MyTechSupport.ca :: Your Computer Technical Resource Headquarters! MyTechSupport.ca :: Your Computer Technical Resource Headquarters!
HOME FORUMS RESOURCES & TOOLS ARTICLES ONLINE STORE ABOUT US
Computer Support Forums arrow Internet & Network Support arrow Security & Viruses arrow Topic: Trojan.FakeAlert, Trojan.BHO, Rogue.Multiple
June 07, 2020, 09:42:47 AM
 

Home Forum Rules Help Search Mobile Version Login Register

Welcome, Guest. Please login or register.
Did you miss your activation email?
June 07, 2020, 09:42:47 AM

Login with username, password and session length
 Featured Sites:
News
Help us help you! Help us help you by helping out! The more people know about us, the more help will be available. Click here to find out how...
  0 Members and 1 Guest are viewing this topic.
Pages: [1] 2  All Go Down Print
Author Topic: Trojan.FakeAlert, Trojan.BHO, Rogue.Multiple  (Read 4716 times)
Lizi59
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 44


Bookmark and Share

View Profile
« on: April 10, 2009, 05:22:13 AM »

Greetings!  I have been trying to get this pc clean for 3 days now and it's become just a leeeetle bit frustrating!  Tonight I've run CCleaner, then Spybot which came up clean, then Malwarebytes Anti-Malware which found two infected files and quarantined and deleted them.  I tried to run Housecall but when it got to where it's supposed to start scanning, it went no further.  Here are the logs for Malwarebytes and HJT.


Malwarebytes' Anti-Malware 1.36
Database version: 1960
Windows 5.1.2600 Service Pack 3

4/10/2009 12:41:54 AM
mbam-log-2009-04-10 (00-41-54).txt

Scan type: Quick Scan
Objects scanned: 71252
Time elapsed: 6 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Gene Cohn\Local Settings\Temporary Internet Files\Content.IE5\A5HBUN97\srm_free_setup[1].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\Gene Cohn\Local Settings\Temporary Internet Files\Content.IE5\R03PETE3\srm_free_setup[2].exe (Rogue.SpywareRemover) -> Quarantined and deleted successfully.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:59:12, on 4/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\HJT\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6944D0ED-F974-40CC-AE94-5A6ABAA2557A} (GBSolitaire Control) - http://www.gamebonus.com/dngame/gbsolitaire.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227565111468
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1233104084_a564c057d23a2c47fd9bc3c99ef300a4&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://casinoshare.microgaming.com/casinoshare/flashax2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6C4B238-CA4D-4851-A806-B085CE8238B8}: NameServer = 24.25.5.150,24.25.5.149
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Filter hijack: text/html - {6a2b39b8-18eb-49bf-8028-2deae6959a3f} - C:\WINDOWS\system32\dsound3dd.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcg_device -   - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 6045 bytes

Logged
Lizi59
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 44


Bookmark and Share

View Profile
« Reply #1 on: April 10, 2009, 07:44:53 PM »

I forgot to add that it's my husband's pc that's infected.  The one I'm using right now is not  Smiley  (so far!) 

There's been a new development - last night when the popups were coming fast, I shut down the pc.  Now when I turn it on, I'm getting "Saving your settings" and "Loading your personal settings" blinking back and forth.  I tried to get it into Safe Mode with the same result. 

This is a new one for me and I'm clueless what to do. 

Waiting patiently for help (and thanks in advance!)
Logged
Lizi59
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 44


Bookmark and Share

View Profile
« Reply #2 on: April 10, 2009, 09:05:39 PM »

I hope I'm not being a pest!  I figure any other info I can provide will help to pinpoint and ultimately fix whatever is causing these problems.

I have tried Safe Mode (also with Command Prompt and with Network settings), and last known good configuration, all with no change.  I don't think System Restore is an option because in trying to clean the infections I had disabled Restore.

By Googling the problem, it seems that the possible cause of this is that the userinit.exe has been replaced with wsaupdater.exe, so it seems the obvious solution is to replace the userinit.exe with a clean one.

The problem with this is that I cannot get past this loop of loading/saving, etc.  This pc has XP Pro, and did not come with any CDs whatsover.  I want to say that the Recovery Console is already installed but I'm not 100% sure - and if it is, I can't seem to get to it. 

I've tried F8, F11, etc. and it does bring me to an options menu, but no matter which I select, it just goes back to the loop.  There are all kinds of suggestions out there but I don't want to do anything until I hear back from someone here because I've used this board before with great success.

My pc (the one I'm using right now) has XP Home and it did come with discs, but if I understand this correctly I can't use that disc in any other pc, right?  Or can I use it just to try to boot without having it install or repair anything?

*looks like I'm in for a LOOOONNNNGGG weekend!

« Last Edit: April 10, 2009, 09:12:54 PM by Lizi59 » Logged
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #3 on: April 10, 2009, 11:13:39 PM »


I see the culprit....

Ok.Lets download ComboFix.exe. This will give me a better view to the files running and also hidden on your computer and also those in the registry..Please download from one of these webpages .

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with our tools.

Double-click on ComboFix.exe & follow the prompts.

If it will not run  rename Combofix to xxx.exe and run that.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.Recovery Console can be installed from your disc if you have Vista if you wish.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


« Last Edit: April 10, 2009, 11:17:17 PM by Pancake » Logged

An Australian Member of

EDDY
Lizi59
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 44


Bookmark and Share

View Profile
« Reply #4 on: April 11, 2009, 12:11:13 AM »

Thanks, Pancake!  Wish I could do what you suggest, but I'm battling something new now.  Whenever I turn on the pc I get "Saving your settings" and "Loading your personal settings" blinking back and forth. 

I have tried Safe Mode (also with Command Prompt and with Network settings), and last known good configuration, and none worked.  I googled this and from what I've read it seems the probably cause is that the userinit.exe has been replaced with wsaupdater.exe.

Recovery Console is installed.  I've tried to copy a clean userinit.exe into wsaupdater.exe but haven't been successful yet.  I've got a few more things to try so hopefully one will work and I'll be able to follow your instructions.

This infection is turning out to be a REAL pain!
Logged
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #5 on: April 11, 2009, 12:47:51 AM »

See if this helps.Its malware and needs to be deleted... C:\WINDOWS\system32\dsound3dd.dll (Be sure to delete dsound3dd.dll and NOT dsound3d.dll )


Logged

An Australian Member of

EDDY
Lizi59
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 44


Bookmark and Share

View Profile
« Reply #6 on: April 11, 2009, 05:52:39 AM »

I can't do that - I can't get to Windows at all!  Just the 'Loading your personal settings" and "Saving your settings".   I can get to the recovery console and I did try to copy the userinit.exe file into the wsaupdater.exe but that did not help at all. 

Actually I have no idea what to try now.  His pc did not come with any CDs - I think everything that would be on those CDs were pre-loaded on the hard drive.

My pc did come with CDs but I am not sure if that's okay to use on his pc or how to or anything.

Just a tiny bit frustrated here! 
Logged
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #7 on: April 11, 2009, 06:14:17 AM »

All I can suggest is to take it to a shop and get them to do a recovery install or you can try this with your disc...

use this website ====> http://www.windowsreinstall.com/winxppro/indexreinstallguides.htm
Logged

An Australian Member of

EDDY
Lizi59
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 44


Bookmark and Share

View Profile
« Reply #8 on: April 11, 2009, 05:54:46 PM »

Thanks Pancake!  I'm sure that when I'm able to get into Windows again, the original problem with infections will be there just waiting for me, so I'll be back.

Can we keep this open for a few days?  Or would it be better for me to start another thread?
Logged
Lizi59
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 44


Bookmark and Share

View Profile
« Reply #9 on: April 11, 2009, 09:54:57 PM »

Okay!!!  We're back in business  Smiley  Don't ask me how, though.

Should I go ahead and do a new HJT Log and/or Malwarebytes log?  Or pick up where we left off and do the Combofix thing? 
Logged
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #10 on: April 11, 2009, 10:41:13 PM »

Great.Run Combofix....
Logged

An Australian Member of

EDDY
Lizi59
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 44


Bookmark and Share

View Profile
« Reply #11 on: April 12, 2009, 03:44:20 AM »

Okay!  I had a tough time disabling AVG so I wound up uninstalling it - I was thinking of trying AVAST or another free program.  Anyway, here's the combofix log:

ComboFix 09-04-04.01 - Gene Cohn 2009-04-11 22:47:20.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.279 [GMT -4:00]
Running from: c:\documents and settings\Gene Cohn\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2009-03-12 to 2009-04-12  )))))))))))))))))))))))))))))))
.

2009-04-11 13:43 . 2002-08-28 23:41   22,016   --a------   c:\windows\system32\userinit.exe
2009-04-10 18:31 . 2009-04-10 18:31   <DIR>   d--hs----   C:\found.000
2009-04-10 16:11 . 2009-04-10 16:11   <DIR>   d--------   c:\documents and settings\Administrator
2009-04-09 04:14 . 2009-04-09 04:14   664   --a------   c:\windows\system32\d3d9caps.dat
2009-04-09 02:36 . 2009-04-09 07:31   <DIR>   d--------   c:\windows\BDOSCAN8
2009-04-03 23:04 . 2009-04-03 23:04   63   --a------   c:\windows\mdm.ini
2009-04-02 16:14 . 2009-04-07 01:10   <DIR>   d--------   c:\program files\Common

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 02:45   ---------   d-----w   c:\program files\Lx_cats
2009-04-09 23:54   ---------   d-----w   c:\program files\MySpace
2009-04-08 04:59   ---------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-04-07 07:50   ---------   d-----w   c:\program files\SUPERAntiSpyware
2009-04-07 05:08   ---------   d-----w   c:\program files\Spybot - Search & Destroy
2009-04-06 19:32   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-03-22 17:12   ---------   d-----w   c:\program files\Silver Oak Casino
2009-03-12 03:26   ---------   d-----w   c:\program files\Casino Extreme
2009-02-09 11:13   1,846,784   ----a-w   c:\windows\system32\win32k.sys
2009-02-09 11:13   1,846,784   ------w   c:\windows\system32\dllcache\win32k.sys
2009-01-28 00:49   410,984   ----a-w   c:\windows\system32\deploytk.dll
2009-01-17 02:35   3,594,752   ----a-w   c:\windows\system32\dllcache\mshtml.dll
2006-11-04 22:47   49   ----a-w   c:\documents and settings\Gene Cohn\Application Data\internaldb41.dat
2006-11-04 22:47   382   ----a-w   c:\documents and settings\Gene Cohn\Application Data\internaldb1942.dat
2006-11-04 21:40   69,632   ----a-w   c:\documents and settings\Gene Cohn\Application Data\internaldb4827.dat
2006-11-04 21:40   151   ----a-w   c:\documents and settings\Gene Cohn\Application Data\internaldb4556.dat
2006-10-26 05:13   9,216   ----a-w   c:\documents and settings\Gene Cohn\Application Data\internaldb8467.dat
2006-01-28 00:52   4,096   ----a-w   c:\documents and settings\Gene Cohn\log.dat
2007-09-11 02:43   104   --sh--r   c:\windows\system32\26C161093B.sys
2007-09-11 02:43   4,184   --sha-w   c:\windows\system32\KGyGaAvL.sys
2008-09-13 16:18   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.

------- Sigcheck -------

2004-08-04 07:00  24576  39b1ffb03c2296323832acbae50d2aff   c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 20:12  26112  a93aee1928a9d7ce3e16d24ec7380f89   c:\windows\ServicePackFiles\i386\userinit.exe
2002-08-28 23:41  22016  e931e0a2b8bf0019db902e98d03662cb   c:\windows\system32\userinit.exe
2008-04-13 20:12  26112  a93aee1928a9d7ce3e16d24ec7380f89   c:\windows\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((   SnapShot@2009-04-11_21.57.21.70   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-12 02:45:24   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_21c.dat
+ 2009-04-12 02:45:28   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_2a8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-07 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-11-24 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-04-07 03:50 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SoftwareDistribution32]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]
backup=c:\windows\pss\Program Neighborhood Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
-ra------ 2007-03-15 11:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
-ra------ 2005-01-27 03:02 86016 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
-ra------ 2007-11-15 10:24 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
-ra------ 2005-08-01 08:05 94208 c:\program files\Lexmark 2300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
-ra------ 2005-07-12 09:36 299008 c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
-ra------ 2005-06-10 12:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
-ra------ 2005-06-10 12:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
-ra------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
-ra------ 2005-07-21 02:07 200704 c:\program files\Lexmark 2300 Series\lxcgmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
-ra------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
-ra------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
-ra------ 2007-03-19 22:25 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-27 20:49 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-04-07 03:50 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
-ra------ 2007-03-19 22:24 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-12-17 10:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"ERSvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PROSet.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-02-29 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S2 DComEx;COM+ System Executer;
S2 SoftwareDistribution32;Software Distribution;
S3 MBAMCatchMe;MBAMCatchMe;\??\c:\windows\system32\drivers\mbamcatchme.sys --> c:\windows\system32\drivers\mbamcatchme.sys [?]
S3 SoftwareDistributionDrv32;SoftwareDistributionDrv32;\??\c:\windows\SoftwareDistributiondrv.sys --> c:\windows\SoftwareDistributiondrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc   REG_MULTI_SZ      p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9e361ca-4e2d-11dd-855c-001320dd2786}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: {C6C4B238-CA4D-4851-A806-B085CE8238B8} = 24.25.5.150,24.25.5.149
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-11 22:51:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh??

scanning hidden files ... 


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-04-11 22:56:51
ComboFix-quarantined-files.txt  2009-04-12 02:55:29
ComboFix2.txt  2009-04-12 02:02:00
ComboFix3.txt  2009-01-02 04:31:59
ComboFix4.txt  2009-01-02 02:41:12

Pre-Run: 6,433,251,328 bytes free
Post-Run: 6,530,719,744 bytes free

202   --- E O F ---   2009-04-09 20:22:26
Logged
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #12 on: April 12, 2009, 04:13:59 AM »

Just this to do and you should then be fine..



Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote



File::
C:\WINDOWS\system32\dsound3dd.dll


Folder::
 C:\found.000




 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply  please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.Altering this script in any way could damage your computer*


Logged

An Australian Member of

EDDY
Lizi59
Jr. Member
**

Karma: +0/-0
Offline Offline

Posts: 44


Bookmark and Share

View Profile
« Reply #13 on: April 12, 2009, 05:18:30 AM »

ComboFix 09-04-04.01 - Gene Cohn 2009-04-12  0:52:04.5 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.510.233 [GMT -4:00]
Running from: c:\documents and settings\Gene Cohn\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gene Cohn\Desktop\CFScript.txt
 * Created a new restore point

FILE ::
c:\windows\system32\dsound3dd.dll
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\found.000
c:\found.000\file0000.chk

.
(((((((((((((((((((((((((   Files Created from 2009-03-12 to 2009-04-12  )))))))))))))))))))))))))))))))
.

2009-04-11 13:43 . 2002-08-28 23:41   22,016   --a------   c:\windows\system32\userinit.exe
2009-04-10 16:11 . 2009-04-10 16:11   <DIR>   d--------   c:\documents and settings\Administrator
2009-04-09 04:14 . 2009-04-09 04:14   664   --a------   c:\windows\system32\d3d9caps.dat
2009-04-09 02:36 . 2009-04-09 07:31   <DIR>   d--------   c:\windows\BDOSCAN8
2009-04-03 23:04 . 2009-04-03 23:04   63   --a------   c:\windows\mdm.ini
2009-04-02 16:14 . 2009-04-07 01:10   <DIR>   d--------   c:\program files\Common

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-12 02:45   ---------   d-----w   c:\program files\Lx_cats
2009-04-09 23:54   ---------   d-----w   c:\program files\MySpace
2009-04-08 04:59   ---------   d-----w   c:\program files\Malwarebytes' Anti-Malware
2009-04-07 07:50   ---------   d-----w   c:\program files\SUPERAntiSpyware
2009-04-07 05:08   ---------   d-----w   c:\program files\Spybot - Search & Destroy
2009-04-06 19:32   38,496   ----a-w   c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32   15,504   ----a-w   c:\windows\system32\drivers\mbam.sys
2009-03-22 17:12   ---------   d-----w   c:\program files\Silver Oak Casino
2009-03-12 03:26   ---------   d-----w   c:\program files\Casino Extreme
2009-02-09 11:13   1,846,784   ----a-w   c:\windows\system32\win32k.sys
2009-02-09 11:13   1,846,784   ------w   c:\windows\system32\dllcache\win32k.sys
2009-01-28 00:49   410,984   ----a-w   c:\windows\system32\deploytk.dll
2009-01-17 02:35   3,594,752   ----a-w   c:\windows\system32\dllcache\mshtml.dll
2006-11-04 22:47   49   ----a-w   c:\documents and settings\Gene Cohn\Application Data\internaldb41.dat
2006-11-04 22:47   382   ----a-w   c:\documents and settings\Gene Cohn\Application Data\internaldb1942.dat
2006-11-04 21:40   69,632   ----a-w   c:\documents and settings\Gene Cohn\Application Data\internaldb4827.dat
2006-11-04 21:40   151   ----a-w   c:\documents and settings\Gene Cohn\Application Data\internaldb4556.dat
2006-10-26 05:13   9,216   ----a-w   c:\documents and settings\Gene Cohn\Application Data\internaldb8467.dat
2006-01-28 00:52   4,096   ----a-w   c:\documents and settings\Gene Cohn\log.dat
2007-09-11 02:43   104   --sh--r   c:\windows\system32\26C161093B.sys
2007-09-11 02:43   4,184   --sha-w   c:\windows\system32\KGyGaAvL.sys
2008-09-13 16:18   32,768   --sha-w   c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008091320080914\index.dat
.

------- Sigcheck -------

2004-08-04 07:00  24576  39b1ffb03c2296323832acbae50d2aff   c:\windows\$NtServicePackUninstall$\userinit.exe
2008-04-13 20:12  26112  a93aee1928a9d7ce3e16d24ec7380f89   c:\windows\ServicePackFiles\i386\userinit.exe
2002-08-28 23:41  22016  e931e0a2b8bf0019db902e98d03662cb   c:\windows\system32\userinit.exe
2008-04-13 20:12  26112  a93aee1928a9d7ce3e16d24ec7380f89   c:\windows\system32\dllcache\userinit.exe
.
(((((((((((((((((((((((((((((   SnapShot@2009-04-11_21.57.21.70   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-12 02:45:24   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_21c.dat
+ 2009-04-12 02:45:28   16,384   ----atw   c:\windows\Temp\Perflib_Perfdata_2a8.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-04-07 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCGCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll" [2005-07-20 73728]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-11-24 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-04-07 03:50 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SoftwareDistribution32]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Program Neighborhood Agent.lnk]
backup=c:\windows\pss\Program Neighborhood Agent.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
-ra------ 2007-03-15 11:09 460784 c:\program files\DellSupport\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
--a------ 2004-12-06 03:05 127035 c:\windows\system32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
-ra------ 2005-01-27 03:02 86016 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dscactivate]
-ra------ 2007-11-15 10:24 16384 c:\program files\Dell Support Center\gs_agent\custom\dsca.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
-ra------ 2005-08-01 08:05 94208 c:\program files\Lexmark 2300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
-ra------ 2005-07-12 09:36 299008 c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-09-20 10:32 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-09-20 10:36 114688 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-09-20 10:35 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
-ra------ 2005-06-10 12:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
-ra------ 2005-06-10 12:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
-ra------ 2008-11-20 14:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcgmon.exe]
-ra------ 2005-07-21 02:07 200704 c:\program files\Lexmark 2300 Series\lxcgmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
-ra------ 2008-04-13 20:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
-ra------ 2008-11-04 11:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
-ra------ 2007-03-19 22:25 214560 c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2009-01-27 20:49 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2009-04-07 03:50 1830128 c:\program files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
-ra------ 2007-03-19 22:24 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-12-17 10:50 19968 c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"ERSvc"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Intel\\PROSetWired\\NCS\\PROSet\\PROSet.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"135:TCP"= 135:TCP:TCP Port 135
"5000:TCP"= 5000:TCP:TCP Port 5000
"5001:TCP"= 5001:TCP:TCP Port 5001
"5002:TCP"= 5002:TCP:TCP Port 5002
"5003:TCP"= 5003:TCP:TCP Port 5003
"5004:TCP"= 5004:TCP:TCP Port 5004
"5005:TCP"= 5005:TCP:TCP Port 5005
"5006:TCP"= 5006:TCP:TCP Port 5006
"5007:TCP"= 5007:TCP:TCP Port 5007
"5008:TCP"= 5008:TCP:TCP Port 5008
"5009:TCP"= 5009:TCP:TCP Port 5009
"5010:TCP"= 5010:TCP:TCP Port 5010
"5011:TCP"= 5011:TCP:TCP Port 5011
"5012:TCP"= 5012:TCP:TCP Port 5012
"5013:TCP"= 5013:TCP:TCP Port 5013
"5014:TCP"= 5014:TCP:TCP Port 5014
"5015:TCP"= 5015:TCP:TCP Port 5015
"5016:TCP"= 5016:TCP:TCP Port 5016
"5017:TCP"= 5017:TCP:TCP Port 5017
"5018:TCP"= 5018:TCP:TCP Port 5018
"5019:TCP"= 5019:TCP:TCP Port 5019
"5020:TCP"= 5020:TCP:TCP Port 5020

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2008-02-29 55024]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S2 DComEx;COM+ System Executer;
S2 SoftwareDistribution32;Software Distribution;
S3 MBAMCatchMe;MBAMCatchMe;\??\c:\windows\system32\drivers\mbamcatchme.sys --> c:\windows\system32\drivers\mbamcatchme.sys [?]
S3 SoftwareDistributionDrv32;SoftwareDistributionDrv32;\??\c:\windows\SoftwareDistributiondrv.sys --> c:\windows\SoftwareDistributiondrv.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc   REG_MULTI_SZ      p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f9e361ca-4e2d-11dd-855c-001320dd2786}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
TCP: {C6C4B238-CA4D-4851-A806-B085CE8238B8} = 24.25.5.150,24.25.5.149
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-12 00:55:02
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  LXCGCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh?Huh??

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2009-04-12  0:59:21
ComboFix-quarantined-files.txt  2009-04-12 04:58:11
ComboFix2.txt  2009-04-12 02:56:52
ComboFix3.txt  2009-04-12 02:02:00
ComboFix4.txt  2009-01-02 04:31:59
ComboFix5.txt  2009-04-12 04:50:52

Pre-Run: 6,512,676,864 bytes free
Post-Run: 6,493,933,568 bytes free

213   --- E O F ---   2009-04-09 20:22:26

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:15:53, on 4/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://go.microsoft.com/fwlink/?LinkId=54843
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [LXCGCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCGtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6944D0ED-F974-40CC-AE94-5A6ABAA2557A} (GBSolitaire Control) - http://www.gamebonus.com/dngame/gbsolitaire.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1227565111468
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1233104084_a564c057d23a2c47fd9bc3c99ef300a4&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://games.myspace.com/Gameshell/GameHost/1.0/OberonGameHost.cab
O16 - DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} (Flash Casino Helper Object) - https://casinoshare.microgaming.com/casinoshare/flashax2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C6C4B238-CA4D-4851-A806-B085CE8238B8}: NameServer = 24.25.5.150,24.25.5.149
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxcg_device -   - C:\WINDOWS\system32\lxcgcoms.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 5485 bytes


Logged
Pancake
Global Moderator
Hero Member
*****

Karma: +78/-0
Offline Offline

Gender: Male
Posts: 3915


Bookmark and Share

View Profile
« Reply #14 on: April 12, 2009, 08:40:31 AM »

Ok.All done.You should be fine now.

This will clear away any of the files and folders that were created by ComboFix.

Go to :
Start > Run then copy and paste the following highlighted text below into the box  and click OK.



ComboFix /u

Logged

An Australian Member of

EDDY
Pages: [1] 2  All Go Up Print 
 
Jump to:  

Powered by MySQL Powered by PHP

Powered by SMF 1.1.21 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS!

Disclaimer
This site is NOT responsible for any damage that the information on this site may cause to your system. Everything you try, whether inspired by the response given from this site or not, is entirely at your own risk. All product names and company names used herein are for identification purpose only and may be trademarks or registered trademarks of their respective owners. We are in no way affiliated or representing any of the companies on this site unless specified.
Back to Top
Stop Spam Harvesters, Join Project Honey Pot Fight Back Against Spammers! Get Firefox! Get Thunderbird! View Sylvain Amyots profile on LinkedIn
Back to Top
Google visited last this page December 31, 2018, 01:20:12 PM