
Inactive [InActive] c:\windows\system32\drivers\service.exe + System Shutdown error

Discussion in 'Malware and Virus Removal Archive' started by mrkool, 2008/11/04.

  1. 2008/11/04
    mrkool

    mrkool Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    6
    Likes Received:
    0
    Hi everyone,

    I have a virus / trojan which I thought was similar to this user's:

    http://www.windowsbbs.com/malware-v...manager-system-restore-has-been-disabled.html

    I followed the instructions you guys gave them, i.e. I ran Spybot, Ad-Aware, SDFix, HJT and SilentRunners. These programs fixed some of the original problems, but I have new ones.

    When I log into my computer, the error message "Cannot find c:\windows\system32\drivers\service.exe" always appears. After a few minutes the System Shutdown window appears and I have to change the date in order to use my computer for longer. Occasionally the Task Manager becomes disabled. Sometimes the computer won't let me paste text.

    When I ran Hijackthis the first time, I deleted this line:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    as per the thread's helpful instructions.


    This is my current Hijackthis.log:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:09:56 PM, on 11/3/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\SiSAudUt.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\hms.exe
    C:\WINDOWS\SYSTEM32\winmine.exe
    C:\WINDOWS\SYSTEM32\notepad.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\service.exe
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\System32\SiSAudUt.exe -wdm
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1400W STD] C:\WINDOWS\System32\MSTMON_Y.EXE STARTUP
    O4 - HKCU\..\Run: [inloader] C:\WINDOWS\System32\inloader.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [test] C:\WINDOWS\System32\test.exe
    O4 - HKCU\..\Run: [shell32] C:\WINDOWS\System32\shell32.exe
    O4 - HKCU\..\Run: [imzw] C:\PROGRA~1\COMMON~1\imzw\imzwm.exe
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199586432577
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter: text/html - {06A57921-509D-4DAE-B3E9-A63AA2E762FC} - C:\Documents and Settings\TV\Local Settings\Application Data\microsoft\internet explorer\V0.39.dat
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - LxrSII1s.exe (file missing)
    O23 - Service: MySql - Unknown owner - C:/Program Files/MySQL4/bin/mysqld-nt.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe


    Can anybody please help me? I realise many Americans may be busy/excited, whatever, at this current time. Thanks for any help.
     
  2. 2008/11/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS mrkool :)

    You are using an outdated version of HijackThis. Let's run another tool that will both update your version and give us a bit more detailed information at the same time.

    • Download RSIT by random/random and save it to your desktop.
    • Double click RSIT.exe to start the tool.
    • At the disclaimer, please use the drop down box to select 3 months for the file/folder search, then click Continue.
    • When the scan completes it will open a log named log.txt maximized, and a log named info.txt minimized.
    • Please post the contents of log.txt here in your next reply.
     

  4. 2008/11/06
    mrkool

    mrkool Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    6
    Likes Received:
    0
    Hi thanks for your reply,

    This is my new HijackThis log:

    Logfile of random's system information tool 1.04 (written by random/random)
    Run by TV at 2008-11-06 21:26:49
    Microsoft Windows XP Professional
    System drive C: has 10 GB (27%) free of 38 GB
    Total RAM: 224 MB (11% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:27:01 PM, on 11/6/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\SiSAudUt.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
    C:\Documents and Settings\TV\Desktop\RSIT.exe
    C:\Program Files\trend micro\TV.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    F2 - REG:system.ini: Shell=Explorer.exe %WINDIR%\system32\drivers\service.exe
    F2 - REG:system.ini: UserInit=userinit.exe
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\System32\SiSAudUt.exe -wdm
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1400W STD] C:\WINDOWS\System32\MSTMON_Y.EXE STARTUP
    O4 - HKCU\..\Run: [inloader] C:\WINDOWS\System32\inloader.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [test] C:\WINDOWS\System32\test.exe
    O4 - HKCU\..\Run: [shell32] C:\WINDOWS\System32\shell32.exe
    O4 - HKCU\..\Run: [imzw] C:\PROGRA~1\COMMON~1\imzw\imzwm.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] (User 'Default user')
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199586432577
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Filter hijack: text/html - {06A57921-509D-4DAE-B3E9-A63AA2E762FC} - C:\Documents and Settings\TV\Local Settings\Application Data\microsoft\internet explorer\V0.39.dat
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - LxrSII1s.exe (file missing)
    O23 - Service: MySql - Unknown owner - C:/Program Files/MySQL4/bin/mysqld-nt.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

    --
    End of file - 4697 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\Tune-up Application Start.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2001-08-23 843804]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "IntelliType"=C:\Program Files\Microsoft Hardware\Keyboard\type32.exe [2002-03-22 102400]
    "POINTER"=point32.exe []
    "NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 163840]
    "SiS7012Utility"=C:\WINDOWS\System32\SiSAudUt.exe [2001-11-21 303104]
    "WMC_AutoUpdate"= []
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]
    "QuickTime Task"=C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe [2007-10-19 294912]
    "KONICA MINOLTA PagePro 1400W STD"=C:\WINDOWS\System32\MSTMON_Y.EXE [2006-01-18 192512]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "inloader"=C:\WINDOWS\System32\inloader.exe []
    "msnmsgr"=C:\Program Files\MSN Messenger\msnmsgr.exe [2007-01-19 5674352]
    "test"=C:\WINDOWS\System32\test.exe []
    "shell32"=C:\WINDOWS\System32\shell32.exe []
    "imzw"=C:\PROGRA~1\COMMON~1\imzw\imzwm.exe []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\System32\upnpui.dll [2001-08-23 231424]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=145

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "\??\C:\WINDOWS\system32\winlogon.exe"="\??\C:\WINDOWS\system32\winlogon.exe:*:enabled:@shell32.dll,-1"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    ======List of files/folders created in the last 3 months======

    2008-11-06 21:26:49 ----D---- C:\rsit
    2008-11-06 21:26:49 ----D---- C:\Program Files\trend micro
    2008-11-04 20:52:48 ----A---- C:\WINDOWS\System32\hms.exe
    2008-11-04 20:43:15 ----A---- C:\WINDOWS\System32\gfi.exe
    2008-11-04 20:15:14 ----A---- C:\WINDOWS\System32\agb.exe
    2008-11-04 20:14:51 ----A---- C:\WINDOWS\System32\dqo.exe
    2008-11-04 18:53:10 ----SHD---- C:\FOUND.001
    2008-11-01 23:27:28 ----A---- C:\j4c8t8b5l3a6.exe
    2008-11-01 01:30:29 ----D---- C:\Program Files\Hijackthis
    2008-10-31 23:28:20 ----A---- C:\WINDOWS\System32\bxn.exe
    2008-10-30 22:53:49 ----D---- C:\Program Files\Lavasoft
    2008-10-30 22:53:48 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-30 22:38:29 ----A---- C:\WINDOWS\System32\hlr.exe
    2008-10-30 18:36:54 ----D---- C:\WINDOWS\ERUNT
    2008-10-30 18:35:07 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-10-30 18:07:26 ----A---- C:\z6k9s7g8x1n9.exe
    2008-10-27 20:03:01 ----A---- C:\WINDOWS\System32\jbs.exe
    2008-10-27 19:43:00 ----A---- C:\5e2q6u2f9.exe
    2008-10-27 19:39:40 ----A---- C:\WINDOWS\System32\zpm.exe
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MUINST_Y.EXE
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MTAG32_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MSTMON_Y.EXE
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MSTMON_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MSPOOL_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MLMON__Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MIMF32_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MICM___Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MGDI32_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MCOINS_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MCMM___Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\MSUMLT_Y.INI
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\MSTMON_Y.INI
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\MREADM_Y.TXT
    2008-09-15 19:15:26 ----D---- C:\Program Files\uTorrent
    2008-09-15 19:15:18 ----D---- C:\Documents and Settings\TV\Application Data\uTorrent
    2008-08-10 16:51:37 ----SHD---- C:\WINDOWS\ftpcache

    ======List of files/folders modified in the last 3 months======

    2008-11-06 20:59:10 ----A---- C:\WINDOWS\SchedLog.Txt
    2008-11-04 20:53:12 ----A---- C:\WINDOWS\System32\ftp.exe
    2008-11-01 01:35:08 ----A---- C:\WINDOWS\System32\sfc_os.dll
    2008-10-30 23:01:42 ----A---- C:\WINDOWS\CLASSICZAP.INI
    2008-10-30 22:51:44 ----A---- C:\WINDOWS\WORDZAP.INI
    2008-10-09 21:08:00 ----A---- C:\WINDOWS\CDPlayer.ini
    2008-08-31 21:00:24 ----A---- C:\WINDOWS\win.ini

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 StarOpen;StarOpen; C:\WINDOWS\System32\drivers\StarOpen.sys [2006-07-24 5632]
    R2 LxrSII1d;Secure II Driver; \??\C:\WINDOWS\System32\Drivers\LxrSII1d.sys []
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
    R3 IPFilter;Microsoft IntelliPoint Features driver; C:\WINDOWS\System32\DRIVERS\IPFilter.sys [2002-04-12 11136]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-02-06 177792]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM); C:\WINDOWS\system32\drivers\sis7012.sys [2001-11-27 165760]
    R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2001-08-17 31232]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2001-08-23 50688]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2001-08-23 15616]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2001-08-17 13952]
    S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2001-08-23 53376]
    S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2001-08-23 53376]
    S3 catchme;catchme; \??\C:\DOCUME~1\TV\LOCALS~1\Temp\catchme.sys []
    S3 NETMDUSB;Net MD; C:\WINDOWS\System32\Drivers\NETMDUSB.sys [2002-08-08 38951]
    S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
    S3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver; C:\WINDOWS\System32\DRIVERS\Bel6001.sys [2003-07-11 168448]
    S3 SiS300i;SiS300i; C:\WINDOWS\System32\DRIVERS\sis300ip.sys [2001-08-17 101760]
    S3 SjyPkt;SjyPkt; \??\C:\WINDOWS\System32\Drivers\SjyPkt.sys []
    S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\System32\DRIVERS\ss_bus.sys [2005-08-30 58320]
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\System32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2001-08-17 24832]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2001-08-17 13824]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2001-08-17 21760]
    S4 IntelIde;IntelIde; C:\WINDOWS\System32\drivers\IntelIde.sys []
    S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2001-08-23 70400]
    S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-05-12 611664]
    R2 MDM;Machine Debug Manager; c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-03-19 344064]
    S2 LxrSII1s;Lexar Secure II; LxrSII1s.exe []
    S2 MySql;MySql; C:/Program Files/MySQL4/bin/mysqld-nt.exe []
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 77824]
    S3 SPTISRV;Sony SPTI Service; C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe [2002-07-23 73728]
    S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 46080]
    S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

    -----------------EOF-----------------
     
  5. 2008/11/06
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click ComboFix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new RSIT log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    I'll check on your progress this evening.
     
  6. 2008/11/07
    mrkool

    mrkool Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    6
    Likes Received:
    0
    OK, this is my ComboFix log:

    ComboFix 08-11-07.01 - TV 2008-11-08 11:14:47.1 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.109 [GMT 10:00]
    Running from: c:\documents and settings\TV\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\TV\Cookies\MM2048.DAT
    c:\documents and settings\TV\Cookies\MM256.DAT
    c:\program files\Common Files\misc001
    c:\windows\Downloaded Program Files\temp
    c:\windows\Downloaded Program Files\UWFX5_0001_N57M2811NetInstaller.exe
    c:\windows\start.exe
    c:\windows\system32\Cache
    c:\windows\system32\instsrv.exe
    c:\windows\system32\Microsoft\backup.ftp
    c:\windows\Web\default.htt

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
    .

    2008-11-06 21:26 . 2008-11-06 21:26 <DIR> d-------- C:\rsit
    2008-11-06 21:26 . 2008-11-06 21:26 <DIR> d-------- c:\program files\trend micro
    2008-11-04 20:52 . 2008-11-04 20:53 166,912 --a------ c:\windows\SYSTEM32\hms.exe
    2008-11-04 20:43 . 2008-11-04 20:43 174,080 --a------ c:\windows\SYSTEM32\gfi.exe
    2008-11-04 20:15 . 2008-11-03 20:15 166,912 --a------ c:\windows\SYSTEM32\agb.exe
    2008-11-04 20:14 . 2008-11-04 20:15 166,912 --a------ c:\windows\SYSTEM32\dqo.exe
    2008-11-04 18:53 . 2008-11-04 18:53 <DIR> d--hs---- C:\FOUND.001
    2008-11-01 23:27 . 2008-11-04 17:48 174,080 --a------ C:\j4c8t8b5l3a6.exe
    2008-10-31 23:28 . 2008-10-31 23:28 169,472 --a------ c:\windows\SYSTEM32\bxn.exe
    2008-10-30 22:53 . 2008-10-30 22:53 <DIR> d-------- c:\program files\Lavasoft
    2008-10-30 22:53 . 2008-10-30 22:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-10-30 22:38 . 2008-10-30 22:38 417,792 --a------ c:\windows\SYSTEM32\hlr.exe
    2008-10-30 18:36 . 2008-10-30 18:36 <DIR> d-------- c:\windows\ERUNT
    2008-10-30 18:36 . 2001-08-18 12:00 1,688 --a------ c:\windows\SYSTEM32\AUTOEXEC.NT
    2008-10-30 18:07 . 2008-10-30 18:25 84,992 --a------ C:\z6k9s7g8x1n9.exe
    2008-10-27 20:03 . 2008-10-27 20:03 84,992 --a------ c:\windows\SYSTEM32\jbs.exe
    2008-10-27 19:43 . 2008-10-26 20:04 69,632 --a------ C:\5e2q6u2f9.exe
    2008-10-27 19:39 . 2008-10-27 19:40 169,472 --a------ c:\windows\SYSTEM32\zpm.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-04 10:53 47,616 ----a-w c:\windows\SYSTEM32\ftp.exe
    2008-11-04 10:53 47,616 ----a-w c:\windows\SYSTEM32\dllcache\ftp.exe
    2008-10-31 15:35 132,608 ----a-w c:\windows\SYSTEM32\sfc_os.dll
    2008-09-15 09:15 --------- d-----w c:\program files\uTorrent
    2008-09-15 09:15 --------- d-----w c:\documents and settings\TV\Application Data\uTorrent
    2008-03-18 08:57 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2005-09-04 10:59 18,792 ----a-w c:\documents and settings\TV\Application Data\GDIPFONTCACHEV1.DAT
    2004-09-15 13:00 30,208 --sha-w c:\program files\Thumbs.db
    2004-05-03 06:52 0 ---ha-w c:\program files\Default.rdp
    2003-03-06 09:50 266 --sh--w c:\program files\desktop.ini
    2003-03-06 09:50 11,079 ---h--w c:\program files\folder.htt
    2001-08-23 12:00 158,720 --sh--r c:\windows\SYSTEM32\vxnuoamvfiu.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @="{7D688A77-C613-11D0-999B-00C04FD655E1}"
    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2001-08-23 22:00 8322560 --a------ c:\windows\SYSTEM32\SHELL32.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 102400]
    "NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 163840]
    "SiS7012Utility"="c:\windows\System32\SiSAudUt.exe" [2001-11-21 303104]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-10-19 294912]
    "KONICA MINOLTA PagePro 1400W STD"="c:\windows\System32\MSTMON_Y.EXE" [2006-01-18 192512]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.3iv2"=3ivxVfWCodec.dll
    "msacm.divxa32"=divxa32.acm
    "VIDC.HFYU"=huffyuv.dll
    "VIDC.VP31"=vp31vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    R2 LxrSII1d;Secure II Driver;c:\windows\System32\Drivers\LxrSII1d.sys [2005-05-19 70016]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\System32\drivers\sis7012.sys [2001-11-27 165760]
    S3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver;c:\windows\System32\DRIVERS\Bel6001.sys [2003-07-11 168448]
    S3 SjyPkt;SjyPkt;c:\windows\System32\Drivers\SjyPkt.sys [ ]
    S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);c:\windows\System32\DRIVERS\ss_bus.sys [2005-08-30 58320]
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\System32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\System32\DRIVERS\ss_mdm.sys [2005-08-30 94000]

    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-inloader - c:\windows\System32\inloader.exe
    HKCU-Run-test - c:\windows\System32\test.exe
    HKCU-Run-shell32 - c:\windows\System32\shell32.exe
    HKCU-Run-imzw - c:\progra~1\COMMON~1\imzw\imzwm.exe
    HKLM-Run-POINTER - point32.exe
    HKLM-Run-WMC_AutoUpdate - (no file)
    HKU-Default-RunOnce-RunNarrator - (no file)


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\TV\Application Data\Mozilla\Firefox\Profiles\xmieurl6.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.goodsearch.com/default.aspx
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-08 11:16:11
    Windows 5.1.2600 FAT NTAPI

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySql]
    "ImagePath"="C:/Program Files/MySQL4/bin/mysqld-nt.exe"

    [HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MySql]
    "ImagePath"="C:/Program Files/MySQL4/bin/mysqld-nt.exe"
    .
    Completion time: 2008-11-08 11:16:46
    ComboFix-quarantined-files.txt 2008-11-08 01:16:44

    Pre-Run: 10,739,941,376 bytes free
    Post-Run: 10,902,601,728 bytes free

    WinXP_EN_PRO_BF.EXE
    [boot loader]
    timeout = 30
    default = multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS = "Microsoft Windows XP Professional" /fastdetect

    137

    RSIT log:
    Logfile of random's system information tool 1.04 (written by random/random)
    Run by TV at 2008-11-08 11:22:46
    Microsoft Windows XP Professional
    System drive C: has 10 GB (27%) free of 38 GB
    Total RAM: 224 MB (21% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:22:51 AM, on 11/8/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\System32\SiSAudUt.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\TV\Desktop\RSIT.exe
    C:\Program Files\trend micro\TV.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\System32\SiSAudUt.exe -wdm
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1400W STD] C:\WINDOWS\System32\MSTMON_Y.EXE STARTUP
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199586432577
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - LxrSII1s.exe (file missing)
    O23 - Service: MySql - Unknown owner - C:/Program Files/MySQL4/bin/mysqld-nt.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

    --
    End of file - 4259 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\Tune-up Application Start.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2001-08-23 843804]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "IntelliType"=C:\Program Files\Microsoft Hardware\Keyboard\type32.exe [2002-03-22 102400]
    "NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 163840]
    "SiS7012Utility"=C:\WINDOWS\System32\SiSAudUt.exe [2001-11-21 303104]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]
    "QuickTime Task"=C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe [2007-10-19 294912]
    "KONICA MINOLTA PagePro 1400W STD"=C:\WINDOWS\System32\MSTMON_Y.EXE [2006-01-18 192512]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"=C:\Program Files\MSN Messenger\msnmsgr.exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\System32\upnpui.dll [2001-08-23 231424]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDrives"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    "NoDriveAutoRun"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    ======List of files/folders created in the last 3 months======

    2008-11-08 11:16:51 ----D---- C:\WINDOWS\temp
    2008-11-08 11:16:47 ----A---- C:\ComboFix.txt
    2008-11-08 11:14:14 ----A---- C:\Boot.bak
    2008-11-08 11:14:10 ----RASHD---- C:\cmdcons
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\zip.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\VFIND.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\SWXCACLS.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\SWSC.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\SWREG.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\sed.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\NIRCMD.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\grep.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\fdsv.exe
    2008-11-08 11:11:49 ----D---- C:\WINDOWS\ERDNT
    2008-11-08 11:11:49 ----D---- C:\Qoobox
    2008-11-06 21:26:49 ----D---- C:\rsit
    2008-11-06 21:26:49 ----D---- C:\Program Files\trend micro
    2008-11-04 20:52:48 ----A---- C:\WINDOWS\System32\hms.exe
    2008-11-04 20:43:15 ----A---- C:\WINDOWS\System32\gfi.exe
    2008-11-04 20:15:14 ----A---- C:\WINDOWS\System32\agb.exe
    2008-11-04 20:14:51 ----A---- C:\WINDOWS\System32\dqo.exe
    2008-11-04 18:53:10 ----SHD---- C:\FOUND.001
    2008-11-01 23:27:28 ----A---- C:\j4c8t8b5l3a6.exe
    2008-11-01 01:30:29 ----D---- C:\Program Files\Hijackthis
    2008-10-31 23:28:20 ----A---- C:\WINDOWS\System32\bxn.exe
    2008-10-30 22:53:49 ----D---- C:\Program Files\Lavasoft
    2008-10-30 22:53:48 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-30 22:38:29 ----A---- C:\WINDOWS\System32\hlr.exe
    2008-10-30 18:36:54 ----D---- C:\WINDOWS\ERUNT
    2008-10-30 18:35:07 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-10-30 18:07:26 ----A---- C:\z6k9s7g8x1n9.exe
    2008-10-27 20:03:01 ----A---- C:\WINDOWS\System32\jbs.exe
    2008-10-27 19:43:00 ----A---- C:\5e2q6u2f9.exe
    2008-10-27 19:39:40 ----A---- C:\WINDOWS\System32\zpm.exe
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MUINST_Y.EXE
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MTAG32_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MSTMON_Y.EXE
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MSTMON_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MSPOOL_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MLMON__Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MIMF32_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MICM___Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MGDI32_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MCOINS_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MCMM___Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\MSUMLT_Y.INI
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\MSTMON_Y.INI
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\MREADM_Y.TXT
    2008-09-15 19:15:26 ----D---- C:\Program Files\uTorrent
    2008-09-15 19:15:18 ----D---- C:\Documents and Settings\TV\Application Data\uTorrent
    2008-08-10 16:51:37 ----SHD---- C:\WINDOWS\ftpcache

    ======List of files/folders modified in the last 3 months======

    2008-11-08 11:16:12 ----A---- C:\WINDOWS\system.ini
    2008-11-08 11:14:16 ----RASH---- C:\boot.ini
    2008-11-08 11:12:42 ----A---- C:\WINDOWS\SchedLog.Txt
    2008-11-04 20:53:12 ----A---- C:\WINDOWS\System32\ftp.exe
    2008-11-01 01:35:08 ----A---- C:\WINDOWS\System32\sfc_os.dll
    2008-10-30 23:01:42 ----A---- C:\WINDOWS\CLASSICZAP.INI
    2008-10-30 22:51:44 ----A---- C:\WINDOWS\WORDZAP.INI
    2008-10-09 21:08:00 ----A---- C:\WINDOWS\CDPlayer.ini
    2008-08-31 21:00:24 ----A---- C:\WINDOWS\win.ini

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 StarOpen;StarOpen; C:\WINDOWS\System32\drivers\StarOpen.sys [2006-07-24 5632]
    R2 LxrSII1d;Secure II Driver; \??\C:\WINDOWS\System32\Drivers\LxrSII1d.sys []
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
    R3 IPFilter;Microsoft IntelliPoint Features driver; C:\WINDOWS\System32\DRIVERS\IPFilter.sys [2002-04-12 11136]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-02-06 177792]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM); C:\WINDOWS\system32\drivers\sis7012.sys [2001-11-27 165760]
    R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2001-08-17 31232]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2001-08-23 50688]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2001-08-23 15616]
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2001-08-17 13952]
    S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2001-08-23 53376]
    S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2001-08-23 53376]
    S3 NETMDUSB;Net MD; C:\WINDOWS\System32\Drivers\NETMDUSB.sys [2002-08-08 38951]
    S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
    S3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver; C:\WINDOWS\System32\DRIVERS\Bel6001.sys [2003-07-11 168448]
    S3 SiS300i;SiS300i; C:\WINDOWS\System32\DRIVERS\sis300ip.sys [2001-08-17 101760]
    S3 SjyPkt;SjyPkt; \??\C:\WINDOWS\System32\Drivers\SjyPkt.sys []
    S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\System32\DRIVERS\ss_bus.sys [2005-08-30 58320]
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\System32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2001-08-17 24832]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2001-08-17 13824]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2001-08-17 21760]
    S4 IntelIde;IntelIde; C:\WINDOWS\System32\drivers\IntelIde.sys []
    S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-05-12 611664]
    R2 MDM;Machine Debug Manager; c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-03-19 344064]
    S2 LxrSII1s;Lexar Secure II; LxrSII1s.exe []
    S2 MySql;MySql; C:/Program Files/MySQL4/bin/mysqld-nt.exe []
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 77824]
    S3 SPTISRV;Sony SPTI Service; C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe [2002-07-23 73728]
    S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 46080]
    S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

    -----------------EOF-----------------
     
  7. 2008/11/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/malware-virus-removal/78404-active-c-windows-system32-drivers-service-exe-system-shutdown-error.html#post425540
    
    Suspect::[22]
    C:\j4c8t8b5l3a6.exe
    C:\5e2q6u2f9.exe
    C:\z6k9s7g8x1n9.exe
    c:\windows\SYSTEM32\agb.exe
    c:\windows\SYSTEM32\bxn.exe
    c:\windows\SYSTEM32\dqo.exe
    c:\windows\SYSTEM32\gfi.exe
    c:\windows\SYSTEM32\hlr.exe
    c:\windows\SYSTEM32\hms.exe
    c:\windows\SYSTEM32\jbs.exe
    c:\windows\SYSTEM32\vxnuoamvfiu.exe
    c:\windows\SYSTEM32\zpm.exe
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log here.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send.
    Thanks!

    Once you've completed the above, please double click the clock on your taskbar then set the date to 2 months prior. Now run RSIT again, selecting a 3 month scan at the disclaimer. Post the new log.txt file here as well.
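The Suspect:: list above is built from a recognisable pattern in the RSIT "files/folders created" section: three-letter executables dropped into System32 (hms.exe, gfi.exe, ...) and letter/digit-soup executables in the drive root (j4c8t8b5l3a6.exe). The Python below is an added example, not part of this thread and not RSIT, ComboFix or the helper's own tooling; it parses RSIT-style lines (the sample is a constructed excerpt of the log posted above) and flags such names, with the name heuristics, thresholds and the short-name allowlist being assumptions of the example.

```python
r"""Triage of an RSIT "files/folders created" section (added example).

Not part of the thread and not RSIT, ComboFix or the helper's own tooling.
Parses lines of the form

    2008-11-04 20:52:48 ----A---- C:\WINDOWS\System32\hms.exe

and flags executables whose names look machine-generated.  The name
heuristics, thresholds and the allowlist are assumptions of this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# One RSIT line: timestamp, attribute flags between runs of dashes, full path.
RSIT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<attr>-{4}[A-Z]*-{4}) (?P<path>.+?)\s*$"
)
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$", re.I)
EXECUTABLE_EXT = {"exe", "dll", "sys", "scr", "com"}
# Legitimate three-letter executables that live in System32 (assumed list, not exhaustive).
KNOWN_SHORT = {"cmd", "ftp", "net", "sfc", "mmc", "arp", "rsh"}


@dataclass(frozen=True)
class Entry:
    created: datetime
    attrs: str
    path: str


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def parse_rsit_created(text: str) -> List[Entry]:
    """Parse RSIT 'created' lines; anything that does not match the format is ignored."""
    entries = []
    for line in text.splitlines():
        m = RSIT_LINE.match(line.strip())
        if m:
            created = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            entries.append(Entry(created, m["attr"], m["path"]))
    return entries


def random_name_reason(path: str) -> Optional[str]:
    """Return why the file name looks generated, or None if it looks ordinary."""
    name = path.rsplit("\\", 1)[-1]
    stem, dot, ext = name.lower().rpartition(".")
    if not dot or ext not in EXECUTABLE_EXT:
        return None
    # Pattern 1: exactly three lowercase letters, placed directly in System32.
    if SYSTEM32.match(path) and re.fullmatch(r"[a-z]{3}", stem) and stem not in KNOWN_SHORT:
        return "three-letter executable in System32"
    # Pattern 2: interleaved letters and digits, placed in the drive root.
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    if DRIVE_ROOT.match(path) and re.fullmatch(r"[a-z0-9]{6,}", stem) and digits >= 3 and letters >= 3:
        return "letter/digit soup executable in drive root"
    return None


def triage(text: str, newer_than: Optional[str] = None) -> List[Finding]:
    """Flag random-named executables; newer_than ("YYYY-MM-DD") narrows the window.

    RSIT itself only lists the last N months relative to the system clock, which is
    why the thread has the user set the clock back before re-running it.
    """
    cutoff = datetime.strptime(newer_than, "%Y-%m-%d") if newer_than else None
    findings = []
    for entry in parse_rsit_created(text):
        if cutoff and entry.created < cutoff:
            continue
        reason = random_name_reason(entry.path)
        if reason:
            findings.append(Finding(entry.path, reason))
    return findings


# Constructed sample: an excerpt of the RSIT log posted in this thread.
SAMPLE = r"""
2008-11-08 11:16:51 ----D---- C:\WINDOWS\temp
2008-11-08 11:12:06 ----A---- C:\WINDOWS\zip.exe
2008-11-08 11:12:06 ----A---- C:\WINDOWS\sed.exe
2008-11-04 20:52:48 ----A---- C:\WINDOWS\System32\hms.exe
2008-11-04 20:43:15 ----A---- C:\WINDOWS\System32\gfi.exe
2008-11-04 18:53:10 ----SHD---- C:\FOUND.001
2008-11-01 23:27:28 ----A---- C:\j4c8t8b5l3a6.exe
2008-10-31 23:28:20 ----A---- C:\WINDOWS\System32\bxn.exe
2008-10-30 18:07:26 ----A---- C:\z6k9s7g8x1n9.exe
2008-10-27 19:43:00 ----A---- C:\5e2q6u2f9.exe
2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MSTMON_Y.EXE
2008-09-15 19:15:26 ----D---- C:\Program Files\uTorrent
"""

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.path}  <- {f.reason}")
```

ComboFix's own helpers (zip.exe, sed.exe in C:\WINDOWS) and the printer files (MSTMON_Y.EXE) are left alone because they match neither pattern; flagged names still need the file itself examined before anything is removed, which is what the Suspect:: upload in the script above is for.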
     
  8. 2008/11/08
    mrkool

    mrkool Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    6
    Likes Received:
    0
    Hi again, thanks so much for your help. I hope I did this right.

    Combofix log:
    ComboFix 08-11-07.01 - TV 2008-11-08 16:28:56.2 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.71 [GMT 10:00]
    Running from: c:\documents and settings\TV\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\TV\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\drivers\csrss.exe
    c:\windows\system32\Microsoft\backup.ftp

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-08 to 2008-11-08 )))))))))))))))))))))))))))))))
    .

    2008-11-08 13:53 . 2008-11-08 13:53 <DIR> d--hs---- C:\FOUND.002
    2008-11-06 21:26 . 2008-11-06 21:26 <DIR> d-------- C:\rsit
    2008-11-06 21:26 . 2008-11-06 21:26 <DIR> d-------- c:\program files\trend micro
    2008-11-04 20:52 . 2008-11-04 20:53 166,912 --a------ c:\windows\SYSTEM32\hms.exe
    2008-11-04 20:43 . 2008-11-04 20:43 174,080 --a------ c:\windows\SYSTEM32\gfi.exe
    2008-11-04 20:15 . 2008-11-03 20:15 166,912 --a------ c:\windows\SYSTEM32\agb.exe
    2008-11-04 20:14 . 2008-11-04 20:15 166,912 --a------ c:\windows\SYSTEM32\dqo.exe
    2008-11-04 18:53 . 2008-11-04 18:53 <DIR> d--hs---- C:\FOUND.001
    2008-11-01 23:27 . 2008-11-04 17:48 174,080 --a------ C:\j4c8t8b5l3a6.exe
    2008-10-31 23:28 . 2008-10-31 23:28 169,472 --a------ c:\windows\SYSTEM32\bxn.exe
    2008-10-30 22:53 . 2008-10-30 22:53 <DIR> d-------- c:\program files\Lavasoft
    2008-10-30 22:53 . 2008-10-30 22:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-10-30 22:38 . 2008-10-30 22:38 417,792 --a------ c:\windows\SYSTEM32\hlr.exe
    2008-10-30 18:36 . 2008-10-30 18:36 <DIR> d-------- c:\windows\ERUNT
    2008-10-30 18:36 . 2001-08-18 12:00 1,688 --a------ c:\windows\SYSTEM32\AUTOEXEC.NT
    2008-10-30 18:07 . 2008-10-30 18:25 84,992 --a------ C:\z6k9s7g8x1n9.exe
    2008-10-27 20:03 . 2008-10-27 20:03 84,992 --a------ c:\windows\SYSTEM32\jbs.exe
    2008-10-27 19:43 . 2008-10-26 20:04 69,632 --a------ C:\5e2q6u2f9.exe
    2008-10-27 19:39 . 2008-10-27 19:40 169,472 --a------ c:\windows\SYSTEM32\zpm.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-08 05:45 47,616 ----a-w c:\windows\SYSTEM32\ftp.exe
    2008-11-08 05:45 47,616 ----a-w c:\windows\SYSTEM32\dllcache\ftp.exe
    2008-10-31 15:35 132,608 ----a-w c:\windows\SYSTEM32\sfc_os.dll
    2008-09-15 09:15 --------- d-----w c:\program files\uTorrent
    2008-09-15 09:15 --------- d-----w c:\documents and settings\TV\Application Data\uTorrent
    2008-03-18 08:57 32 ----a-w c:\documents and settings\All Users\Application Data\ezsid.dat
    2005-09-04 10:59 18,792 ----a-w c:\documents and settings\TV\Application Data\GDIPFONTCACHEV1.DAT
    2004-09-15 13:00 30,208 --sha-w c:\program files\Thumbs.db
    2004-05-03 06:52 0 ---ha-w c:\program files\Default.rdp
    2003-03-06 09:50 266 --sh--w c:\program files\desktop.ini
    2003-03-06 09:50 11,079 ---h--w c:\program files\folder.htt
    2001-08-23 12:00 158,720 --sh--r c:\windows\SYSTEM32\vxnuoamvfiu.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-11-08_11.16.19.84 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-11-08 00:09:42 16,384 ----a-w c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
    + 2008-11-08 06:31:40 16,384 ----a-w c:\windows\SYSTEM32\config\systemprofile\Cookies\index.dat
    - 2008-11-08 00:09:42 32,768 ----a-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-11-08 06:31:40 32,768 ----a-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-11-08 00:09:42 49,152 ----a-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-11-08 06:31:40 49,152 ----a-w c:\windows\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
    @="{7D688A77-C613-11D0-999B-00C04FD655E1}"
    [HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
    2001-08-23 22:00 8322560 --a------ c:\windows\SYSTEM32\SHELL32.DLL

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-22 102400]
    "NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 163840]
    "SiS7012Utility"="c:\windows\System32\SiSAudUt.exe" [2001-11-21 303104]
    "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "QuickTime Task"="c:\program files\K-Lite Codec Pack\QuickTime\qttask.exe" [2007-10-19 294912]
    "KONICA MINOLTA PagePro 1400W STD"="c:\windows\System32\MSTMON_Y.EXE" [2006-01-18 192512]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.3iv2"= 3ivxVfWCodec.dll
    "msacm.divxa32"= divxa32.acm
    "VIDC.HFYU"= huffyuv.dll
    "VIDC.VP31"= vp31vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
    "LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "UpdatesDisableNotify"=dword:00000001
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    R2 LxrSII1d;Secure II Driver;c:\windows\System32\Drivers\LxrSII1d.sys [2005-05-19 70016]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM);c:\windows\System32\drivers\sis7012.sys [2001-11-27 165760]
    S3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver;c:\windows\System32\DRIVERS\Bel6001.sys [2003-07-11 168448]
    S3 SjyPkt;SjyPkt;c:\windows\System32\Drivers\SjyPkt.sys [ ]
    S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);c:\windows\System32\DRIVERS\ss_bus.sys [2005-08-30 58320]
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;c:\windows\System32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;c:\windows\System32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-csrss.exe - c:\windows\system32\drivers\csrss.exe



    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-08 16:32:17
    Windows 5.1.2600 FAT NTAPI

    detected NTDLL code modification:
    ZwOpenFile

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySql]
    "ImagePath"="C:/Program Files/MySQL4/bin/mysqld-nt.exe"

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySql]
    "ImagePath"="C:/Program Files/MySQL4/bin/mysqld-nt.exe"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\SYSTEM32\LOGONUI.EXE
    c:\program files\LAVASOFT\AD-AWARE\AAWSERVICE.EXE
    c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-08 16:33:54 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-08 06:33:50
    ComboFix2.txt 2008-11-08 01:16:48

    Pre-Run: 10,746,363,904 bytes free
    Post-Run: 10,707,107,840 bytes free

    -----
    RSIT log with date change:
    Logfile of random's system information tool 1.04 (written by random/random)
    Run by TV at 2008-09-08 16:41:06
    Microsoft Windows XP Professional
    System drive C: has 10 GB (27%) free of 38 GB
    Total RAM: 224 MB (15% free)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:41:11 PM, on 9/8/2008
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\logonui.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\WINDOWS\System32\algs.exe
    C:\Documents and Settings\TV\Desktop\RSIT.exe
    C:\Program Files\trend micro\TV.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SiS7012Utility] C:\WINDOWS\System32\SiSAudUt.exe -wdm
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KONICA MINOLTA PagePro 1400W STD] C:\WINDOWS\System32\MSTMON_Y.EXE STARTUP
    O4 - HKLM\..\Run: [Application Layer Gateway Service] C:\WINDOWS\System32\algs.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
    O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\NetTransport 2\NTAddList.html
    O8 - Extra context menu item: Download by Net Transport - C:\Program Files\NetTransport 2\NTAddLink.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1199586432577
    O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
    O16 - DPF: {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_07) -
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - LxrSII1s.exe (file missing)
    O23 - Service: MySql - Unknown owner - C:/Program Files/MySQL4/bin/mysqld-nt.exe (file missing)
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

    --
    End of file - 4329 bytes

    ======Scheduled tasks folder======

    C:\WINDOWS\tasks\Tune-up Application Start.job

    ======Registry dump======

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    SSVHelper Class - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll [2007-09-25 501136]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    {8E718888-423F-11D2-876E-00A0C9082467} - &Radio - C:\WINDOWS\System32\msdxm.ocx [2001-08-23 843804]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "IntelliType"=C:\Program Files\Microsoft Hardware\Keyboard\type32.exe [2002-03-22 102400]
    "NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 163840]
    "SiS7012Utility"=C:\WINDOWS\System32\SiSAudUt.exe [2001-11-21 303104]
    "SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe [2007-09-25 132496]
    "QuickTime Task"=C:\Program Files\K-Lite Codec Pack\QuickTime\qttask.exe [2007-10-19 294912]
    "KONICA MINOLTA PagePro 1400W STD"=C:\WINDOWS\System32\MSTMON_Y.EXE [2006-01-18 192512]
    "Application Layer Gateway Service"=C:\WINDOWS\System32\algs.exe [2001-08-23 65536]

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"=C:\Program Files\MSN Messenger\msnmsgr.exe [2007-01-19 5674352]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\System32\upnpui.dll [2001-08-23 231424]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "dontdisplaylastusername"=0
    "legalnoticecaption"=
    "legalnoticetext"=
    "shutdownwithoutlogon"=1
    "undockwithoutlogon"=1

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDrives"=0

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
    "NoDriveTypeAutoRun"=
    "NoDrives"=
    "NoDriveAutoRun"=

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    ======List of files/folders created in the last 3 months======

    2008-11-08 16:34:51 ----D---- C:\WINDOWS\temp
    2008-11-08 16:33:55 ----A---- C:\ComboFix.txt
    2008-11-08 16:30:24 ----A---- C:\WINDOWS\PSEXESVC.EXE
    2008-11-08 13:53:52 ----SHD---- C:\FOUND.002
    2008-11-08 11:14:14 ----A---- C:\Boot.bak
    2008-11-08 11:14:10 ----RASHD---- C:\cmdcons
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\zip.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\VFIND.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\SWXCACLS.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\SWSC.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\SWREG.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\sed.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\NIRCMD.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\grep.exe
    2008-11-08 11:12:06 ----A---- C:\WINDOWS\fdsv.exe
    2008-11-08 11:11:49 ----D---- C:\WINDOWS\ERDNT
    2008-11-08 11:11:49 ----D---- C:\Qoobox
    2008-11-06 21:26:49 ----D---- C:\rsit
    2008-11-06 21:26:49 ----D---- C:\Program Files\trend micro
    2008-11-04 20:52:48 ----A---- C:\WINDOWS\System32\hms.exe
    2008-11-04 20:43:15 ----A---- C:\WINDOWS\System32\gfi.exe
    2008-11-04 20:15:14 ----A---- C:\WINDOWS\System32\agb.exe
    2008-11-04 20:14:51 ----A---- C:\WINDOWS\System32\dqo.exe
    2008-11-04 18:53:10 ----SHD---- C:\FOUND.001
    2008-11-01 23:27:28 ----A---- C:\j4c8t8b5l3a6.exe
    2008-11-01 01:30:29 ----D---- C:\Program Files\Hijackthis
    2008-10-31 23:28:20 ----A---- C:\WINDOWS\System32\bxn.exe
    2008-10-30 22:53:49 ----D---- C:\Program Files\Lavasoft
    2008-10-30 22:53:48 ----D---- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-10-30 22:38:29 ----A---- C:\WINDOWS\System32\hlr.exe
    2008-10-30 18:36:54 ----D---- C:\WINDOWS\ERUNT
    2008-10-30 18:35:07 ----A---- C:\WINDOWS\ntbtlog.txt
    2008-10-30 18:07:26 ----A---- C:\z6k9s7g8x1n9.exe
    2008-10-27 20:03:01 ----A---- C:\WINDOWS\System32\jbs.exe
    2008-10-27 19:43:00 ----A---- C:\5e2q6u2f9.exe
    2008-10-27 19:39:40 ----A---- C:\WINDOWS\System32\zpm.exe
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MUINST_Y.EXE
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MTAG32_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MSTMON_Y.EXE
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MSTMON_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MSPOOL_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MLMON__Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MIMF32_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MICM___Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MGDI32_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MCOINS_Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MCMM___Y.DLL
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\MSUMLT_Y.INI
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\MSTMON_Y.INI
    2008-10-18 01:12:11 ----A---- C:\WINDOWS\MREADM_Y.TXT
    2008-09-15 19:15:26 ----D---- C:\Program Files\uTorrent
    2008-09-15 19:15:18 ----D---- C:\Documents and Settings\TV\Application Data\uTorrent
    2008-08-10 16:51:37 ----SHD---- C:\WINDOWS\ftpcache
    2008-07-28 22:44:02 ----SHD---- C:\FOUND.000
    2008-06-15 17:49:33 ----D---- C:\Program Files\Apple Software Update
    2008-06-15 17:49:32 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
    2008-06-15 17:47:22 ----D---- C:\Documents and Settings\TV\Application Data\FUJIFILM
    2008-06-15 17:46:21 ----A---- C:\WINDOWS\System32\FFTIFF16.dll
    2008-06-15 17:46:21 ----A---- C:\WINDOWS\System32\FFRafShellEx.dll
    2008-06-15 17:46:21 ----A---- C:\WINDOWS\System32\FFRAFLIB.DLL
    2008-06-15 17:44:12 ----A---- C:\WINDOWS\System32\ptpusb.dll

    ======List of files/folders modified in the last 3 months======

    2008-11-08 16:32:14 ----A---- C:\WINDOWS\system.ini
    2008-11-08 16:28:24 ----A---- C:\WINDOWS\SchedLog.Txt
    2008-11-08 16:20:30 ----A---- C:\WINDOWS\CLASSICZAP.INI
    2008-11-08 15:45:30 ----A---- C:\WINDOWS\System32\ftp.exe
    2008-11-08 11:14:16 ----RASH---- C:\boot.ini
    2008-11-01 01:35:08 ----A---- C:\WINDOWS\System32\sfc_os.dll
    2008-10-30 22:51:44 ----A---- C:\WINDOWS\WORDZAP.INI
    2008-10-09 21:08:00 ----A---- C:\WINDOWS\CDPlayer.ini
    2008-08-31 21:00:24 ----A---- C:\WINDOWS\win.ini

    ======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R1 StarOpen;StarOpen; C:\WINDOWS\System32\drivers\StarOpen.sys [2006-07-24 5632]
    R2 LxrSII1d;Secure II Driver; \??\C:\WINDOWS\System32\Drivers\LxrSII1d.sys []
    R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2001-08-17 9600]
    R3 IPFilter;Microsoft IntelliPoint Features driver; C:\WINDOWS\System32\DRIVERS\IPFilter.sys [2002-04-12 11136]
    R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
    R3 SiS315;SiS315; C:\WINDOWS\System32\DRIVERS\sisgrp.sys [2002-02-06 177792]
    R3 SiS7012;Service for AC'97 Sample Driver (WDM); C:\WINDOWS\system32\drivers\sis7012.sys [2001-11-27 165760]
    R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\System32\DRIVERS\sisnic.sys [2001-08-17 31232]
    R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2001-08-23 50688]
    R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2001-08-23 15616]
    R4 catchme;catchme; \??\C:\ComboFix\catchme.sys []
    S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\System32\DRIVERS\kbdhid.sys [2001-08-17 13952]
    S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2001-08-23 53376]
    S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2001-08-23 53376]
    S3 NETMDUSB;Net MD; C:\WINDOWS\System32\Drivers\NETMDUSB.sys [2002-08-08 38951]
    S3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
    S3 rtl8180;Belkin 11Mbps Wireless Desktop Network Card Driver; C:\WINDOWS\System32\DRIVERS\Bel6001.sys [2003-07-11 168448]
    S3 SiS300i;SiS300i; C:\WINDOWS\System32\DRIVERS\sis300ip.sys [2001-08-17 101760]
    S3 SjyPkt;SjyPkt; \??\C:\WINDOWS\System32\Drivers\SjyPkt.sys []
    S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\System32\DRIVERS\ss_bus.sys [2005-08-30 58320]
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\System32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\System32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
    S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2001-08-17 24832]
    S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2001-08-17 13824]
    S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2001-08-17 21760]
    S4 IntelIde;IntelIde; C:\WINDOWS\System32\drivers\IntelIde.sys []
    S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

    ======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

    R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-05-12 611664]
    R2 MDM;Machine Debug Manager; c:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2003-03-19 344064]
    S2 LxrSII1s;Lexar Secure II; LxrSII1s.exe []
    S2 MySql;MySql; C:/Program Files/MySQL4/bin/mysqld-nt.exe []
    S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 77824]
    S3 SPTISRV;Sony SPTI Service; C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe [2002-07-23 73728]
    S3 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\System32\wdfmgr.exe [2005-01-28 46080]
    S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

    -----------------EOF-----------------
     
  9. 2008/11/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Your system is infected with a polymorphic file infector called Virut. Virut is capable of infecting all the machine's executable files (.exe) and screensaver files (.scr). However, the problem is that the virus has a number of bugs in its code, and as a result it may misinfect a proportion of executable files, and those files are therefore corrupted beyond repair. As of now, security experts suggest that a clean reformat is the only way to clean the infection and it is the only way to return the machine to its normal working state.

    Back up all your documents and important items (personal data, work documents, etc.) only. DO NOT back up any executable files (software) and screensavers (*.scr). It attempts to infect any accessed .exe or .scr files by appending itself to the executable.

    Also, try to avoid backing up compressed (zip/cab/rar) files that have .exe or .scr files inside them. Virut can penetrate and infect .exe files inside compressed files too.


    If you want to attempt cleaning the system, AVG has created a Virut removal tool, though in my own testing the tool left my system unbootable. That can be attributed to the corruption introduced into the system files, not the tool itself. Should you decide to run it, make sure to back up your important files first.
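    One way to pick the dropped files out of an RSIT "files/folders created" list like the one posted above, as an added example written for this page (it is not code from the thread, from RSIT or from any removal tool): it parses the timestamp, attribute and path columns and flags the two name shapes the dropped executables in this log share. The 3-letter-in-System32 and random-alphanumeric-in-root patterns are triage heuristics chosen from this particular log, not a Virut signature.

```python
import re

# Shape of an RSIT "files/folders created" entry, as in the log posted above:
#   <YYYY-MM-DD HH:MM:SS> <attribute flags such as ----A---- or ----SHD----> <path>
RSIT_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<attrs>-+[A-Z]*-+)\s+(?P<path>\S.*?)\s*$"
)

# Triage heuristics (this example's assumption, not an RSIT feature or a Virut signature).
SHORT_RANDOM_SYS32 = re.compile(r"^[a-z]{3}\.(exe|scr)$")             # hms.exe, dqo.exe
ALNUM_RANDOM_ROOT = re.compile(r"^(?=.*\d)[a-z0-9]{8,}\.(exe|scr)$")  # j4c8t8b5l3a6.exe

def parse_rsit_line(line):
    """Return (timestamp, attrs, path) for one RSIT file-list line, or None if it is not one."""
    m = RSIT_LINE.match(line.strip())
    return (m["ts"], m["attrs"], m["path"]) if m else None

def classify(path):
    """Return a reason when the path matches a suspicious-drop heuristic, else None."""
    parent, _, name = path.rpartition("\\")
    name = name.lower()
    if parent.lower() == r"c:\windows\system32" and SHORT_RANDOM_SYS32.match(name):
        return "3-letter random name in System32"
    if parent.lower() == "c:" and ALNUM_RANDOM_ROOT.match(name):
        return "random alphanumeric name in drive root"
    return None

def triage(log_text):
    """Walk an RSIT file list and return [(ts, path, reason)] for entries worth a closer look."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_rsit_line(line)
        if parsed:
            ts, _attrs, path = parsed
            reason = classify(path)
            if reason:
                hits.append((ts, path, reason))
    return hits

# Constructed sample: entries copied from the RSIT log in this thread, with benign
# neighbours from the same list included so the negatives are exercised as well.
SAMPLE_LOG = r"""
2008-11-08 11:12:06 ----A---- C:\WINDOWS\sed.exe
2008-11-04 20:52:48 ----A---- C:\WINDOWS\System32\hms.exe
2008-11-04 20:14:51 ----A---- C:\WINDOWS\System32\dqo.exe
2008-11-01 23:27:28 ----A---- C:\j4c8t8b5l3a6.exe
2008-10-27 19:43:00 ----A---- C:\5e2q6u2f9.exe
2008-10-18 01:12:11 ----A---- C:\WINDOWS\System32\MUINST_Y.EXE
"""
```

Running `triage(SAMPLE_LOG)` returns the four dropped executables and leaves the ComboFix helper and the printer-driver file alone; the output is a shortlist for a human to check, not a verdict.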
     
  10. 2008/11/08
    mrkool

    mrkool Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    6
    Likes Received:
    0
    That is bad news :( Oh well, thank you for figuring it out. I will do the thing and let you know. Thanks again!
     
  11. 2008/11/08
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're most welcome. I'll mark this topic inactive for now. You will still be able to respond to it for 30 days, if you do indeed post back with any update/info.
     
  12. 2008/11/15
    mrkool

    mrkool Inactive Thread Starter

    Joined:
    2008/11/04
    Messages:
    6
    Likes Received:
    0
    Hi again,

    I am now having problems formatting my c:\ !!

    After googling "format c" I think that my BIOS is not set up to boot from CD, so I put my XP CD in, booted up my computer and used the Windows Recovery Console to type in "format c: /fs:ntfs". It says "Are you sure?" and I type in "y", and after a few seconds it returns to the <c:\windows> prompt without having formatted my computer.

    I tried using diskpart to delete my single partition, but it wouldn't let me, saying that there were temporary setup files on that partition.

    Is my inability to format my computer related to the virus corrupting my hard drive?

    I'm so terrible at computers I really need help!
     
  13. 2008/11/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm a bit confused ... you were able to boot to the Recovery Console with the CD. Did you not select the Recovery Console from the setup screen?

    Insert the CD, start/restart the computer and press any key to boot to the CD when prompted.
    You should see files being loaded by Setup, then a Welcome to Windows Setup screen.
    Press Enter to continue.
    Press the F8 key to accept the agreement.
    When the installation is displayed, make sure the C:\ partition is selected, then press D to delete the partition.
    Press Enter to confirm.
    Press L to confirm once more.
    Back at the setup screen, press C to create a partition.
    Press Enter.
    Again on the setup screen, press Enter to set up XP on the created partition.
    Select Format with NTFS and press Enter (do not select the quick format).
    Setup will begin after the format is complete, then it will restart your computer and continue upon reboot.
     