
Active Malware Removals Won't Run

Discussion in 'Malware and Virus Removal Archive' started by otku9, 2009/08/07.

  1. 2009/08/07
    otku9 (Thread Starter, account inactive; joined 2009/08/07; 4 messages; 0 likes received)

    [Active] Malware Removals Won't Run

    I am defeated..

    -Google Redirects
    -Firefox/IE flickering off
    -Random Freezes
    -CHKDSK runs at every boot..
    -All MALWARE removal programs either don't do what they are supposed to or don't run.


    Needing some guidance here. Posting log...ONLY one I can get to work, and that's in safe mode.

    I'm thinking total reload and loss of all my files.




    Malwarebytes' Anti-Malware 1.40
    Database version: 2573
    Windows 5.1.2600 Service Pack 2 (Safe Mode)

    8/7/2009 12:14:22 PM
    mbam-log-2009-08-07 (12-14-17).txt

    Scan type: Quick Scan
    Objects scanned: 94212
    Time elapsed: 2 minute(s), 8 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 1
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)
    Files Infected:
    C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
     
  2. 2009/08/07
    otku9 (Thread Starter, account inactive; joined 2009/08/07; 4 messages; 0 likes received)

    It appears Safe Mode w/o Networking is allowing more progs..I'll have more logs shortly. Normal boot freezes right off the bat.
     


  4. 2009/08/07
    otku9 (Thread Starter, account inactive; joined 2009/08/07; 4 messages; 0 likes received)

    Well thanks to the great responses I've managed to get all my adware progs running. Ran ComboFix.exe, here's an excerpt from the log (affected PC has no net atm)

    Driver/Services

    -----\Legacy_TDSSserv
    -----\Service_TDSSserv
    -----\Service_UACd.sys

    HALP!
     
  5. 2009/08/07
    otku9 (Thread Starter, account inactive; joined 2009/08/07; 4 messages; 0 likes received)

    Think I have it all fixed. Here's the ComboFix and HJT logs. Please verify for me. Thanks :D

    ComboFix 09-08-07.01 - Grr 08/07/2009 15:59.5.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1557 [GMT -5:00]
    Running from: c:\documents and settings\Grr\Desktop\sex****.exe
    .

    ((((((((((((((((((((((((( Files Created from 2009-07-07 to 2009-08-07 )))))))))))))))))))))))))))))))
    .

    2009-08-07 19:56 . 2009-08-07 20:06 -------- d-s---w- C:\ComboFix
    2009-08-07 19:12 . 2009-08-07 20:56 117760 ----a-w- c:\documents and settings\Grr\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2009-08-07 19:12 . 2009-08-07 19:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2009-08-07 19:12 . 2009-08-07 19:12 65024 ----a-r- c:\documents and settings\Grr\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    2009-08-07 19:12 . 2009-08-07 19:12 18944 ----a-r- c:\documents and settings\Grr\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    2009-08-07 19:12 . 2009-08-07 19:12 -------- d-----w- c:\program files\SUPERAntiSpyware
    2009-08-07 19:12 . 2009-08-07 19:12 -------- d-----w- c:\documents and settings\Grr\Application Data\SUPERAntiSpyware.com
    2009-08-07 18:58 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe
    2009-08-07 17:01 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
    2009-08-07 17:00 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe
    2009-08-07 17:00 . 2009-08-07 17:00 -------- d-----w- c:\program files\Lavasoft
    2009-08-07 16:09 . 2009-08-07 16:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2009-08-07 15:36 . 2009-08-07 17:00 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
    2009-08-07 15:24 . 2009-08-07 15:24 -------- d-----w- c:\documents and settings\Administrator\Application Data\vlc
    2009-08-07 13:58 . 2009-08-07 15:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2009-08-07 13:58 . 2009-08-07 15:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-08-07 00:52 . 2009-08-07 00:52 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2009-08-07 00:31 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-07 00:31 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-07 00:31 . 2009-08-07 00:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-06 16:03 . 2009-08-07 01:10 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2009-07-28 04:11 . 2009-07-28 04:11 -------- d-----w- c:\documents and settings\Grr\Local Settings\Application Data\World in Conflict - DEMO
    2009-07-26 15:11 . 2009-07-26 15:11 -------- d-----w- c:\documents and settings\Grr\Local Settings\Application Data\Gas Powered Games
    2009-07-26 15:06 . 2009-07-26 15:06 -------- d-----w- c:\documents and settings\All Users\Application Data\Media Center Programs
    2009-07-25 21:45 . 2009-07-25 21:45 -------- d-----w- c:\program files\MSBuild
    2009-07-25 21:45 . 2009-07-25 21:45 105768 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
    2009-07-25 21:44 . 2009-07-25 21:44 -------- d-----w- c:\windows\system32\XPSViewer
    2009-07-25 21:44 . 2009-07-25 21:44 -------- d-----w- c:\program files\Reference Assemblies
    2009-07-25 21:44 . 2009-07-25 21:44 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
    2009-07-25 21:44 . 2009-07-25 21:44 -------- d-----w- c:\windows\system32\xlive
    2009-07-25 21:43 . 2008-07-31 15:41 238088 ----a-w- c:\windows\system32\xactengine3_2.dll
    2009-07-25 21:43 . 2008-07-31 15:41 68616 ----a-w- c:\windows\system32\XAPOFX1_1.dll
    2009-07-25 21:43 . 2008-07-31 15:40 509448 ----a-w- c:\windows\system32\XAudio2_2.dll
    2009-07-25 21:43 . 2008-07-12 13:18 467984 ----a-w- c:\windows\system32\d3dx10_39.dll
    2009-07-25 21:43 . 2008-07-12 13:18 3851784 ----a-w- c:\windows\system32\D3DX9_39.dll
    2009-07-25 21:43 . 2008-07-12 13:18 1493528 ----a-w- c:\windows\system32\D3DCompiler_39.dll
    2009-07-17 22:13 . 2009-08-04 00:13 -------- d-----w- c:\documents and settings\Grr\Local Settings\Application Data\Temp
    2009-07-14 22:17 . 2009-07-14 22:17 15308440 ----a-w- c:\windows\system32\xlive.dll
    2009-07-14 22:17 . 2009-07-14 22:17 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
    2009-07-10 08:44 . 2009-07-10 08:44 -------- d-----w- c:\program files\CPUID
    2009-07-10 08:44 . 2009-03-27 06:16 12672 ----a-w- c:\windows\system32\drivers\cpuz132_x32.sys
    2009-07-10 08:08 . 2008-07-08 05:45 4984 ----a-w- c:\windows\system32\drivers\nvphy.bin
    2009-07-10 08:08 . 2008-07-29 17:33 446464 ----a-w- c:\windows\system32\nvunrm.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-07 17:00 . 2008-09-02 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
    2009-08-07 13:13 . 2008-04-16 02:18 -------- d-----w- c:\program files\Verizon Wireless
    2009-08-07 13:12 . 2007-12-26 01:06 -------- d-----w- c:\program files\Opera
    2009-08-07 13:10 . 2007-08-19 15:51 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-08-07 13:10 . 2007-08-19 15:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
    2009-08-07 13:09 . 2007-08-17 04:03 -------- d-----w- c:\documents and settings\Grr\Application Data\IGN_DLM
    2009-08-07 13:09 . 2007-08-17 04:03 -------- d-----w- c:\program files\IGN
    2009-08-07 13:05 . 2007-08-17 04:30 -------- d-----w- c:\program files\Google
    2009-08-07 13:04 . 2008-08-12 22:56 -------- d-----w- c:\program files\BroadJump
    2009-08-07 13:03 . 2008-09-19 01:36 -------- d-----w- c:\program files\Bonjour
    2009-08-06 16:08 . 2007-08-17 04:00 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
    2009-08-06 13:41 . 2008-07-12 07:42 -------- d-----w- c:\documents and settings\Grr\Application Data\uTorrent
    2009-07-30 20:54 . 2007-08-17 02:12 18240 ----a-w- c:\documents and settings\Grr\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-07-28 04:09 . 2007-08-17 03:02 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-10 08:17 . 2007-08-18 05:51 -------- d-----w- c:\program files\NVIDIA Corporation
    2009-07-03 08:42 . 2009-07-03 08:42 -------- d-----w- c:\documents and settings\Grr\Application Data\Remobo
    2009-06-21 13:46 . 2007-08-17 12:44 485920 ----a-w- c:\windows\system32\NVUNINST.EXE
    2009-06-11 22:24 . 2009-06-11 22:24 -------- d-----w- c:\documents and settings\Grr\Application Data\vlc
    2009-06-11 12:01 . 2009-05-07 05:35 -------- d-----w- c:\documents and settings\Grr\Application Data\Download Manager
    2009-06-11 11:50 . 2009-06-11 11:50 -------- d-----w- c:\program files\QWD1
    2009-06-11 10:41 . 2007-08-23 08:47 -------- d-----w- c:\documents and settings\Grr\Application Data\Bioshock
    2009-06-11 10:27 . 2009-06-11 10:27 8 ----a-w- c:\windows\system32\nvModes.dat
    2009-06-11 10:26 . 2009-06-11 10:26 -------- d-----w- c:\documents and settings\All Users\Application Data\nView_Profiles
    2009-06-11 10:17 . 2007-08-17 03:02 -------- d-----w- c:\program files\ATI Technologies
    2009-06-11 10:14 . 2007-10-13 09:55 -------- d-----w- c:\program files\AGEIA Technologies
    2009-06-10 13:28 . 2009-06-10 13:28 3510272 ----a-w- c:\windows\system32\nvgames.dll
    2009-06-10 13:28 . 2009-06-10 13:28 4022272 ----a-w- c:\windows\system32\nvdisps.dll
    2009-06-10 13:28 . 2009-06-10 13:28 86016 ----a-w- c:\windows\system32\nvmctray.dll
    2009-06-10 13:28 . 2009-06-10 13:28 168004 ----a-w- c:\windows\system32\nvsvc32.exe
    2009-06-10 13:28 . 2009-06-10 13:28 143360 ----a-w- c:\windows\system32\nvcolor.exe
    2009-06-10 13:28 . 2009-06-10 13:28 13758464 ----a-w- c:\windows\system32\nvcpl.dll
    2009-06-10 13:28 . 2009-06-10 13:28 229376 ----a-w- c:\windows\system32\nvmccs.dll
    2009-06-10 11:03 . 2009-06-11 10:14 457248 ----a-w- c:\windows\system32\nvudisp.exe
    2009-06-10 11:03 . 2009-05-01 03:02 9998336 ----a-w- c:\windows\system32\nvoglnt.dll
    2009-06-10 11:03 . 2009-05-01 03:02 815104 ----a-w- c:\windows\system32\nvapi.dll
    2009-06-10 11:03 . 2009-05-01 03:02 671744 ----a-w- c:\windows\system32\nvcuvid.dll
    2009-06-10 11:03 . 2009-05-01 03:02 1720320 ----a-w- c:\windows\system32\nvcuda.dll
    2009-06-10 11:03 . 2009-05-01 03:02 1580550 ----a-w- c:\windows\system32\nvdata.bin
    2009-06-10 11:03 . 2009-05-01 03:02 151552 ----a-w- c:\windows\system32\nvcodins.dll
    2009-06-10 11:03 . 2009-05-01 03:02 151552 ----a-w- c:\windows\system32\nvcod.dll
    2009-06-10 11:03 . 2009-05-01 03:02 1310720 ----a-w- c:\windows\system32\nvcuvenc.dll
    2009-06-10 11:03 . 2007-08-17 01:35 8087712 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
    2009-06-10 11:03 . 2007-08-17 01:35 5908608 ----a-w- c:\windows\system32\nv4_disp.dll
    2009-05-14 22:10 . 2009-05-14 22:10 390664 ----a-w- c:\documents and settings\Grr\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
    2003-12-18 16:33 . 2007-09-28 09:31 20102 ----a-w- c:\program files\Readme.txt
    2003-09-03 12:46 . 2007-09-28 09:31 10960 ----a-w- c:\program files\EULA.txt
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-08-07_19.06.11 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-07 20:56 . 2009-08-07 20:56 16384 c:\windows\temp\Perflib_Perfdata_654.dat
    + 2009-08-07 20:49 . 2009-08-07 20:49 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
    - 2009-08-07 19:03 . 2009-08-07 19:03 8192 c:\windows\ERDNT\subs\Users\00000004\UsrClass.dat
    - 2009-08-07 19:03 . 2009-08-07 19:03 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
    + 2009-08-07 20:49 . 2009-08-07 20:49 8192 c:\windows\ERDNT\subs\Users\00000002\UsrClass.dat
    + 2009-08-07 20:49 . 2009-08-07 20:49 815104 c:\windows\ERDNT\subs\Users\00000003\NTUSER.DAT
    + 2009-08-07 20:49 . 2009-08-07 20:49 233472 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
    - 2009-08-07 19:03 . 2009-08-07 19:03 233472 c:\windows\ERDNT\subs\Users\00000001\NTUSER.DAT
    + 2009-08-07 19:12 . 2009-08-07 19:12 1516544 c:\windows\Installer\70aed.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Yahoo! Pager "= "1" [X]
    "NVIDIA nTune "= "c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 81920]
    "SpybotSD TeaTimer "= "c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    "SUPERAntiSpyware "= "c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-08-05 1830128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UpdReg "= "c:\windows\UpdReg.EXE" [2000-05-11 90112]
    "Launch LCDMon "= "c:\program files\Common Files\Logitech\LCD Manager\lcdmon.exe" [2007-04-26 774168]
    "Launch LGDCore "= "c:\program files\Common Files\Logitech\G-series Software\LGDCore.exe" [2007-04-26 1132056]
    "Motive SmartBridge "= "c:\progra~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2005-08-24 442455]
    "QuickTime Task "= "c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
    "iTunesHelper "= "c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]
    "SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
    "NvMediaCenter "= "c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]
    "NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
    "Kernel and Hardware Abstraction Layer "= "KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]
    "CTHelper "= "CTHELPER.EXE" - c:\windows\system32\CtHelper.exe [2008-02-21 19456]
    "CTxfiHlp "= "CTXFIHLP.EXE" - c:\windows\system32\Ctxfihlp.exe [2008-10-08 23552]
    "nwiz "= "nwiz.exe" - c:\windows\system32\nwiz.exe [2009-06-10 1657376]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-8-17 692224]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 17:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=" "

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "c:\\Games\\Steam\\Steam.exe "=
    "e:\\FEAR\\FEAR.exe "=
    "e:\\FEAR\\FEARMP.exe "=
    "e:\\Games\\Unreal Tournament 3\\Binaries\\UT3.exe "=
    "e:\\Games\\Call of Duty 4\\iw3mp.exe "=
    "c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe "=
    "c:\\Program Files\\uTorrent\\uTorrent.exe "=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "c:\\Program Files\\iTunes\\iTunes.exe "=
    "c:\\Program Files\\Messenger\\msmsgs.exe "=
    "c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe "=
    "e:\\Crysis\\Bin32\\Crysis.exe "=
    "e:\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
    "c:\\Games\\Steam\\steamapps\\common\\stalker shadow of chernobyl\\bin\\XR_3DA.exe "=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe "=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe "=
    "c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe "=
    "c:\\Documents and Settings\\Grr\\Local Settings\\Application Data\\Kamuse\\KCSTrayDownloader\\KCSTrayDownloaderEngine.exe "=
    "e:\\Games\\World in Conflict - DEMO\\wic.exe "=
    "c:\\Games\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe "=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP "= 3389:TCP:mad:xpsp2res.dll,-22009

    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/7/2009 12:01 PM 64160]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [8/5/2009 4:06 PM 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [8/5/2009 4:06 PM 74480]
    R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 9:49 AM 1029456]
    R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 171032]
    R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]
    R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 72728]
    R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [8/5/2009 4:06 PM 7408]
    S2 dscpand;dscpand;c:\windows\system32\drivers\nkjh.sys --> c:\windows\system32\drivers\nkjh.sys [?]
    S2 yzsfoxqq;yzsfoxqq;c:\windows\system32\drivers\kdijrtg.sys --> c:\windows\system32\drivers\kdijrtg.sys [?]
    S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [1/8/2008 8:36 PM 16512]
    S3 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [7/10/2009 3:44 AM 12672]
    S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [4/12/2009 11:54 AM 79360]
    S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [10/8/2008 1:21 AM 171032]
    S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [10/8/2008 1:21 AM 1324056]
    S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [10/8/2008 1:21 AM 72728]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys --> c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [?]
    S3 hipeer20;Remobo Instant Private Network;c:\windows\system32\drivers\remobo32.sys [4/22/2009 9:21 AM 26112]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
    - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

    2009-08-03 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.bing.com/
    uInternet Settings,ProxyOverride = 127.0.0.1;*.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    LSP: %SYSTEMROOT%\system32\nvLsp.dll
    Trusted Zone: knowledgespring.com\my
    DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-07 16:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    CTxfiHlp = CTXFIHLP.EXE?

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-725345543-583907252-2147061141-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "?? "=hex:a9,11,c6,43,a4,81,46,7b,f4,26,e5,cb,d9,ea,66,b2,25,23,d2,84,ca,a4,fd,
    79,2a,f5,bf,c4,87,60,0a,18,41,8d,7f,94,8e,8a,14,d5,73,9c,4e,d3,5a,63,dc,a2,\
    "?? "=hex:94,a6,02,25,44,bd,80,a0,37,f7,dd,ae,e1,c6,4d,03

    [HKEY_USERS\S-1-5-21-725345543-583907252-2147061141-1004\Software\SecuROM\License information*]
    "datasecu "=hex:08,22,f1,61,83,97,dc,cd,47,e1,c1,58,6f,dd,a4,6d,aa,34,43,c6,9f,
    bb,28,7a,70,28,c0,37,58,dd,24,85,c5,cd,61,73,ae,fa,ff,c0,91,11,c4,9f,9a,34,\
    "rkeysecu "=hex:fc,c0,7e,17,05,7d,fc,b5,1a,af,54,29,89,3b,60,32
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(620)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll

    - - - - - - - > 'lsass.exe'(676)
    c:\windows\system32\nvLsp.dll

    - - - - - - - > 'explorer.exe'(1208)
    c:\progra~1\SBCSEL~1\SMARTB~1\SBHook.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\progra~1\WINDOW~3\wmpband.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2009-08-07 16:04
    ComboFix-quarantined-files.txt 2009-08-07 21:04
    ComboFix2.txt 2009-08-07 20:54
    ComboFix3.txt 2009-08-07 20:06
    ComboFix4.txt 2009-08-07 19:10

    Pre-Run: 21,977,792,512 bytes free
    Post-Run: 21,928,206,336 bytes free

    257 --- E O F --- 2008-12-20 03:04



    ========================




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:12:09 PM, on 8/7/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe
    C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Grr\Desktop\petergriffon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bing.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program Files\Common Files\Logitech\LCD Manager\lcdmon.exe "
    O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program Files\Common Files\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nvlsp.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1187311614533
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
    O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
    O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

    --
    End of file - 8465 bytes
     
  6. 2009/08/07
    broni (Moderator, Malware Analyst; joined 2002/08/01; 21,701 messages; 116 likes received)

    I'd like to see the 1st ComboFix log to check what was removed. In the C: folder, you should see two ComboFix logs.
     
