

System Log Check


3 replies to this topic

#1 OFFLINE   mitternacht_engel

    Member

  • Members
  • 20 posts
  • Location:NW Wales, UK

Posted 10 May 2007 - 06:34 PM

Hi :)
My system has been slow as of late. I'm currently scanning my system with AVG Anti-Spyware, and will run AVG Free later, and a quick check of my HijackThis log would be greatly appreciated!
Much thanks
>Steff>

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:28:56, on 10/05/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Steffen\My Documents\HiJackThis_v2.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {338DA9F8-3260-41FC-A66B-19B525185D1A} - C:\WINDOWS\System32\byxxxur.dll
O2 - BHO: (no name) - {60A9A46C-556B-49F1-8B1D-147D4FD8F68C} - C:\WINDOWS\System32\geeec.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\System32\qnnssfvi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177865823352
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177869147328
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE3E7B15-26E2-40DF-9AB5-80F6E02D21C1}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: byxxxur - C:\WINDOWS\SYSTEM32\byxxxur.dll
O20 - Winlogon Notify: geeec - C:\WINDOWS\System32\geeec.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

"The spirit of love fills the earth..."

#2 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 10 May 2007 - 08:12 PM

Hi Steff,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Next download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.

Note:
Do not mouse-click ComboFix's window while it's running, as it may cause it to stall.

Please then post back the VundoFix log, the Comboscan log and a new HijackThis log.

Cheers

Andy
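
What in Steff's first log points at Vundo is the pairing that AndyManchesta's reply responds to: unnamed BHOs whose DLLs sit in System32, and O20 Winlogon Notify entries that load those same DLLs, alongside orphaned entries whose file is already gone. The script below is an added example written for this page, not code from the thread or from HijackThis; it runs those checks over lines copied from the log above. The heuristics themselves (what counts as "unnamed", the Winlogon Notify pairing, treating an empty O23 company field as worth a manual look) are my assumptions about how a reviewer reads such a log, not rules HijackThis applies.

```python
"""Triage a HijackThis log for the Vundo-style pattern discussed in this thread.

Added example, not code from the original post or from HijackThis. The
checks are assumptions about what a log reviewer looks for here:
  * O2 BHO entries reported as "(no name)" whose DLL sits in System32
  * O20 Winlogon Notify entries that load the same DLL as one of those BHOs
  * entries whose file is already gone ("(no file)" / "(file missing)")
  * O23 services with an empty company field
"""
import ntpath
import re

# Lines copied from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {338DA9F8-3260-41FC-A66B-19B525185D1A} - C:\WINDOWS\System32\byxxxur.dll
O2 - BHO: (no name) - {60A9A46C-556B-49F1-8B1D-147D4FD8F68C} - C:\WINDOWS\System32\geeec.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: byxxxur - C:\WINDOWS\SYSTEM32\byxxxur.dll
O20 - Winlogon Notify: geeec - C:\WINDOWS\System32\geeec.dll
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
"""

ENTRY = re.compile(r"^(?P<kind>[OR]\d+) - (?P<body>.*)$")
# O23 lines read "Service: <name> - <company> - <path>"; an empty company
# collapses to " - - ", which a plain split(" - ") mishandles, hence the regex.
SERVICE = re.compile(r"^Service: (?P<name>.+?) - (?P<company>.*?) ?- (?P<path>.*)$")
ORPHAN_TAGS = ("(no file)", "(file missing)")
SYSTEM32 = re.compile(r"^[a-z]:\\windows\\system32\\", re.IGNORECASE)


def parse_entries(log_text):
    """Return one dict per HijackThis O/R line: kind, fields and final path."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        fields = [f.strip() for f in body.split(" - ")]
        entry = {"kind": kind, "fields": fields, "path": fields[-1], "raw": line.strip()}
        if kind == "O23":
            s = SERVICE.match(body)
            if s:
                entry["company"] = s.group("company").strip()
                entry["path"] = s.group("path").strip()
        entries.append(entry)
    return entries


def triage(log_text):
    """Return (reason, raw_line) pairs for entries worth a closer look."""
    entries = parse_entries(log_text)
    findings = []
    unnamed_bho_dlls = set()

    # First pass: orphans and unnamed System32 BHOs (remember their DLL names).
    for e in entries:
        if any(tag in e["path"] for tag in ORPHAN_TAGS):
            findings.append(("orphaned entry, file already gone", e["raw"]))
            continue
        if e["kind"] == "O2" and e["fields"][0] == "BHO: (no name)" and SYSTEM32.match(e["path"]):
            unnamed_bho_dlls.add(ntpath.basename(e["path"]).lower())
            findings.append(("unnamed BHO loading from System32", e["raw"]))

    # Second pass: Winlogon Notify reusing a flagged DLL, services with no vendor.
    for e in entries:
        if e["kind"] == "O20" and ntpath.basename(e["path"]).lower() in unnamed_bho_dlls:
            findings.append(("Winlogon Notify reusing an unnamed BHO DLL (Vundo-style pairing)", e["raw"]))
        elif e["kind"] == "O23" and e.get("company") == "":
            findings.append(("service with empty company field, verify by hand", e["raw"]))
    return findings


if __name__ == "__main__":
    for reason, raw in triage(SAMPLE_LOG):
        print(f"[{reason}] {raw}")
```

The Winlogon Notify check is the one that matters most: a BHO alone is removable from the browser, but a Notify DLL is loaded by winlogon.exe at every logon, which is why VundoFix and ComboFix are brought in rather than simply ticking the O2 lines.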

#3 OFFLINE   mitternacht_engel

    Member

  • Members
  • 20 posts
  • Location:NW Wales, UK

Posted 11 May 2007 - 10:45 AM

Hi Andy, thank you so much for your speedy reply. In accordance with your instructions, here are the logs. Thanks very much for the help thus far :)

>Steff>

Vundofix Log:

VundoFix V6.3.21

Checking Java version...

Scan started at 10:55:17 11/05/2007

Listing files found while scanning....

C:\WINDOWS\System32\ceeeg.bak1
C:\WINDOWS\System32\ceeeg.ini
C:\WINDOWS\System32\ceeeg.tmp
C:\WINDOWS\System32\geeec.dll
C:\WINDOWS\System32\qnnssfvi.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\ceeeg.bak1
C:\WINDOWS\System32\ceeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ceeeg.ini
C:\WINDOWS\System32\ceeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\geeec.dll
C:\WINDOWS\System32\geeec.dll Has been deleted!

Performing Repairs to the registry.
Done!

ComboFix Log:

ComboFix 07-05.08.3.V - Running from: "C:\Documents and Settings\Steffen\Desktop\"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\uqfxvkjh.dll
C:\WINDOWS\system32\hjkvxfqu.ini

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\packet.dll

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-11 ))))))))))))))))))))))))))))))))))

2007-05-11 10:55 <DIR> d-------- C:\VundoFix Backups
2007-05-10 17:50 <DIR> d--hs---- C:\FOUND.002
2007-05-09 21:56 <DIR> d-------- C:\Program Files\ccts
2007-05-09 21:31 262,708 ---hs---- C:\WINDOWS\system32\nnlkh.dll
2007-05-09 21:18 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-05-09 21:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ErrorProtector Free
2007-05-09 21:08 <DIR> d-------- C:\Program Files\BitDownload
2007-05-09 17:47 <DIR> d-------- C:\DOCUME~1\Mathilde\APPLIC~1\OpenOffice.org2
2007-05-07 19:29 <DIR> d-------- C:\DOCUME~1\Steffen\APPLIC~1\Help
2007-05-07 19:10 <DIR> d-------- C:\DOCUME~1\Steffen\APPLIC~1\OpenOffice.org2
2007-05-07 12:53 <DIR> d-------- C:\Program Files\RegCleaner
2007-05-06 13:04 <DIR> d-------- C:\DOCUME~1\Steffen\APPLIC~1\acccore
2007-05-06 13:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-05-06 13:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-05-06 12:54 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-05-06 12:54 <DIR> d-------- C:\Program Files\AIM6
2007-05-06 12:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-05-05 17:59 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-05-05 17:44 22,702 --a------ C:\cc_20070505_1744.reg
2007-05-05 16:58 <DIR> d-------- C:\Program Files\OpenOffice.org 2.0
2007-05-05 13:45 <DIR> d-------- C:\DOCUME~1\Steffen\APPLIC~1\AdobeUM
2007-05-04 13:50 <DIR> d-------- C:\Program Files\Free WMA to MP3 Converter
2007-05-03 19:55 81,920 --a------ C:\WINDOWS\system32\viscomwave.dll
2007-05-03 19:55 323,584 --a------ C:\WINDOWS\system32\FoxImager.dll
2007-05-03 19:55 1,101,824 --a------ C:\WINDOWS\system32\NMSDVDXU.dll
2007-05-03 19:55 <DIR> d-------- C:\Program Files\Cheetah Burner
2007-05-03 18:07 <DIR> d--hs---- C:\FOUND.001
2007-05-03 17:16 <DIR> d-------- C:\DOCUME~1\Mathilde\Shared
2007-05-03 17:16 <DIR> d-------- C:\DOCUME~1\Mathilde\Incomplete
2007-05-03 17:15 <DIR> d-------- C:\DOCUME~1\Mathilde\APPLIC~1\LimeWire
2007-04-30 16:31 <DIR> d-------- C:\Program Files\Ashampoo
2007-04-29 18:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-29 18:25 <DIR> d---s---- C:\DOCUME~1\Steffen\UserData
2007-04-29 10:58 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-04-29 09:58 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2007-04-29 09:58 41,240 --a------ C:\WINDOWS\system32\wups.dll
2007-04-29 09:58 313,344 --a------ C:\WINDOWS\system32\winhttp.dll
2007-04-29 09:58 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-04-29 09:58 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2007-04-29 09:58 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-04-29 09:58 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2007-04-29 09:57 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2007-04-29 08:52 <DIR> d---s---- C:\DOCUME~1\Grethe\UserData
2007-04-29 07:01 60,800 -ra------ C:\WINDOWS\system32\drivers\w300bus.sys
2007-04-29 07:01 5,840 -ra------ C:\WINDOWS\system32\drivers\w300whnt.sys
2007-04-29 07:01 5,840 -ra------ C:\WINDOWS\system32\drivers\w300wh.sys
2007-04-29 07:01 24,960 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2007-04-29 06:25 <DIR> d-------- C:\DOCUME~1\Grethe\Shared
2007-04-29 06:25 <DIR> d-------- C:\DOCUME~1\Grethe\Incomplete
2007-04-29 06:25 <DIR> d-------- C:\DOCUME~1\Grethe\APPLIC~1\LimeWire
2007-04-27 15:21 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2007-04-27 13:58 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\DeepBurner
2007-04-25 13:05 506 --a------ C:\WINDOWS\system\regsys4.dll
2007-04-25 13:03 506 --a------ C:\WINDOWS\system\pubtrksys4.dll
2007-04-25 13:03 372 --a------ C:\WINDOWS\system\BPSYS4.DAT
2007-04-25 13:03 <DIR> d-------- C:\DOCUME~1\Steffen\APPLIC~1\Elmbrook
2007-04-25 11:50 <DIR> d-------- C:\DOCUME~1\Steffen\APPLIC~1\DeepBurner
2007-04-25 11:48 <DIR> d-------- C:\Program Files\Astonsoft
2007-04-23 13:36 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-04-22 14:43 <DIR> d-------- C:\Program Files\Soulseek
2007-04-22 11:19 <DIR> d--hs---- C:\FOUND.000
2007-04-19 16:47 <DIR> d-------- C:\DOCUME~1\Steffen\APPLIC~1\Lavasoft
2007-04-19 16:38 <DIR> d-------- C:\Program Files\Lavasoft
2007-04-19 15:56 <DIR> d-------- C:\Program Files\Yahoo!
2007-04-19 15:56 <DIR> d-------- C:\Program Files\CCleaner
2007-04-18 19:23 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-18 16:50 <DIR> d-------- C:\Program Files\Speed Gear 5
2007-04-18 14:51 198,424 --a------ C:\WINDOWS\system32\iuengine.dll
2007-04-18 14:51 <DIR> d-------- C:\WUTemp
2007-04-17 20:20 <DIR> d-------- C:\Program Files\Pop Art Studio 2.0
2007-04-17 20:12 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2007-04-17 15:34 <DIR> d---s---- C:\DOCUME~1\Mathilde\UserData
2007-04-16 19:41 <DIR> d-------- C:\Program Files\InterMute
2007-04-16 15:13 <DIR> d--h----- C:\Program Files\Zero G Registry
2007-04-16 15:13 <DIR> d-------- C:\WINDOWS\iSee Media
2007-04-16 14:42 <DIR> d-------- C:\DOCUME~1\Steffen\APPLIC~1\ArcSoft
2007-04-16 14:41 163,840 --a------ C:\WINDOWS\system32\PhotoImpression Screen Saver.scr
2007-04-16 14:39 212,480 --a------ C:\WINDOWS\pcdlib32.dll
2007-04-16 14:39 <DIR> d-------- C:\Program Files\ArcSoft
2007-04-16 14:22 <DIR> d-------- C:\Program Files\PhotoFiltre
2007-04-16 10:54 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-15 20:19 274,381 --a------ C:\WINDOWS\PC Image Editor Uninstaller.exe
2007-04-15 20:19 <DIR> d-------- C:\Program Files\PC Image Editor
2007-04-15 19:31 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-04-15 19:30 716,800 --a------ C:\WINDOWS\MSNImport.exe
2007-04-15 19:30 <DIR> d-------- C:\Program Files\MSN Content Plus Inc
2007-04-15 14:43 <DIR> d-------- C:\Program Files\Notation
2007-04-15 14:29 1,310,720 --ah----- C:\DOCUME~1\Mathilde\NTUSER.DAT
2007-04-15 14:25 1,048,576 --ah----- C:\DOCUME~1\Grethe\NTUSER.DAT
2007-04-15 14:07 <DIR> d-------- C:\DOCUME~1\Steffen\Contacts
2007-04-15 14:06 <DIR> d-------- C:\WINDOWS\system32\DRVSTORE
2007-04-15 13:56 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-04-15 13:56 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-04-15 12:44 <DIR> d-------- C:\Program Files\CD FILES
2007-04-15 12:07 <DIR> d-------- C:\WINDOWS\system32\embedded
2007-04-15 12:07 <DIR> d-------- C:\Program Files\LimeWire Acceleration Patch
2007-04-15 12:04 <DIR> d-------- C:\DOCUME~1\Steffen\Shared
2007-04-15 12:04 <DIR> d-------- C:\DOCUME~1\Steffen\Incomplete
2007-04-15 12:03 <DIR> d-------- C:\DOCUME~1\Steffen\APPLIC~1\LimeWire
2007-04-15 12:02 <DIR> d-------- C:\Program Files\LimeWire
2007-04-15 11:36 <DIR> d-------- C:\Program Files\Limewire Lime Wire Pro 4.12.3 (GOOD)
2007-04-15 11:28 335 --a------ C:\WINDOWS\nsreg.dat
2007-04-15 11:25 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-04-15 11:23 3,054 --a------ C:\WINDOWS\mozver.dat
2007-04-15 11:23 107,134 --a------ C:\WINDOWS\UninstallFirefox.exe
2007-04-15 11:19 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-15 11:12 70,688 --a------ C:\WINDOWS\system32\drivers\alcaudsl.sys
2007-04-15 11:12 53,600 --a------ C:\WINDOWS\system32\drivers\alcan5wn.sys
2007-04-15 11:12 5,606 --a------ C:\WINDOWS\system32\stci.dll
2007-04-15 11:12 5,280 --a------ C:\WINDOWS\system32\drivers\alcawh.sys
2007-04-15 11:12 3,968 --a------ C:\WINDOWS\system32\drivers\alcacr.sys
2007-04-15 11:12 <DIR> d-------- C:\Program Files\Thomson
2007-04-15 11:08 <DIR> d-------- C:\Program Files\Lx_cats
2007-04-15 11:07 983,121 --a------ C:\WINDOWS\system32\lxcfgf.dll
2007-04-15 11:07 98,304 --a------ C:\WINDOWS\system32\lxcfinsr.dll
2007-04-15 11:07 86,016 --a------ C:\WINDOWS\system32\lxcfcub.dll
2007-04-15 11:07 73,728 --a------ C:\WINDOWS\system32\lxcfcu.dll
2007-04-15 11:07 704,512 --a------ C:\WINDOWS\system32\lxcfcomc.dll
2007-04-15 11:07 65,536 -ra------ C:\WINDOWS\system32\lxcfcfg.dll
2007-04-15 11:07 491,520 --a------ C:\WINDOWS\system32\lxcfcoms.exe
2007-04-15 11:07 483,328 --a------ C:\WINDOWS\system32\lxcflmpm.dll
2007-04-15 11:07 413,696 --a------ C:\WINDOWS\system32\lxcfcomm.dll
2007-04-15 11:07 40,960 --a------ C:\WINDOWS\system32\lxcfvs.dll
2007-04-15 11:07 397,312 --a------ C:\WINDOWS\system32\lxcfutil.dll
2007-04-15 11:07 372,736 --a------ C:\WINDOWS\system32\lxcfih.exe
2007-04-15 11:07 36,864 --a------ C:\WINDOWS\system32\lxcfcur.dll
2007-04-15 11:07 172,032 --a------ C:\WINDOWS\system32\lxcfinsb.dll
2007-04-15 11:07 155,648 --a------ C:\WINDOWS\system32\lxcfprox.dll
2007-04-15 11:07 131,072 --a------ C:\WINDOWS\system32\lxcfins.dll
2007-04-15 11:07 126,976 --a------ C:\WINDOWS\system32\lxcfjswr.dll
2007-04-15 11:07 114,688 --a------ C:\WINDOWS\system32\lxcfpplc.dll
2007-04-15 11:07 1,183,744 --a------ C:\WINDOWS\system32\lxcfserv.dll
2007-04-15 11:07 1,134,592 --a------ C:\WINDOWS\system32\lxcfusb1.dll
2007-04-15 11:06 <DIR> d-------- C:\TEMP\{9F5FBC24-EFE2-4f90-B498-EC0FB7D47D15}
2007-04-15 11:06 <DIR> d-------- C:\Program Files\Lexmark 730 Series
2007-04-15 11:05 24,832 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-04-15 10:06 <DIR> d-------- C:\WINDOWS\pss
2007-04-15 09:52 387,752 --a------ C:\WINDOWS\system32\vimc.exe
2007-04-15 09:51 720,412 --a------ C:\WINDOWS\system32\MGB_ScreenSaver.scr
2007-04-15 09:51 382,976 --a------ C:\WINDOWS\system32\Vista.scr
2007-04-15 09:51 2,449,408 --a------ C:\WINDOWS\system32\longhornui.exe
2007-04-15 09:51 19,968 --a------ C:\WINDOWS\system32\reico.exe
2007-04-15 09:50 81,920 --a------ C:\WINDOWS\system32\closeapp.exe
2007-04-15 09:50 111,104 --a------ C:\WINDOWS\system32\Uharc.exe
2007-04-15 09:50 <DIR> d-------- C:\WINDOWS\system32\VITrans
2007-04-15 09:50 <DIR> d-------- C:\Program Files\LClock
2007-04-15 09:49 <DIR> d-------- C:\VTPFiles
2007-04-15 09:37 2,621,440 --ah----- C:\DOCUME~1\Steffen\NTUSER.DAT

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-04-15 17:05:12 1,744 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-03-25 00:10:16 1,632 ----a-w C:\WINDOWS\system32\d3d8caps.dat

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{338DA9F8-3260-41FC-A66B-19B525185D1A}"="C:\WINDOWS\System32\byxxxur.dll" [x]
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll"
"{F42BC894-1740-42EF-9F00-AD69349C5CB1}"="C:\WINDOWS\System32\geeec.dll" [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LXCFCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCFtime.dll,_RunDLLEntry@16"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"
"{338DA9F8-3260-41FC-A66B-19B525185D1A}"="C:\WINDOWS\System32\byxxxur.dll" [x]


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxxur

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages msv1_0\
Security Packages kerberosmsv1_0schannelwdigest\
Notification Packages scecli\

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe reader speed launch.lnk
C:\PROGRA~1\Adobe\ACROBA~1.0\Reader\READER~1.EXE

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\c:^documents and settings^Mathilde^start menu^programs^startup^limewire on startup.lnk
C:\PROGRA~1\LimeWire\LimeWire.exe -startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!avg anti-spyware
"C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aim6
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avg7_cc
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\errorprotector free
C:\Program Files\ErrorProtector Free\ertmain.exe /min

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\glass2k
C:\Program Files\Glass2k\Glass2k.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lclock
C:\Program Files\LClock\LClock.exe

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msmsgs
"C:\Program Files\Messenger\msmsgs.exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quicktime task
"C:\Program Files\QuickTime\qttask.exe" -atboottime

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salestart
"C:\Program Files\Common Files\ErrorProtector Free\startmon.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sdtray
"C:\Program Files\Spyware Doctor\SDTrayApp.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spywareterminator
"D:\Spyware Terminator\SpywareTerminatorShield.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sunjavaupdatesched
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windowsservice
rundll32.exe "C:\WINDOWS\System32\uqfxvkjh.dll",realset

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService DnsCache\
rpcss RpcSs\
imgsvc StiSvc\
termsvcs TermService\

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-11 11:17:07
Windows 5.1.2600 FAT

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Completion time: 2007-05-11 11:17:14
C:\ComboFix-quarantined-files.txt ... 2007-05-11 11:17

New HijackThis Log 11th May 2007:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:35:52, on 11/05/2007
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijack This!\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {338DA9F8-3260-41FC-A66B-19B525185D1A} - C:\WINDOWS\System32\byxxxur.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F42BC894-1740-42EF-9F00-AD69349C5CB1} - C:\WINDOWS\System32\geeec.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O12 - Plugin for .fpx: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O12 - Plugin for .ivr: C:\\Program Files\\Internet Explorer\\PLUGINS\\NPRVRT32.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1177865823352
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1177869147328
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE3E7B15-26E2-40DF-9AB5-80F6E02D21C1}: NameServer = 194.168.4.100 194.168.8.100
O20 - Winlogon Notify: byxxxur - byxxxur.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: lxcf_device - - C:\WINDOWS\System32\lxcfcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

"The spirit of love fills the earth..."

#4 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 11 May 2007 - 06:25 PM

Hi Steff

Thanks for the logs. There are a few things left to remove, but first I really need to advise you to upgrade your version of Windows. Running Windows without any Service Packs is very dangerous, as there are far too many security holes that can be exploited, so you will keep getting infected until you get the machine up to date. I'd recommend going to Windows Update and getting Service Pack 1 now, then rebooting when prompted and revisiting until you have all the security updates.

If you think the version isn't genuine, I'd suggest using this link:

http://www.microsoft.com/resources/howtote...ws/default.mspx

If it doesn't pass the validation check, it will give you some instructions on how you can proceed and options to purchase a genuine version of Windows.


Set Windows to show hidden files and folders, as there is a file that needs removing which has hidden attributes.

Can you set Windows to show hidden files and folders and then upload the Userinit.dll file at VirusTotal if it's found?

Click Start. Go to My Computer, then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View tab.
Under the Hidden files and folders heading, select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the file by opening the same page and pressing the Restore Defaults button, then click Apply and OK.

Then delete this file:

C:\WINDOWS\system32\nnlkh.dll


Next visit VirusTotal and have this file scanned:

C:\WINDOWS\system\regsys4.dll

Open the scan site and press Browse, locate the file and double-click it to load the path into the virus scan window, then press Send. Copy and paste the virus scan results back, and let us know if you have any problems finding the file. Repeat the steps for both of these files:

C:\WINDOWS\system\pubtrksys4.dll
C:\WINDOWS\system\BPSYS4.DAT


Next open Notepad (Start Menu > Run > type notepad and press OK), then copy and paste the contents of the code box into Notepad, making REGEDIT4 the top line.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{338DA9F8-3260-41FC-A66B-19B525185D1A}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\errorprotector free]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windowsservice]

Go to File on the top bar of Notepad and choose Save As. In the Save As Type area change it to All Files, then name it fix.reg and save it to your desktop. Double-click fix.reg (or right-click and choose Merge) and allow it to be merged into the registry, which will remove the entries.

Run HijackThis and choose Do A System Scan, then place a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {338DA9F8-3260-41FC-A66B-19B525185D1A} - C:\WINDOWS\System32\byxxxur.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {F42BC894-1740-42EF-9F00-AD69349C5CB1} - C:\WINDOWS\System32\geeec.dll (file missing)
O20 - Winlogon Notify: byxxxur - byxxxur.dll (file missing)

Close all open browser windows and any other windows except for HijackThis, and press the Fix Checked button.

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Finally, generate a report of the Add/Remove screen entries:
Open HijackThis and click the Misc Tools button.
Then click the Open Uninstall Manager... button.
The Add/Remove Programs Manager panel should appear.
In this panel click the Save list button.
Save the uninstall_list.txt file to your desktop and copy and paste the contents back in your next reply.

Please then post back the VirusTotal results, the uninstall list, the Kaspersky log and a new HijackThis log, and let us know if you have any problems.

Thanks

Andy
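
Merging a .reg file gives no preview: regedit applies it silently once the prompt is accepted. The script below is an added example for this page, not part of AndyManchesta's instructions and not a Microsoft tool. It parses the fix.reg text from the post above and lists what merging it would do, using the two REGEDIT4 deletion forms that file relies on: a value line ending in `=-` deletes that value, and a key line written as `[-KEY]` deletes the whole key. The list of "expected" registry areas it checks against (ShellExecuteHooks and the msconfig startupreg keys) is my assumption about the scope of a startup-cleanup fix, chosen so that a fix reaching anywhere else gets flagged for a second look.

```python
"""Dry-run a REGEDIT4 fix file before merging it.

Added example, not part of the original post and not a Microsoft tool. It
parses the .reg text posted above and lists the operations regedit would
perform on merge, so the file can be reviewed before it touches the registry.
It understands the deletion forms used in that file plus plain string values;
anything else is reported as unsupported rather than guessed at.
"""
import re

# The fix.reg contents from the post above, verbatim.
FIX_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{338DA9F8-3260-41FC-A66B-19B525185D1A}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\errorprotector free]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salestart]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windowsservice]
"""

KEY_LINE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Assumed scope of a startup-cleanup fix; keys outside it are flagged.
# Registry paths are case-insensitive, so comparison is done in lower case.
EXPECTED_PREFIXES = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks",
    r"hkey_local_machine\software\microsoft\shared tools\msconfig\startupreg",
)


def parse_reg(text):
    """Return a list of (op, key, name, data) tuples describing the merge."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4 (regedit rejects the file otherwise)")
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        k = KEY_LINE.match(line)
        if k:
            current = k.group("key")
            if k.group("delete"):
                ops.append(("delete_key", current, None, None))
                current = None  # values listed after a [-key] line have no target
            else:
                ops.append(("ensure_key", current, None, None))
            continue
        v = VALUE_LINE.match(line)
        if v and current is not None:
            data = v.group("data")
            if data == "-":
                ops.append(("delete_value", current, v.group("name"), None))
            elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                ops.append(("set_string", current, v.group("name"), data[1:-1]))
            else:
                ops.append(("unsupported", current, v.group("name"), data))
        else:
            ops.append(("unsupported", current, None, line))
    return ops


def review(ops):
    """Count operations by type and list keys outside the expected scope."""
    summary = {"delete_key": 0, "delete_value": 0, "ensure_key": 0,
               "set_string": 0, "unsupported": 0}
    out_of_scope = []
    for op, key, _name, _data in ops:
        summary[op] += 1
        if key is not None and not key.lower().startswith(EXPECTED_PREFIXES):
            out_of_scope.append(key)
    return summary, out_of_scope


if __name__ == "__main__":
    ops = parse_reg(FIX_REG)
    for op, key, name, data in ops:
        print(f"{op:13} {key}" + (f"  value={name!r}" if name else "") + (f"  data={data!r}" if data else ""))
    summary, out_of_scope = review(ops)
    print("summary:", summary)
    print("outside expected scope:", out_of_scope or "none")
```

Note that `[KEY]` without a leading minus is not a no-op: regedit creates the key if it is missing, which is why it is listed as `ensure_key` rather than ignored. For the file above the dry run should show one value deletion under ShellExecuteHooks and three key deletions under msconfig\startupreg, and nothing outside that scope.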