Micro AV Virus
dcnewf
Newbie
30. September 2008 @ 16:59 |
Hi,
Having trouble removing this virus. Scanned with the following programs: AVG Antivirus, Spybot S&D, Ad-Aware 2008, SuperAntiSpyware, Malwarebytes, but had no luck removing the virus. I downloaded ComboFix and here is my log. Any help would be great.
Thanks
Dave
ComboFix 08-09-30.01 - Hynes 2008-09-30 17:57:45.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.370 [GMT -2.5:30]
Running from: C:\Users\Hynes\Desktop\Dave\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Users\Hynes\Desktop\Live Safety Center.lnk
C:\Users\Hynes\FAVORI~1\Online Security Guide.lnk
C:\Users\Hynes\Favorites\Online Security Guide.lnk
C:\Windows\system32\x64
.
((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
.
2008-09-30 17:09 . 2008-09-30 17:09 <DIR> d--h----- C:\$AVG8.VAULT$
2008-09-30 16:43 . 2008-09-30 16:43 <DIR> d-------- C:\Program Files\Uniblue
2008-09-30 16:40 . 2008-09-30 16:43 <DIR> d-------- C:\Users\Hynes\AppData\Roaming\Uniblue
2008-09-30 16:33 . 2008-09-30 16:38 <DIR> d-------- C:\Windows\System32\drivers\Avg
2008-09-30 16:33 . 2008-09-30 16:33 <DIR> d-------- C:\Users\All Users\avg8
2008-09-30 16:33 . 2008-09-30 16:33 <DIR> d-------- C:\ProgramData\avg8
2008-09-30 16:33 . 2008-09-30 16:33 <DIR> d-------- C:\Program Files\AVG
2008-09-30 16:33 . 2008-09-30 16:33 97,928 --a------ C:\Windows\System32\drivers\avgldx86.sys
2008-09-30 16:33 . 2008-09-30 16:33 69,128 --a------ C:\Windows\System32\drivers\avgwfpx.sys
2008-09-30 16:33 . 2008-09-30 16:33 10,520 --a------ C:\Windows\System32\avgrsstx.dll
2008-09-30 14:03 . 2008-09-30 14:03 <DIR> d-------- C:\PerfLogs
2008-09-30 13:31 . 2008-09-30 13:31 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-09-30 13:31 . 2008-09-30 13:31 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-09-30 13:30 . 2008-09-30 13:30 <DIR> d-------- C:\Users\Hynes\AppData\Roaming\SUPERAntiSpyware.com
2008-09-30 13:30 . 2008-09-30 13:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-09-30 13:14 . 2008-09-30 13:14 <DIR> d-------- C:\Users\All Users\Windows Genuine Advantage
2008-09-30 12:32 . 2008-09-30 12:32 <DIR> d-------- C:\Users\Hynes\AppData\Roaming\Malwarebytes
2008-09-30 12:32 . 2008-09-30 12:32 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-09-30 12:32 . 2008-09-30 12:32 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-09-30 12:32 . 2008-09-30 12:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-30 12:32 . 2008-09-10 00:04 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
2008-09-30 12:32 . 2008-09-10 00:03 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
2008-09-30 11:15 . 2008-09-30 11:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-11 08:58 . 2008-01-19 05:03 8,139,264 --a------ C:\Windows\System32\ssBranded.scr
2008-09-11 08:57 . 2008-01-19 03:36 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-09-11 08:56 . 2008-01-19 05:06 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-09-10 06:11 . 2008-07-30 22:43 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-09-10 06:11 . 2008-06-26 00:59 303,616 --a------ C:\Windows\System32\wmpeffects.dll
2008-09-10 06:11 . 2008-07-31 01:02 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
2008-09-03 15:59 . 2008-09-03 15:59 <DIR> d-------- C:\Users\Hynes\AppData\Roaming\IUpd646
2008-08-23 00:19 . 2008-08-23 00:19 244 --ah----- C:\sqmnoopt00.sqm
2008-08-23 00:19 . 2008-08-23 00:19 232 --ah----- C:\sqmdata00.sqm
2008-08-21 08:12 . 2008-07-19 02:39 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
2008-08-21 08:12 . 2008-07-19 01:14 1,524,736 --a------ C:\Windows\System32\wucltux.dll
2008-08-21 08:12 . 2008-07-19 02:39 563,912 --a------ C:\Windows\System32\wuapi.dll
2008-08-21 08:12 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
2008-08-21 08:12 . 2008-07-19 01:14 83,456 --a------ C:\Windows\System32\wudriver.dll
2008-08-21 08:12 . 2008-07-19 02:40 53,448 --a------ C:\Windows\System32\wuauclt.exe
2008-08-21 08:12 . 2008-07-19 02:40 45,768 --a------ C:\Windows\System32\wups2.dll
2008-08-21 08:12 . 2008-07-19 02:40 36,552 --a------ C:\Windows\System32\wups.dll
2008-08-21 08:12 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
2008-08-15 03:02 . 2008-07-15 23:02 2,048 --a------ C:\Windows\System32\tzres.dll
2008-08-14 16:07 . 2008-04-10 02:42 738,304 --a------ C:\Windows\System32\inetcomm.dll
2008-08-14 14:26 . 2008-08-14 14:26 <DIR> d-------- C:\Program Files\QuickTime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-30 16:45 --------- d-----w C:\Program Files\Lx_cats
2008-09-30 16:41 174 --sha-w C:\Program Files\desktop.ini
2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Sidebar
2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Mail
2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Journal
2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Collaboration
2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Calendar
2008-09-30 16:35 --------- d-----w C:\Program Files\Windows Defender
2008-09-30 16:15 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-09-30 16:15 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-09-30 15:57 --------- d-----w C:\ProgramData\Lavasoft
2008-09-30 15:54 --------- d-----w C:\Program Files\Lavasoft
2008-09-30 15:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-09-30 13:48 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-09-29 01:44 --------- d-----w C:\Users\Hynes\AppData\Roaming\5400 Series
2008-09-28 20:30 --------- d-----w C:\Program Files\Norton Security Scan
2008-09-28 20:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-11 05:34 --------- d-----w C:\Program Files\Microsoft Works
2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
2008-06-19 03:31 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-01-19 04:58 0 ----a-w C:\Users\Hynes\AppData\Roaming\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-08 171448]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"Uniblue Registry Booster"="C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe" [2007-01-12 1740800]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2006-11-22 291760]
"Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2006-11-22 304048]
"EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2006-11-22 82864]
"LXCTCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
"IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 141848]
"HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 166424]
"Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 133656]
"QuickFinder Scheduler"="C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE" [2003-02-25 77887]
"WordPerfect Office 1115"="C:\Program Files\Common Files\Corel\Registration\EN\Registration.exe" [2003-02-18 327680]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-10-10 90191]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-10-10 7741440]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-10-10 81920]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-02 C:\Windows\sttray.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7743F6EB-1968-416C-9B3C-2C6057B4C816}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{C4CA3E03-91A3-4A6F-9D07-4A5A1726129C}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"{DE68B887-2E33-4074-9C24-9CABAF98A2A6}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
"TCP Query User{8899F9C6-69E3-4793-BD31-33735119CB97}C:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= UDP:C:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"UDP Query User{68274D3B-2917-42D6-878E-D0381F95D026}C:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= TCP:C:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"{6C6ECE02-208B-4BD9-B00B-B675D5405894}"= UDP:C:\Windows\System32\lxctcoms.exe:Lexmark Communications System
"{19B84CD1-F1CD-48C4-BC4B-AB4130343F86}"= TCP:C:\Windows\System32\lxctcoms.exe:Lexmark Communications System
"{54DBC301-19F5-45D9-BC54-B193793D1519}"= UDP:C:\Program Files\Lexmark 5400 Series\lxctmon.exe:Device Monitor
"{3257DE26-924E-49CA-9AC4-CD9791C2B28F}"= TCP:C:\Program Files\Lexmark 5400 Series\lxctmon.exe:Device Monitor
"{A419C271-B51F-489D-B3CC-039FE84EE8D7}"= UDP:C:\Program Files\Lexmark 5400 Series\LXCTaiox.exe:All In One Center
"{84F64E2B-79F2-4DCD-9657-2A42060876F6}"= TCP:C:\Program Files\Lexmark 5400 Series\LXCTaiox.exe:All In One Center
"{1BB7DC40-7EF2-4DC0-A8B7-957C587E45C0}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
"{CE335224-AE2A-4BF3-BED0-BCE0F7E2E95E}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-09-30 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-30 875288]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-30 231704]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
R3 AvgWfpX;AVG Free8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-09-30 69128]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 194048]
*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe
.
------- Supplementary Scan -------
.
O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Family%20Feud%202/Images/stg_drm.ocx
C:\Windows\Downloaded Program Files\stg_drm.ocx
O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Family%20Feud%202/Images/armhelper.ocx
C:\Windows\Downloaded Program Files\armhelper.ocx
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-30 18:00:27
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCTCATS = rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-09-30 18:01:45
ComboFix-quarantined-files.txt 2008-09-30 20:31:11
Pre-Run: 220,554,014,720 bytes free
Post-Run: 220,794,097,664 bytes free
184 --- E O F --- 2008-09-30 16:19:03
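As an added example (this is not part of the post above and not ComboFix's own code), here is a small Python triage script for the "Reg Loading Points" section of a ComboFix log like the one posted. It parses the REGEDIT4-style key headers and value lines and flags the items a helper looks at first: a non-empty AppInit_DLLs value, a firewall profile with EnableFirewall=0, Run entries whose target lives outside Program Files or Windows, and bare filenames that Windows resolves through the search path. The sample input is constructed from lines of the log above plus one entry named "hypothetical" (not from the log) so the user-profile check has something to hit. A "review" flag means verify, not malware: in this log avgrsstx.dll was created at the same minute as the rest of the AVG 8 install.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for the forum thread; not ComboFix or HijackThis code.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the posted ComboFix log, plus one
# hypothetical entry (named "hypothetical") that is NOT in the real log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-08 171448]
"Uniblue Registry Booster"="C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe" [2007-01-12 1740800]
"hypothetical"="C:\Users\someone\AppData\Roaming\example\example.exe" [2008-09-03 12345]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
"SigmatelSysTrayApp"="sttray.exe" [2006-11-02 C:\Windows\sttray.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")                 # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')   # "name"=data
QUOTED_RE = re.compile(r'^"([^"]*)"(?:\s*\[(.*)\])?$')  # "path" [date size]


@dataclass
class Entry:
    key: str
    name: str
    data: str   # right-hand side with surrounding quotes stripped
    meta: str   # bracketed "[date size]" tail, or "" if absent


@dataclass
class Finding:
    severity: str   # "review" (check it) or "info"
    entry: Entry
    reason: str


def parse_loading_points(text: str) -> List[Entry]:
    """Return every name=value line, tagged with the key header it sits under."""
    entries: List[Entry] = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or not key:
            continue
        name, rhs = m.group(1), m.group(2).strip()
        q = QUOTED_RE.match(rhs)
        if q:
            entries.append(Entry(key, name, q.group(1), q.group(2) or ""))
        else:
            entries.append(Entry(key, name, rhs, ""))
    return entries


# Locations from which an autostart on a Vista-era machine is normally expected.
TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows")


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the first-pass heuristics a log helper uses on autostart entries."""
    findings: List[Finding] = []
    for e in entries:
        key = e.key.lower()
        data = e.data.lower()
        if key.endswith("\\windows") and e.name.lower() == "appinit_dlls" and data:
            findings.append(Finding("review", e,
                "AppInit_DLLs is set; the DLL loads into every process that "
                "loads user32.dll, so confirm its publisher"))
        elif "firewallpolicy" in key and e.name.lower() == "enablefirewall" \
                and data.startswith("0"):
            findings.append(Finding("review", e,
                "Windows Firewall is disabled for this profile"))
        elif key.endswith("\\run"):
            if "\\" not in data:
                findings.append(Finding("info", e,
                    "bare filename; resolved through the search path"))
            elif not data.startswith(TRUSTED_PREFIXES):
                findings.append(Finding("review", e,
                    "autostart target outside Program Files / Windows"))
    return findings


def run_sample() -> List[Finding]:
    return triage(parse_loading_points(SAMPLE_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.entry.name}: {f.entry.data} -- {f.reason}")
```

Run it as-is to see the four findings from the sample; to use it on a real log, paste the "Reg Loading Points" block into SAMPLE_LOG or read the file and pass its text to parse_loading_points(). The heuristics are deliberately coarse; the point is to shortlist entries to look up, not to decide anything automatically.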
Senior Member
1. October 2008 @ 09:36 |
Hey dcnewf
Before we begin the cleanup process, it is important to do a little analysis first. We will analyze your computer with a tool called HijackThis.
Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file.
Rename HijackThis(.exe) to scanner(.exe).
Next, run scanner(.exe). A window will pop up.
• Click on the button which says Main Menu, then Do a system scan and save a logfile.
• Please wait for the scan to be completed.
• After the scan has completed, a text window will pop up. Please post the contents of this window here.
This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.
NOTE: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.
Best Regards :D
Life is but a dream; you don't feel any pain unless you want to or you fall off the bed.
Success is relative; the more success the more relatives.
A computer once beat me at chess, but it was no match for me at kickboxing.
To be or not to be; that's a dumb question.