Micro AV Virus

Discussion in 'Windows - Virus and spyware problems' started by dcnewf, Sep 30, 2008.

  1. dcnewf

    dcnewf Member

    Hi,

    Having trouble removing this virus. Scanned with the following programs: AVG Antivirus, Spybot S&D, Ad-Aware 2008, SUPERAntiSpyware, Malwarebytes, but had no luck removing the virus. I downloaded ComboFix and here is my log. Any help would be great.

    Thanks
    Dave

    ComboFix 08-09-30.01 - Hynes 2008-09-30 17:57:45.1 - NTFSx86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.370 [GMT -2.5:30]
    Running from: C:\Users\Hynes\Desktop\Dave\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Users\Hynes\Desktop\Live Safety Center.lnk
    C:\Users\Hynes\FAVORI~1\Online Security Guide.lnk
    C:\Users\Hynes\Favorites\Online Security Guide.lnk
    C:\Windows\system32\x64

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-30 )))))))))))))))))))))))))))))))
    .

    2008-09-30 17:09 . 2008-09-30 17:09 <DIR> d--h----- C:\$AVG8.VAULT$
    2008-09-30 16:43 . 2008-09-30 16:43 <DIR> d-------- C:\Program Files\Uniblue
    2008-09-30 16:40 . 2008-09-30 16:43 <DIR> d-------- C:\Users\Hynes\AppData\Roaming\Uniblue
    2008-09-30 16:33 . 2008-09-30 16:38 <DIR> d-------- C:\Windows\System32\drivers\Avg
    2008-09-30 16:33 . 2008-09-30 16:33 <DIR> d-------- C:\Users\All Users\avg8
    2008-09-30 16:33 . 2008-09-30 16:33 <DIR> d-------- C:\ProgramData\avg8
    2008-09-30 16:33 . 2008-09-30 16:33 <DIR> d-------- C:\Program Files\AVG
    2008-09-30 16:33 . 2008-09-30 16:33 97,928 --a------ C:\Windows\System32\drivers\avgldx86.sys
    2008-09-30 16:33 . 2008-09-30 16:33 69,128 --a------ C:\Windows\System32\drivers\avgwfpx.sys
    2008-09-30 16:33 . 2008-09-30 16:33 10,520 --a------ C:\Windows\System32\avgrsstx.dll
    2008-09-30 14:03 . 2008-09-30 14:03 <DIR> d-------- C:\PerfLogs
    2008-09-30 13:31 . 2008-09-30 13:31 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
    2008-09-30 13:31 . 2008-09-30 13:31 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
    2008-09-30 13:30 . 2008-09-30 13:30 <DIR> d-------- C:\Users\Hynes\AppData\Roaming\SUPERAntiSpyware.com
    2008-09-30 13:30 . 2008-09-30 13:30 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2008-09-30 13:14 . 2008-09-30 13:14 <DIR> d-------- C:\Users\All Users\Windows Genuine Advantage
    2008-09-30 12:32 . 2008-09-30 12:32 <DIR> d-------- C:\Users\Hynes\AppData\Roaming\Malwarebytes
    2008-09-30 12:32 . 2008-09-30 12:32 <DIR> d-------- C:\Users\All Users\Malwarebytes
    2008-09-30 12:32 . 2008-09-30 12:32 <DIR> d-------- C:\ProgramData\Malwarebytes
    2008-09-30 12:32 . 2008-09-30 12:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-09-30 12:32 . 2008-09-10 00:04 38,528 --a------ C:\Windows\System32\drivers\mbamswissarmy.sys
    2008-09-30 12:32 . 2008-09-10 00:03 17,200 --a------ C:\Windows\System32\drivers\mbam.sys
    2008-09-30 11:15 . 2008-09-30 11:15 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-09-11 08:58 . 2008-01-19 05:03 8,139,264 --a------ C:\Windows\System32\ssBranded.scr
    2008-09-11 08:57 . 2008-01-19 03:36 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
    2008-09-11 08:56 . 2008-01-19 05:06 704,512 --a------ C:\Windows\System32\SmiEngine.dll
    2008-09-10 06:11 . 2008-07-30 22:43 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
    2008-09-10 06:11 . 2008-06-26 00:59 303,616 --a------ C:\Windows\System32\wmpeffects.dll
    2008-09-10 06:11 . 2008-07-31 01:02 28,160 --a------ C:\Windows\System32\Apphlpdm.dll
    2008-09-03 15:59 . 2008-09-03 15:59 <DIR> d-------- C:\Users\Hynes\AppData\Roaming\IUpd646
    2008-08-23 00:19 . 2008-08-23 00:19 244 --ah----- C:\sqmnoopt00.sqm
    2008-08-23 00:19 . 2008-08-23 00:19 232 --ah----- C:\sqmdata00.sqm
    2008-08-21 08:12 . 2008-07-19 02:39 1,811,656 --a------ C:\Windows\System32\wuaueng.dll
    2008-08-21 08:12 . 2008-07-19 01:14 1,524,736 --a------ C:\Windows\System32\wucltux.dll
    2008-08-21 08:12 . 2008-07-19 02:39 563,912 --a------ C:\Windows\System32\wuapi.dll
    2008-08-21 08:12 . 2008-07-18 22:08 163,904 --a------ C:\Windows\System32\wuwebv.dll
    2008-08-21 08:12 . 2008-07-19 01:14 83,456 --a------ C:\Windows\System32\wudriver.dll
    2008-08-21 08:12 . 2008-07-19 02:40 53,448 --a------ C:\Windows\System32\wuauclt.exe
    2008-08-21 08:12 . 2008-07-19 02:40 45,768 --a------ C:\Windows\System32\wups2.dll
    2008-08-21 08:12 . 2008-07-19 02:40 36,552 --a------ C:\Windows\System32\wups.dll
    2008-08-21 08:12 . 2008-07-18 20:44 31,232 --a------ C:\Windows\System32\wuapp.exe
    2008-08-15 03:02 . 2008-07-15 23:02 2,048 --a------ C:\Windows\System32\tzres.dll
    2008-08-14 16:07 . 2008-04-10 02:42 738,304 --a------ C:\Windows\System32\inetcomm.dll
    2008-08-14 14:26 . 2008-08-14 14:26 <DIR> d-------- C:\Program Files\QuickTime

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-30 16:45 --------- d-----w C:\Program Files\Lx_cats
    2008-09-30 16:41 174 --sha-w C:\Program Files\desktop.ini
    2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Sidebar
    2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Photo Gallery
    2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Mail
    2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Journal
    2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Collaboration
    2008-09-30 16:36 --------- d-----w C:\Program Files\Windows Calendar
    2008-09-30 16:35 --------- d-----w C:\Program Files\Windows Defender
    2008-09-30 16:15 82,432 ----a-w C:\Windows\System32\axaltocm.dll
    2008-09-30 16:15 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
    2008-09-30 15:57 --------- d-----w C:\ProgramData\Lavasoft
    2008-09-30 15:54 --------- d-----w C:\Program Files\Lavasoft
    2008-09-30 15:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-09-30 13:48 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
    2008-09-29 01:44 --------- d-----w C:\Users\Hynes\AppData\Roaming\5400 Series
    2008-09-28 20:30 --------- d-----w C:\Program Files\Norton Security Scan
    2008-09-28 20:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-09-11 05:34 --------- d-----w C:\Program Files\Microsoft Works
    2008-07-31 03:32 460,288 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
    2008-07-31 03:32 2,154,496 ----a-w C:\Windows\AppPatch\AcGenral.dll
    2008-07-31 03:32 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
    2008-06-27 04:15 827,392 ----a-w C:\Windows\System32\wininet.dll
    2008-06-26 03:29 801,280 ----a-w C:\Windows\System32\NaturalLanguage6.dll
    2008-06-26 01:45 2,644,480 ----a-w C:\Windows\System32\NlsLexicons0009.dll
    2008-06-26 01:45 12,240,896 ----a-w C:\Windows\System32\NlsLexicons0007.dll
    2008-06-19 03:31 361,984 ----a-w C:\Windows\System32\IPSECSVC.DLL
    2008-06-12 05:28 541,696 ----a-w C:\Windows\AppPatch\AcLayers.dll
    2008-01-19 04:58 0 ----a-w C:\Users\Hynes\AppData\Roaming\wklnhst.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-11-08 171448]
    "ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 125952]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
    "Uniblue Registry Booster"="C:\Program Files\Uniblue\Registry Booster\RegistryBooster.exe" [2007-01-12 1740800]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "lxctmon.exe"="C:\Program Files\Lexmark 5400 Series\lxctmon.exe" [2006-11-22 291760]
    "Lexmark 5400 Series Fax Server"="C:\Program Files\Lexmark 5400 Series\fm3032.exe" [2006-11-22 304048]
    "EzPrint"="C:\Program Files\Lexmark 5400 Series\ezprint.exe" [2006-11-22 82864]
    "LXCTCATS"="C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll" [2006-11-21 106496]
    "IgfxTray"="C:\Windows\system32\igfxtray.exe" [2008-01-02 141848]
    "HotKeysCmds"="C:\Windows\system32\hkcmd.exe" [2008-01-02 166424]
    "Persistence"="C:\Windows\system32\igfxpers.exe" [2008-01-02 133656]
    "QuickFinder Scheduler"="C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE" [2003-02-25 77887]
    "WordPerfect Office 1115"="C:\Program Files\Common Files\Corel\Registration\EN\Registration.exe" [2003-02-18 327680]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "NvSvc"="C:\Windows\system32\nvsvc.dll" [2006-10-10 90191]
    "NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2006-10-10 7741440]
    "NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2006-10-10 81920]
    "AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-09-30 1234712]
    "SigmatelSysTrayApp"="sttray.exe" [2006-11-02 C:\Windows\sttray.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "msnmsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-07-23 16:28 352256 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=avgrsstx.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
    "{7743F6EB-1968-416C-9B3C-2C6057B4C816}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
    "{C4CA3E03-91A3-4A6F-9D07-4A5A1726129C}"= UDP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "{DE68B887-2E33-4074-9C24-9CABAF98A2A6}"= TCP:C:\Program Files\LimeWire\LimeWire.exe:LimeWire
    "TCP Query User{8899F9C6-69E3-4793-BD31-33735119CB97}C:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= UDP:C:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
    "UDP Query User{68274D3B-2917-42D6-878E-D0381F95D026}C:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= TCP:C:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
    "{6C6ECE02-208B-4BD9-B00B-B675D5405894}"= UDP:C:\Windows\System32\lxctcoms.exe:Lexmark Communications System
    "{19B84CD1-F1CD-48C4-BC4B-AB4130343F86}"= TCP:C:\Windows\System32\lxctcoms.exe:Lexmark Communications System
    "{54DBC301-19F5-45D9-BC54-B193793D1519}"= UDP:C:\Program Files\Lexmark 5400 Series\lxctmon.exe:Device Monitor
    "{3257DE26-924E-49CA-9AC4-CD9791C2B28F}"= TCP:C:\Program Files\Lexmark 5400 Series\lxctmon.exe:Device Monitor
    "{A419C271-B51F-489D-B3CC-039FE84EE8D7}"= UDP:C:\Program Files\Lexmark 5400 Series\LXCTaiox.exe:All In One Center
    "{84F64E2B-79F2-4DCD-9657-2A42060876F6}"= TCP:C:\Program Files\Lexmark 5400 Series\LXCTaiox.exe:All In One Center
    "{1BB7DC40-7EF2-4DC0-A8B7-957C587E45C0}"= C:\Program Files\AVG\AVG8\avgemc.exe:avgemc.exe
    "{CE335224-AE2A-4BF3-BED0-BCE0F7E2E95E}"= C:\Program Files\AVG\AVG8\avgupd.exe:avgupd.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
    "EnableFirewall"= 0 (0x0)

    R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\Windows\system32\Drivers\avgldx86.sys [2008-09-30 97928]
    R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-09-30 875288]
    R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-09-30 231704]
    R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe [2008-07-07 809296]
    R3 AvgWfpX;AVG Free8 Firewall Driver x86;C:\Windows\system32\Drivers\avgwfpx.sys [2008-09-30 69128]
    S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 194048]

    *Newly Created Service* - CATCHME
    *Newly Created Service* - PROCEXP90
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe


    .
    ------- Supplementary Scan -------
    .
    O8 -: &Windows Live Search - C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 -: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

    O16 -: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Family%20Feud%202/Images/stg_drm.ocx
    C:\Windows\Downloaded Program Files\stg_drm.ocx

    O16 -: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Family%20Feud%202/Images/armhelper.ocx
    C:\Windows\Downloaded Program Files\armhelper.ocx
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-30 18:00:27
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCTCATS = rundll32 C:\Windows\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-30 18:01:45
    ComboFix-quarantined-files.txt 2008-09-30 20:31:11

    Pre-Run: 220,554,014,720 bytes free
    Post-Run: 220,794,097,664 bytes free

    184 --- E O F --- 2008-09-30 16:19:03

  2. cdavfrew

    cdavfrew Regular member

    Hey dcnewf

    Before we begin the cleanup process, it is important to do a little analysis first. We will analyze your computer with a tool called HijackThis.

    Please download the HijackThis zip file. Save it onto a convenient place in your computer, and then unzip the file.

    Rename HijackThis(.exe) to scanner(.exe).

    Next, run scanner(.exe). A window will pop up.

    • Click on the button which says Main Menu, then Do a system scan and save a logfile.
    • Please wait for the scan to be completed.
    • After the scan has completed, a text window will pop up. Please post the contents of this window here.

    This will also be located at hijackthis(.txt) in the same folder that HijackThis was originally saved.

    NOTE: Do not fix anything using HijackThis, as this may also damage legitimate components of your computer.

    Best Regards :D