you for your help. I sincerely appreciate it.

  • Root Admin

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

Then see if MBAM can update and scan.


Sorry to be a pain, but I can't get ComboFix.exe to run either. Other exes work fine; it appears limited to only stopping exes that will help me.

I did open device manager, show hidden devices but I never saw anything called TDDSys or similar. Any other thoughts? Can I run ComboFix in safe mode w/networking?


The Anti-Virus rescue CD seems to have cleaned up some of the mess. I can now run ComboFix and Malwarebytes. I tried to run ComboFix but the file is not running in English, it appears to be German but I could be wrong about that too. I'm not sure why it's not running in English. Other programs appear ok and system settings have English as the language for the system.

I'm going to download the file on another machine and make sure it's English, then transfer it to the bad machine. Also, right now I'm running a full Malwarebytes scan to see if it helps. Once I get the file on there I will post the logs today.

Thank you for your help.


Looks like if I download ComboFix from any of the 3 links you provided I get a non-English version. I can still click through and run it, but I'm afraid the log that's created will not be in English and may not be of help to you. If you think you can still read it I will run it; if not, do you know where I can get an English version?


I was able to run both ComboFix and HijackThis. Logs are below.

ComboFix 09-01-17.04 - Nick 2009-01-18 10:39:36.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1551 [GMT -5:00]

Running from: c:\documents and settings\Nick\Desktop\ComboFix.exe

AV: avast! antivirus 4.8.1296 [VPS 090117-0] *On-access scanning disabled* (Updated)

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Alesha\Local Settings\Temporary Internet Files\fbk.sts

c:\documents and settings\All Users\Application Data\Microsoft\Internet Explorer\DLLs\c.cgm

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\windows\system32\UACfqyiabpn.log

c:\windows\system32\UACjvwqtymx.dat

c:\windows\system32\UACyqbbwnfn.dll

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2008-12-18 to 2009-01-18 )))))))))))))))))))))))))))))))

.

2009-01-14 17:24 . 2009-01-14 17:24 <DIR> d-------- c:\program files\Alwil Software

2009-01-14 17:24 . 2003-03-18 16:20 1,060,864 --a------ c:\windows\system32\MFC71.dll

2009-01-14 17:22 . 2009-01-14 17:22 <DIR> d-------- c:\program files\Trend Micro

2009-01-14 17:06 . 2004-08-03 22:58 14,848 --a------ c:\windows\system32\drivers\kbdhid.sys

2009-01-14 17:06 . 2004-08-03 22:58 14,848 --a--c--- c:\windows\system32\dllcache\kbdhid.sys

2009-01-14 14:19 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys

2009-01-14 14:19 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys

2009-01-14 14:18 . 2009-01-18 08:27 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware

2009-01-11 15:00 . 2009-01-11 15:12 139,296 --ahs---- c:\windows\system32\drivers\fidbox2.dat

2009-01-11 15:00 . 2009-01-11 15:12 2,604 --ahs---- c:\windows\system32\drivers\fidbox2.idx

2009-01-11 15:00 . 2009-01-11 15:12 32 --ahs---- c:\windows\system32\drivers\fidbox.idx

2009-01-11 15:00 . 2009-01-11 15:12 32 --ahs---- c:\windows\system32\drivers\fidbox.dat

2009-01-11 13:36 . 2009-01-11 13:36 <DIR> d-------- c:\documents and settings\Nick\Application Data\Kaspersky_Key_Finder_(KKF

2009-01-11 13:36 . 2009-01-11 15:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-01-11 13:35 . 2009-01-14 16:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8

2009-01-10 14:32 . 2009-01-10 14:32 <DIR> d-------- c:\program files\Common Files\AnswerWorks 5.0

2009-01-10 09:28 . 2009-01-10 09:28 <DIR> d-------- c:\program files\TurboTax

2008-12-29 23:01 . 2009-01-14 17:17 <DIR> d-------- c:\program files\Windows Home Server

2008-12-24 15:51 . 2007-06-20 20:46 266,088 --a------ c:\windows\system32\xactengine2_8.dll

2008-12-24 15:51 . 2007-06-20 20:45 18,280 --a------ c:\windows\system32\x3daudio1_2.dll

2008-12-24 15:42 . 2007-03-12 16:42 3,495,784 --a------ c:\windows\system32\d3dx9_33.dll

2008-12-24 15:42 . 2007-03-12 16:42 1,123,696 --a------ c:\windows\system32\D3DCompiler_33.dll

2008-12-24 15:42 . 2007-03-15 16:57 443,752 --a------ c:\windows\system32\d3dx10_33.dll

2008-12-24 15:42 . 2007-04-04 18:55 261,480 --a------ c:\windows\system32\xactengine2_7.dll

2008-12-24 15:42 . 2007-01-24 15:27 255,848 --a------ c:\windows\system32\xactengine2_6.dll

2008-12-24 12:27 . 2008-12-24 12:27 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Nero

2008-12-24 12:26 . 2009-01-14 16:55 <DIR> d-------- c:\documents and settings\Administrator

2008-12-23 14:57 . 2008-12-23 14:57 <DIR> d-------- c:\program files\Guitar Pro 5

2008-12-22 10:14 . 2008-12-22 10:14 <DIR> d-------- c:\windows\Samsung

2008-12-22 10:14 . 2008-02-23 21:37 479,232 --a------ c:\windows\ssndii.exe

2008-12-22 10:14 . 2008-03-16 20:10 57,344 --a------ c:\windows\system32\ssdevm.dll

2008-12-22 10:14 . 2007-08-13 01:26 49,152 --a------ c:\windows\system32\ssusbpn.dll

2008-12-22 10:14 . 2007-08-13 01:26 44,544 --a------ c:\windows\system32\msxml4a.dll

2008-12-22 10:14 . 2007-08-13 01:26 21,776 --a------ c:\windows\system32\msxml2a.dll

2008-12-22 10:13 . 2007-08-13 04:39 151,552 --a------ c:\windows\system32\cl31cci.exe

2008-12-22 10:13 . 2007-08-13 04:39 65,536 --a------ c:\windows\system32\cl31cci.dll

2008-12-22 10:13 . 2007-08-13 04:39 22,723 --a------ c:\windows\system32\cl31cl3.dll

2008-12-22 10:13 . 2007-08-12 21:47 11,502 --------- c:\windows\Dr. Printer Icon.ico

2008-12-22 10:13 . 2007-08-13 04:39 361 --a------ c:\windows\system32\cl31cl3.smt

2008-12-22 10:12 . 2008-12-22 10:12 <DIR> d-------- c:\windows\system32\drivers\Samsung

2008-12-22 10:11 . 2008-12-22 10:11 <DIR> d-------- c:\program files\Samsung

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-18 13:13 --------- d-----w c:\program files\lx_cats

2009-01-11 20:12 --------- d-----w c:\program files\PeerGuardian2

2009-01-11 20:12 --------- d-----w c:\documents and settings\Nick\Application Data\uTorrent

2009-01-11 00:14 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-10 19:32 --------- d-----w c:\documents and settings\Nick\Application Data\Intuit

2009-01-10 19:31 --------- d-----w c:\program files\Common Files\Intuit

2009-01-10 19:31 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit

2009-01-05 15:42 --------- d-----w c:\documents and settings\Alesha\Application Data\uTorrent

2008-12-23 18:13 --------- d-----w c:\program files\EPSON

2008-12-04 01:29 --------- d-----w c:\program files\Apple Software Update

2008-11-30 19:58 0 ---ha-w c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf

2008-11-30 19:58 0 ---ha-w c:\windows\system32\drivers\Msft_User_ZuneDriver_01_07_00.Wdf

2008-11-30 19:58 0 ---ha-w c:\windows\system32\drivers\Msft_Kernel_WinUSB_01007.Wdf

2008-11-30 19:51 --------- d-----w c:\program files\Zune

2008-11-10 17:23 60,032 ----a-w c:\windows\system32\ZuneBusEnum.exe

2008-11-10 17:23 243,840 ----a-w c:\windows\system32\ZuneWlanCfgSvc.exe

2008-11-10 17:09 73,728 ----a-w c:\windows\system32\ZuneUsbTransport.dll

2008-11-10 17:09 57,344 ----a-w c:\windows\system32\ZuneRegUtil.dll

2008-11-10 17:09 310,272 ----a-w c:\windows\system32\ZuneNetProxy.dll

2008-11-10 17:09 18,944 ----a-w c:\windows\system32\ZuneTcp2Udp.dll

2008-11-10 17:09 145,920 ----a-w c:\windows\system32\ZuneMTPZ.dll

2008-11-10 17:09 12,800 ----a-w c:\windows\system32\ZunePTDNS.dll

2008-11-03 20:59 107,888 ----a-w c:\windows\system32\CmdLineExt.dll

2008-10-22 20:47 6 ----a-w c:\windows\Fonts\wfonts.key

2008-05-25 11:36 22,328 ----a-w c:\documents and settings\Nick\Application Data\PnkBstrK.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]

"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2006-02-24 65536]

"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2008-02-28 570664]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-08 524288]

"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]

"RTHDCPL"="RTHDCPL.EXE" [2006-10-11 c:\windows\RTHDCPL.exe]

"nwiz"="nwiz.exe" [2007-12-05 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=sweppy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Winip40.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-01-11 21:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

--a------ 2006-02-07 00:10 98304 c:\program files\Lexmark 2400 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-06-02 10:13 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]

--a------ 2008-08-22 13:13 2363392 c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]

--a------ 2006-03-06 12:48 286720 c:\program files\Lexmark 2400 Series\lxcrmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-05-27 09:50 413696 c:\program files\QuickTime\QTTask.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-14 111184]

R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-14 20560]

R4 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]

S0 Winip40;Winip40;c:\windows\system32\Drivers\Winip40.sys --> c:\windows\system32\Drivers\Winip40.sys [?]

S3 PYKH;PYKH;c:\docume~1\Nick\LOCALS~1\Temp\PYKH.exe --> c:\docume~1\Nick\LOCALS~1\Temp\PYKH.exe [?]

S4 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys --> c:\windows\system32\Drivers\SSPORT.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2008-05-25 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job

- c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 11:13]

.

- - - - ORPHANS REMOVED - - - -

BHO-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\rwhbfb873unjdfdg.dll

SharedTaskScheduler-{C5BF49A2-94F3-42BD-F434-3604812C8955} - c:\windows\system32\rwhbfb873unjdfdg.dll

MSConfigStartUp-Antivirus - c:\program files\VAV\vav.exe

MSConfigStartUp-Ododivagoxoyiv - c:\windows\Atutulaze.dll

MSConfigStartUp-spywareguard - c:\program files\Spyware Guard 2008\spywareguard.exe

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = hxxp://www.utorrent.com/testport.php?port=60459

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\Nick\Application Data\Mozilla\Firefox\Profiles\2d2531wt.default\

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-18 10:45:26

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1229272821-725345543-1003\Software\SecuROM\License information*]

"datasecu"=hex:d0,c3,0f,8c,11,0c,af,30,dd,bc,2f,88,50,58,11,1d,a0,bb,67,30,1a,

c7,15,c4,53,0c,b5,d8,bf,88,45,35,d0,aa,d0,9f,29,4b,eb,83,d6,2f,59,62,52,6f,\

"rkeysecu"=hex:84,37,6b,d8,a3,7f,e0,d4,e4,5d,a6,9b,82,eb,05,a7

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast4\aswUpdSv.exe

c:\program files\Alwil Software\Avast4\ashServ.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Microsoft IntelliPoint\dpupdchk.exe

c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe

c:\windows\system32\nvsvc32.exe

c:\windows\system32\IoctlSvc.exe

c:\windows\system32\ZuneBusEnum.exe

c:\program files\Zune\ZuneNss.exe

c:\program files\Common Files\Nero\Lib\NMIndexingService.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\lxcrcoms.exe

.

**************************************************************************

.

Completion time: 2009-01-18 10:50:43 - machine was rebooted [Nick]

ComboFix-quarantined-files.txt 2009-01-18 15:50:40

Pre-Run: 65,052,880,896 bytes free

Post-Run: 65,714,819,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(1)partition(1)\WINDOWS

[operating systems]

d:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(1)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

217

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:53:08 AM, on 1/18/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\ZuneBusEnum.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\lxcrcoms.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.utorrent.com/testport.php?port=60459

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"

O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208719345109

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208719501265

O20 - AppInit_DLLs: sweppy.dll

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: PYKH - Unknown owner - C:\DOCUME~1\Nick\LOCALS~1\Temp\PYKH.exe (file missing)

--

End of file - 7191 bytes

  • Root Admin

Well, I'm sorry, but since you have evidence of cracked / pirated software you're using on the system, I have to close this topic now.

HiJack This! Forum Policy

We will not be party to obvious use of key gens, cracks, warez or other illegal means of downloading software, music, videos etc. This means no P2P evidence will be supported. Logs that show these in them will be given the option to remove the P2P items. Keygens, cracks, warez and similar will have the thread closed, period. It's theft and against the law.

If you feel this information is not correct, please send a Private Message to any one of the Moderators and have them review this topic.

This topic is now closed to further replies.