Posted
Hi, I'm hoping someone can help me. A few days ago my PC started playing up, mainly Internet Explorer which kept crashing every time I opened it. I ran an AVG scan and it found the Win32/Cryptor trojan, but was unable to remove it so I ran AntiMalware and it seemed to remove it. However, I am still having issues with my PC (Internet Explorer still crashing, although much less frequently, Windows Defender not opening on startup despite being set up to do so, Windows Firewall turning off on its own), so I'm worried that there are more viruses/malware on my system that AVG and AntiMalware can't find, or that I didn't fully manage to remove the Win32/Cryptor trojan. Any help you can offer would be much appreciated. Thanks in advance...
Posted

Hi johnblaze,

 

A few things before we start....

1. Please Read All Instructions Carefully.

2. If you don't understand something, stop and ask! Don't keep going on.

3. Please do not run any other tools or scans whilst I am helping you.

4. If you have to go away for an extended period of time, let me know.

5. Please continue to respond until I give you the "All Clear".

(Just because you can't see a problem doesn't mean it isn't there)

 

 

Please download Malwarebytes' Anti-Malware by clicking the link below:

Malwarebytes Anti-Malware - Reviews and free Malwarebytes Anti-Malware downloads at Download.com

 

Double Click mbam-setup.exe to install the application.

 

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

* If an update is found, it will download and install the latest version.

* Once the program has loaded, select "Perform Quick Scan", then click Scan.

* The scan may take some time to finish, so please be patient.

* When the scan is complete, click OK, then Show Results to view the results.

* Make sure that everything is checked, and click Remove Selected.

* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)

* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

* You'll be required to post the contents of this log later.

 

Please Note:

If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

 

 

 

Next let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

 

Go here ======> A guide and tutorial on using ComboFix <====== Go here

 

Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

 

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

 

Once installed, you should get a prompt that says:

 

The Recovery Console was successfully installed.

 

Please continue as follows:

 

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

(2) Click Yes to allow ComboFix to continue scanning for malware.

 

When the tool is finished, it will produce a report for you.

 

 

Please include the MBAM log and C:\ComboFix.txt for further review, so that we may continue cleansing the system.

 

 

Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.

Posted

Hi Chiaz, thanks very much for your help. I've pasted the MBAM log as requested, and I'll follow up with the ComboFix log in the following post:

 

Malwarebytes' Anti-Malware 1.42

Database version: 3336

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

10/12/2009 06:08:13

mbam-log-2009-12-10 (06-08-13).txt

Scan type: Quick Scan

Objects scanned: 112905

Time elapsed: 10 minute(s), 4 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Posted

Hi Chiaz, ComboFix log as promised:

 

ComboFix 09-12-09.04 - Admin 10/12/2009 6:26.1.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.599 [GMT 0:00]

Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Admin\Application Data\Google\T-Scan

c:\documents and settings\Admin\Application Data\Google\T-Scan\Thumbs.db

c:\documents and settings\All Users\Application Data\avg9\update\download\f9chjcx709b705if.bin

c:\recycler\S-1-5-21-3779935395-1182671931-1460304000-1004

c:\recycler\S-1-5-21-583907252-1284227242-725345543-1004

c:\temp\FT62

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\system32\afuvarul.ini

c:\windows\system32\BSTIeprintctl1.dll

c:\windows\system32\dPI19

c:\windows\system32\twain_32.dll

.

((((((((((((((((((((((((( Files Created from 2009-11-10 to 2009-12-10 )))))))))))))))))))))))))))))))

.

2009-12-05 21:55 . 2009-11-02 20:42 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-12-05 21:51 . 2009-12-05 21:51 -------- d-----w- c:\program files\Windows Defender

2009-12-04 23:33 . 2009-12-04 23:33 -------- d-----w- c:\program files\CCleaner

2009-12-04 22:30 . 2009-12-04 22:30 -------- d-----w- c:\windows\system32\wbem\Repository

2009-12-04 21:41 . 2009-12-04 21:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-24 19:06 . 2009-11-24 19:06 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-17 21:27 . 2009-11-17 21:28 -------- d-----w- C:\$AVG

2009-11-17 21:27 . 2009-11-17 21:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-11-17 21:26 . 2009-12-05 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-10 06:19 . 2007-12-26 13:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-12-08 22:53 . 2007-09-03 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-12-05 21:58 . 2008-11-29 08:41 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com

2009-12-05 21:58 . 2008-01-19 21:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-12-05 21:58 . 2008-11-29 08:41 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-12-05 19:07 . 2008-11-29 11:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-05 19:04 . 2008-12-15 22:38 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-05 15:08 . 2009-10-03 16:05 -------- d-----w- c:\program files\Rio

2009-12-05 15:06 . 2007-12-12 18:18 -------- d-----w- c:\program files\Soulseek

2009-12-05 15:05 . 2007-12-23 15:06 -------- d-----w- c:\program files\Azureus

2009-12-05 10:00 . 2004-11-30 11:48 -------- d-----w- c:\program files\Trend Micro

2009-12-04 23:34 . 2007-12-17 12:21 -------- d-----w- c:\documents and settings\Admin\Application Data\Azureus

2009-12-03 16:14 . 2008-11-29 11:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 16:13 . 2008-11-29 11:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-24 19:12 . 2004-11-30 12:58 -------- d-----w- c:\program files\Java

2009-11-24 19:10 . 2009-11-04 18:53 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-22 11:55 . 2007-12-06 20:27 -------- d-----w- c:\program files\Lx_cats

2009-11-17 21:27 . 2008-08-17 11:41 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-11-17 21:27 . 2008-08-17 11:41 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-11-17 21:27 . 2009-01-28 16:51 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2009-11-17 21:26 . 2008-06-23 10:08 -------- d-----w- c:\program files\AVG

2009-11-07 08:31 . 2009-11-07 08:30 -------- d-----w- c:\program files\iTunes

2009-11-07 08:30 . 2005-04-21 00:16 -------- d-----w- c:\program files\iPod

2009-11-07 08:30 . 2007-06-30 15:44 -------- d-----w- c:\program files\Common Files\Apple

2009-11-07 08:20 . 2009-11-07 08:20 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-11-06 20:06 . 2004-11-30 11:42 77848 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-05 22:52 . 2007-09-03 19:02 -------- d-----w- c:\program files\Microsoft Works

2009-10-31 00:08 . 2008-11-02 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive

2009-10-31 00:07 . 2008-11-02 18:30 -------- d-----w- c:\documents and settings\Admin\Application Data\Sports Interactive

2009-10-30 23:58 . 2009-10-30 23:58 -------- d-----w- c:\program files\Sports Interactive

2009-10-29 07:45 . 2004-11-30 11:31 916480 ----a-w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2005-01-29 00:27 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 05:38 . 2005-01-29 00:27 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-20 16:20 . 2005-01-29 00:27 265728 ------w- c:\windows\system32\drivers\http.sys

2009-10-15 18:37 . 2009-10-15 18:37 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-10-14 22:33 . 2008-01-03 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-10-13 10:30 . 2004-11-30 11:32 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-11-30 11:31 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-11-30 11:31 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-11 04:17 . 2008-12-20 21:19 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-09-11 14:18 . 2004-11-30 11:31 136192 ----a-w- c:\windows\system32\msv1_0.dll

2005-01-26 11:16 . 2005-01-26 11:16 61 --sh--w- c:\windows\cnerolf.dat

2003-03-31 12:00 . 2003-03-31 12:00 94784 -csh--w- c:\windows\twain.dll

2008-04-14 00:12 . 2004-11-30 11:32 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 00:11 . 2004-11-30 11:32 1028096 --sh--w- c:\windows\system32\mfc42.dll

2008-04-14 00:12 . 2004-11-30 11:32 57344 --sh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12 . 2004-11-30 11:32 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12 . 2004-11-30 11:32 343040 --sha-w- c:\windows\system32\msvcrt.dll

2008-04-14 00:12 . 2004-11-30 11:31 551936 --sh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12 . 2004-11-30 11:32 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 00:12 . 2004-11-30 11:31 11776 --sh--w- c:\windows\system32\regsvr32.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 1961984]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"Shockwave Updater"="c:\windows\system32\Adobe\SHOCKW~1\SWHELP~2.EXE -Update -1103472 -Mozilla" [X]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe -CheckReg" [X]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup" [X]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe -start" [X]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup" [X]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe -atboottime" [X]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe -hide" [X]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]

"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-08-20 65536]

"lxbumon.exe"="c:\program files\Lexmark 6200 Series\lxbumon.exe" [2004-08-20 188416]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-17 2020120]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2004-07-01 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Admin\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-10-15 295606]

Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-2-22 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-11-17 21:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\lxbucoms.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/01/2008 00:33 717296]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [17/08/2008 11:41 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [17/11/2009 21:27 360584]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/11/2009 21:27 285392]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [26/01/2005 10:56 30984]

S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [18/10/2005 18:09 19018]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [13/10/2008 16:44 138112]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [13/10/2008 16:44 8320]

S3 Rdptecia;Rdptecia; [x]

S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [26/01/2005 10:56 56576]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm

IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - Sky.com - your home for the latest news, sport and entertainment

Trusted Zone: kenyoninternational.com

TCP: {84448EC6-2832-4505-967C-BACCDCD54E90} = 90.207.238.97,87.86.189.16

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl

HKLM-Run-Logitech Hardware Abstraction Layer - KHALMNPR.EXE

HKLM-Run-PMCRemote - c:\program files\Pinnacle\Shared Files\\Programs\Remote\Remoterm.exe

AddRemove-Export - c:\progra~1\ABILIT~2\DeIsL4.isu

AddRemove-Ability Office 2002 Program Update - c:\progra~1\ABILIT~2\DeIsL1.isu

AddRemove-Ability Office 2002 Spell - c:\progra~1\ABILIT~2\DeIsL2.isu

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2009-12-10 06:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys spnj.sys hal.dll >>UNKNOWN [0x86F8D938]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7723f28

\Driver\ACPI -> ACPI.sys @ 0xf757ecb8

\Driver\atapi -> atapi.sys @ 0xf7539b40

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7430bd4

PacketIndicateHandler -> NDIS.sys @ 0xf743ca21

SendHandler -> NDIS.sys @ 0xf7430d44

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1981001023-1574323382-4245946488-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3400)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Ahead\InCD\InCDsrv.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\system32\UAService7.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\Common Files\InstallShield\UpdateService\issch.exe

c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\lxbucoms.exe

.

**************************************************************************

.

Completion time: 2009-12-10 06:40:38 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-10 06:40

Pre-Run: 48,059,604,992 bytes free

Post-Run: 48,180,715,520 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

- - End Of File - - BBC1D7AE30343F3F17A983A6049EA0AE
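A triage script for the log above, added here as an example; it is not part of the thread and not something ComboFix or Malwarebytes ship. It parses the three line formats ComboFix uses (registry loading-point headers and "Name"=value lines, the driver/service table where R = running, S = stopped and the digit is the start type, and the dated file lines with their attribute flags) and flags exactly the entries that line up with the symptoms in the first post: Security Center monitoring switched off (DisableMonitoring=1, so no warning when AV or the firewall goes down), the Standard Profile firewall disabled (EnableFirewall=0), an automatic-start service that is not running (S2 WinDefend), a service registered with no binary on disk (S3 Rdptecia [x]), and files carrying both the system and hidden attributes. SAMPLE_LOG is a constructed excerpt copied from the lines posted above, not the full log; `triage`, `Finding` and the regexes are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: lines copied from the ComboFix log posted in this thread,
# covering the three formats the parser understands. Not the full log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe -hide" [X]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-17 2020120]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/01/2008 00:33 717296]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]
S3 Rdptecia;Rdptecia; [x]
2005-01-26 11:16 . 2005-01-26 11:16 61 --sh--w- c:\windows\cnerolf.dat
2009-12-05 21:51 . 2009-12-05 21:51 -------- d-----w- c:\program files\Windows Defender
2008-04-14 00:12 . 2004-11-30 11:32 50688 --sh--w- c:\windows\twain_32.dll
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    category: str
    detail: str


SECTION_RE = re.compile(r"^\[(.+)\]$")                           # [registry key] header
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')                   # "Name"=value
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")   # state, start type, name, display, path
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
                     r"(\d+|-+) ([-a-z]{8}) (.+)$")                # size, attribute flags, path


def _dword(value: str) -> Optional[int]:
    m = re.match(r"dword:([0-9a-fA-F]{8})", value)
    return int(m.group(1), 16) if m else None


def _leading_int(value: str) -> Optional[int]:
    parts = value.split()
    return int(parts[0]) if parts and parts[0].lstrip("-").isdigit() else None


def triage(log_text: str) -> List[Finding]:
    """Walk a ComboFix-style report and return the entries worth a second look."""
    findings: List[Finding] = []
    section = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, value = m.group(1), m.group(2).strip()
            if "security center" in section and name.lower() == "disablemonitoring" and _dword(value) == 1:
                findings.append(Finding("high", "security-center",
                                        f"monitoring disabled under [{section}]: no alert when AV/firewall is off"))
            elif "firewallpolicy" in section and name.lower() == "enablefirewall" and _leading_int(value) == 0:
                findings.append(Finding("high", "firewall", f"Windows Firewall off in [{section}]"))
            elif "\\run" in section and value.endswith("[X]"):
                # ComboFix prints [X] when the autorun target is not on disk; stale entries are
                # common, but a security tool's own autorun going missing is worth a note.
                findings.append(Finding("info", "autorun-orphan", f"{name}: autorun target not found on disk"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            state, start_type, name, display, rest = m.groups()
            if rest.strip() == "[x]":
                findings.append(Finding("high", "service-orphan", f"{name}: service registered with no binary on disk"))
            elif state == "S" and start_type == "2":
                # S = stopped, 2 = automatic start: meant to run at boot but not running.
                findings.append(Finding("medium", "service-stopped", f"{name} ({display}): auto-start service not running"))
            continue
        m = FILE_RE.match(line)
        if m:
            size, attrs, path = m.groups()
            if not attrs.startswith("d") and "s" in attrs and "h" in attrs:
                findings.append(Finding("medium", "hidden-system-file",
                                        f"{path} ({size} bytes, {attrs}): system+hidden; hash-check unless a known XP component"))
    return findings


if __name__ == "__main__":
    order = ("high", "medium", "info")
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order.index(f.severity)):
        print(f"[{f.severity:6}] {f.category:19} {f.detail}")
```

Feed it the whole C:\ComboFix.txt rather than the excerpt and the same rules apply; the hidden+system rule is deliberately noisy (several core XP DLLs carry those flags, as the log shows), which is why it only asks for a hash check rather than calling the file malicious.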

Posted

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

 

It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

 

Open *notepad* and copy/paste the text in the quotebox below into it:

 

Driver::
Rdptecia

 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

 

 

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe

 

 

When finished, it shall produce a log for you at C:\ComboFix.txt

 

Please copy and paste the ComboFix.txt in your new reply later.

 

*Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*

 

=========================

 

Next please go to http://virusscan.jotti.org , click on Browse, and upload the following file for analysis:

 

c:\windows\cnerolf.dat

 

Then click Submit. Allow the files to be scanned, and then please Copy/Paste the results here for me to see, along with the ComboFix.txt.

 

If Jotti is busy, please go to http://www.virustotal.com.
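Before a file goes to Jotti or VirusTotal, a practitioner would confirm its attributes and hash it locally. The ComboFix log lists c:\windows\cnerolf.dat with the --sh--w- flags, meaning the system and hidden attributes are both set; XP Explorer hides such files under a separate View option, "Hide protected operating system files (Recommended)", which "Show hidden files and folders" does not override. The script below is an added example, not part of the thread: it models those two Explorer options, reads the raw Windows attribute bits where the platform exposes them, and streams the file through MD5, SHA-1 and SHA-256 so the hash can be searched on VirusTotal without uploading anything. The file it hashes is a constructed 61-byte stand-in written to a temp directory (its contents are not the real cnerolf.dat); `explorer_would_hide`, `hash_file` and the other names are this example's own.

```python
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# Windows file attribute bits (winnt.h); "s" and "h" in ComboFix's flags are the middle two.
FILE_ATTRIBUTE_READONLY = 0x0001
FILE_ATTRIBUTE_HIDDEN = 0x0002
FILE_ATTRIBUTE_SYSTEM = 0x0004
FILE_ATTRIBUTE_ARCHIVE = 0x0020

_ATTR_NAMES = {
    FILE_ATTRIBUTE_READONLY: "readonly",
    FILE_ATTRIBUTE_HIDDEN: "hidden",
    FILE_ATTRIBUTE_SYSTEM: "system",
    FILE_ATTRIBUTE_ARCHIVE: "archive",
}


def describe_attributes(attrs: int) -> List[str]:
    """Name the attribute bits that are set, lowest bit first."""
    return [name for bit, name in sorted(_ATTR_NAMES.items()) if attrs & bit]


def explorer_would_hide(attrs: int, show_hidden: bool, hide_protected_os_files: bool) -> bool:
    """Model of XP Explorer's two View options.

    A file with BOTH system and hidden set ("super-hidden") stays invisible while
    "Hide protected operating system files" is on, even with "Show hidden files
    and folders" enabled; a merely hidden file follows only the latter option.
    Conservative model: super-hidden files show only when both options allow it.
    """
    hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN)
    system = bool(attrs & FILE_ATTRIBUTE_SYSTEM)
    if hidden and system:
        return hide_protected_os_files or not show_hidden
    return hidden and not show_hidden


def windows_attributes(path: str) -> Optional[int]:
    """Raw attribute bits from the filesystem; Python exposes them on Windows only."""
    return getattr(os.stat(path), "st_file_attributes", None)


def hash_file(path: str, chunk_size: int = 1 << 16) -> Dict[str, object]:
    """Stream the file through MD5/SHA-1/SHA-256 (the keys multi-scanner sites index by)."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for d in digests.values():
                d.update(chunk)
    return {"path": path, "size": size, **{k: d.hexdigest() for k, d in digests.items()}}


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Same digests over an in-memory buffer; used to cross-check hash_file."""
    return {k: getattr(hashlib, k)(data).hexdigest() for k in ("md5", "sha1", "sha256")}


# Constructed 61-byte stand-in for c:\windows\cnerolf.dat (NOT the real file's contents).
SAMPLE_BYTES = b"constructed 61-byte placeholder for the cnerolf.dat sample.\r\n"


def make_sample_file(directory: Optional[str] = None) -> str:
    """Write the constructed sample into a temp directory and return its path."""
    directory = directory or tempfile.mkdtemp(prefix="sample-")
    path = os.path.join(directory, "cnerolf.dat")
    with open(path, "wb") as fh:
        fh.write(SAMPLE_BYTES)
    return path


if __name__ == "__main__":
    target = make_sample_file()
    attrs = windows_attributes(target)
    if attrs is not None:
        print("attributes:", describe_attributes(attrs) or ["none"])
        print("hidden with default Explorer settings:",
              explorer_would_hide(attrs, show_hidden=False, hide_protected_os_files=True))
    info = hash_file(target)
    for key in ("size", "md5", "sha1", "sha256"):
        print(f"{key}: {info[key]}")
```

On the affected XP box the same script pointed at c:\windows\cnerolf.dat would report attributes ["hidden", "system"] and a True from explorer_would_hide even with "Show hidden files" on; attrib +s +h from a command prompt, or dir /a, shows the file where Explorer does not. Searching the SHA-256 on VirusTotal also answers whether anyone has already analysed the file without handing over a copy.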

Posted

Hi Chiaz, I've followed your instructions and posted the new ComboFix log below. I tried to find the file cnerolf.dat, but I couldn't find it in C:/Windows (I even checked the option to show hidden files just in case it was hidden) so I wasn't able to upload it to virusscan.

 

 

ComboFix 09-12-11.05 - Admin 12/12/2009 17:25:50.2.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.564 [GMT 0:00]

Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_Rdptecia

 

((((((((((((((((((((((((( Files Created from 2009-11-12 to 2009-12-12 )))))))))))))))))))))))))))))))

.

2009-12-11 17:46 . 2009-11-22 08:04 844056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2009-12-11 17:46 . 2009-11-22 08:04 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2009-12-11 17:46 . 2009-11-22 08:04 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2009-12-05 21:55 . 2009-11-02 20:42 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-12-05 21:51 . 2009-12-05 21:51 -------- d-----w- c:\program files\Windows Defender

2009-12-04 23:33 . 2009-12-04 23:33 -------- d-----w- c:\program files\CCleaner

2009-12-04 22:30 . 2009-12-04 22:30 -------- d-----w- c:\windows\system32\wbem\Repository

2009-12-04 21:41 . 2009-12-04 21:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-24 19:06 . 2009-11-24 19:06 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-17 21:27 . 2009-11-17 21:28 -------- d-----w- C:\$AVG

2009-11-17 21:27 . 2009-11-17 21:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-11-17 21:26 . 2009-12-05 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-10 06:19 . 2007-12-26 13:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-12-08 22:53 . 2007-09-03 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-12-05 21:58 . 2008-11-29 08:41 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com

2009-12-05 21:58 . 2008-01-19 21:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-12-05 21:58 . 2008-11-29 08:41 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-12-05 19:07 . 2008-11-29 11:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-05 19:04 . 2008-12-15 22:38 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-05 15:08 . 2009-10-03 16:05 -------- d-----w- c:\program files\Rio

2009-12-05 15:06 . 2007-12-12 18:18 -------- d-----w- c:\program files\Soulseek

2009-12-05 15:05 . 2007-12-23 15:06 -------- d-----w- c:\program files\Azureus

2009-12-05 10:00 . 2004-11-30 11:48 -------- d-----w- c:\program files\Trend Micro

2009-12-04 23:34 . 2007-12-17 12:21 -------- d-----w- c:\documents and settings\Admin\Application Data\Azureus

2009-12-03 16:14 . 2008-11-29 11:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 16:13 . 2008-11-29 11:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-24 19:12 . 2004-11-30 12:58 -------- d-----w- c:\program files\Java

2009-11-24 19:10 . 2009-11-04 18:53 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-22 11:55 . 2007-12-06 20:27 -------- d-----w- c:\program files\Lx_cats

2009-11-22 08:05 . 2009-12-11 17:47 3963160 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2009-11-17 21:26 . 2009-12-11 17:47 562456 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll

2009-11-17 21:26 . 2009-12-11 17:47 744728 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgscanx.exe

2009-11-17 21:26 . 2009-12-11 17:47 361752 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmax.exe

2009-11-17 21:26 . 2008-06-23 10:08 -------- d-----w- c:\program files\AVG

2009-11-07 08:31 . 2009-11-07 08:30 -------- d-----w- c:\program files\iTunes

2009-11-07 08:30 . 2005-04-21 00:16 -------- d-----w- c:\program files\iPod

2009-11-07 08:30 . 2007-06-30 15:44 -------- d-----w- c:\program files\Common Files\Apple

2009-11-07 08:20 . 2009-11-07 08:20 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-11-06 20:06 . 2004-11-30 11:42 77848 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-05 22:52 . 2007-09-03 19:02 -------- d-----w- c:\program files\Microsoft Works

2009-10-31 00:08 . 2008-11-02 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive

2009-10-31 00:07 . 2008-11-02 18:30 -------- d-----w- c:\documents and settings\Admin\Application Data\Sports Interactive

2009-10-30 23:58 . 2009-10-30 23:58 -------- d-----w- c:\program files\Sports Interactive

2009-10-29 07:45 . 2004-11-30 11:31 916480 ------w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2005-01-29 00:27 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 05:38 . 2005-01-29 00:27 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-20 16:20 . 2005-01-29 00:27 265728 ------w- c:\windows\system32\drivers\http.sys

2009-10-15 18:37 . 2009-10-15 18:37 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-10-14 22:33 . 2008-01-03 21:15 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-10-13 10:30 . 2004-11-30 11:32 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-11-30 11:31 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-11-30 11:31 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-11 04:17 . 2008-12-20 21:19 411368 ----a-w- c:\windows\system32\deploytk.dll

2005-01-26 11:16 . 2005-01-26 11:16 61 --sh--w- c:\windows\cnerolf.dat

2003-03-31 12:00 . 2003-03-31 12:00 94784 -csh--w- c:\windows\twain.dll

2008-04-14 00:12 . 2004-11-30 11:32 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 00:11 . 2004-11-30 11:32 1028096 --sh--w- c:\windows\system32\mfc42.dll

2008-04-14 00:12 . 2004-11-30 11:32 57344 --sh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12 . 2004-11-30 11:32 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12 . 2004-11-30 11:31 551936 --sh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12 . 2004-11-30 11:32 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 00:12 . 2004-11-30 11:31 11776 --sh--w- c:\windows\system32\regsvr32.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]

"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-08-20 65536]

"lxbumon.exe"="c:\program files\Lexmark 6200 Series\lxbumon.exe" [2004-08-20 188416]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-11 2033432]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2004-07-01 53248]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Admin\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-10-15 295606]

Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-2-22 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-11-17 21:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\lxbucoms.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/01/2008 00:33 717296]

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [17/08/2008 11:41 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [17/11/2009 21:27 360584]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/11/2009 21:27 285392]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [26/01/2005 10:56 30984]

S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [18/10/2005 18:09 19018]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [13/10/2008 16:44 138112]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [13/10/2008 16:44 8320]

S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [26/01/2005 10:56 56576]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm

IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - Sky.com - your home for the latest news, sport and entertainment

Trusted Zone: kenyoninternational.com

TCP: {84448EC6-2832-4505-967C-BACCDCD54E90} = 90.207.238.97,87.86.189.16

DPF: Microsoft XML Parser for Java - http://file://c:\windows\Java\classes\xmldso.cab

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-ISUSPM Startup - c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe

 

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2009-12-12 17:37

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, GMER - Rootkit Detector and Remover

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys spha.sys hal.dll >>UNKNOWN [0x86F8D938]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf7723f28

\Driver\ACPI -> ACPI.sys @ 0xf757ecb8

\Driver\atapi -> atapi.sys @ 0xf7539b40

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9

ParseProcedure -> ntoskrnl.exe @ 0x8056ea15

NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7430bd4

PacketIndicateHandler -> NDIS.sys @ 0xf743ca21

SendHandler -> NDIS.sys @ 0xf7430d44

user & kernel MBR OK

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1981001023-1574323382-4245946488-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1564)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\progra~1\WINDOW~2\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\program files\Nokia\Nokia PC Suite 6\PhoneBrowser.dll

c:\program files\Nokia\Nokia PC Suite 6\PCSCM.dll

c:\program files\Nokia\Nokia PC Suite 6\Lang\PhoneBrowser_eng.nlr

c:\program files\Nokia\Nokia PC Suite 6\Resource\PhoneBrowser_Nokia.ngr

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Ahead\InCD\InCDsrv.exe

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\UAService7.exe

c:\program files\Adobe\Acrobat 8.0\Acrobat\acrobat_sl.exe

c:\program files\Windows Media Player\WMPNetwk.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\windows\system32\wscntfy.exe

c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\lxbucoms.exe

.

**************************************************************************

.

Completion time: 2009-12-12 17:42:47 - machine was rebooted

ComboFix-quarantined-files.txt 2009-12-12 17:42

ComboFix2.txt 2009-12-10 06:40

Pre-Run: 49,228,918,784 bytes free

Post-Run: 49,249,640,448 bytes free

- - End Of File - - 2BBDCEAEF29D495CE59A4BF7562F0D0A

Posted

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

 

It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

 

Open *notepad* again and copy/paste the text in the quotebox below into it:

 

File::
c:\windows\cnerolf.dat

 

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop. Replace the original CFScript.txt if it's still there.

 

 

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

 

Referring to the picture above, drag CFScript.txt into ComboFix.exe

 

 

When finished, it shall produce a log for you at C:\ComboFix.txt

 

Please copy and paste the ComboFix.txt in your new reply, before going on to do the following.

 

*Note:

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*

 

=========================

 

Next let's have you go HERE to run Panda ActiveScan 2.0

  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply.

Posted

Hi Chiaz, here's the new ComboFix log as requested. I'll post the ActiveScan log in my next post:

 

ComboFix 09-12-11.05 - Admin 14/12/2009 19:38:18.3.1 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1015.603 [GMT 0:00]

Running from: c:\documents and settings\Admin\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Admin\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::

"c:\windows\cnerolf.dat"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\cnerolf.dat

.

((((((((((((((((((((((((( Files Created from 2009-11-14 to 2009-12-14 )))))))))))))))))))))))))))))))

.

2009-12-11 17:46 . 2009-11-22 08:04 844056 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

2009-12-11 17:46 . 2009-11-22 08:04 1658136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2009-12-11 17:46 . 2009-11-22 08:04 798488 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avginet.dll

2009-12-05 21:55 . 2009-11-02 20:42 195456 ------w- c:\windows\system32\MpSigStub.exe

2009-12-05 21:51 . 2009-12-05 21:51 -------- d-----w- c:\program files\Windows Defender

2009-12-04 23:33 . 2009-12-04 23:33 -------- d-----w- c:\program files\CCleaner

2009-12-04 22:30 . 2009-12-04 22:30 -------- d-----w- c:\windows\system32\wbem\Repository

2009-12-04 21:41 . 2009-12-04 21:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-11-24 19:06 . 2009-11-24 19:06 79488 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2009-11-17 21:27 . 2009-11-17 21:28 -------- d-----w- C:\$AVG

2009-11-17 21:27 . 2009-11-17 21:27 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-11-17 21:26 . 2009-12-05 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-12-10 06:19 . 2007-12-26 13:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-12-08 22:53 . 2007-09-03 18:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-12-05 21:58 . 2008-11-29 08:41 -------- d-----w- c:\documents and settings\Admin\Application Data\SUPERAntiSpyware.com

2009-12-05 21:58 . 2008-01-19 21:18 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-12-05 21:58 . 2008-11-29 08:41 -------- d-----w- c:\program files\SUPERAntiSpyware

2009-12-05 19:07 . 2008-11-29 11:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-05 19:04 . 2008-12-15 22:38 4844295 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-12-05 15:08 . 2009-10-03 16:05 -------- d-----w- c:\program files\Rio

2009-12-05 15:06 . 2007-12-12 18:18 -------- d-----w- c:\program files\Soulseek

2009-12-05 15:05 . 2007-12-23 15:06 -------- d-----w- c:\program files\Azureus

2009-12-05 10:00 . 2004-11-30 11:48 -------- d-----w- c:\program files\Trend Micro

2009-12-04 23:34 . 2007-12-17 12:21 -------- d-----w- c:\documents and settings\Admin\Application Data\Azureus

2009-12-03 16:14 . 2008-11-29 11:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-12-03 16:13 . 2008-11-29 11:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-11-24 19:12 . 2004-11-30 12:58 -------- d-----w- c:\program files\Java

2009-11-24 19:10 . 2009-11-04 18:53 152576 ----a-w- c:\documents and settings\Admin\Application Data\Sun\Java\jre1.6.0_17\lzma.dll

2009-11-22 11:55 . 2007-12-06 20:27 -------- d-----w- c:\program files\Lx_cats

2009-11-22 08:05 . 2009-12-11 17:47 3963160 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2009-11-17 21:26 . 2009-12-11 17:47 562456 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll

2009-11-17 21:26 . 2009-12-11 17:47 744728 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgscanx.exe

2009-11-17 21:26 . 2009-12-11 17:47 361752 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmax.exe

2009-11-17 21:26 . 2008-06-23 10:08 -------- d-----w- c:\program files\AVG

2009-11-07 08:31 . 2009-11-07 08:30 -------- d-----w- c:\program files\iTunes

2009-11-07 08:30 . 2005-04-21 00:16 -------- d-----w- c:\program files\iPod

2009-11-07 08:30 . 2007-06-30 15:44 -------- d-----w- c:\program files\Common Files\Apple

2009-11-07 08:20 . 2009-11-07 08:20 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe

2009-11-06 20:06 . 2004-11-30 11:42 77848 ----a-w- c:\documents and settings\Admin\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-11-05 22:52 . 2007-09-03 19:02 -------- d-----w- c:\program files\Microsoft Works

2009-10-31 00:08 . 2008-11-02 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Sports Interactive

2009-10-31 00:07 . 2008-11-02 18:30 -------- d-----w- c:\documents and settings\Admin\Application Data\Sports Interactive

2009-10-30 23:58 . 2009-10-30 23:58 -------- d-----w- c:\program files\Sports Interactive

2009-10-29 07:45 . 2004-11-30 11:31 916480 ------w- c:\windows\system32\wininet.dll

2009-10-21 05:38 . 2005-01-29 00:27 25088 ----a-w- c:\windows\system32\httpapi.dll

2009-10-21 05:38 . 2005-01-29 00:27 75776 ----a-w- c:\windows\system32\strmfilt.dll

2009-10-20 16:20 . 2005-01-29 00:27 265728 ------w- c:\windows\system32\drivers\http.sys

2009-10-13 10:30 . 2004-11-30 11:32 270336 ----a-w- c:\windows\system32\oakley.dll

2009-10-12 13:38 . 2004-11-30 11:31 149504 ----a-w- c:\windows\system32\rastls.dll

2009-10-12 13:38 . 2004-11-30 11:31 79872 ----a-w- c:\windows\system32\raschap.dll

2009-10-11 04:17 . 2008-12-20 21:19 411368 ----a-w- c:\windows\system32\deploytk.dll

2003-03-31 12:00 . 2003-03-31 12:00 94784 -csh--w- c:\windows\twain.dll

2008-04-14 00:12 . 2004-11-30 11:32 50688 --sh--w- c:\windows\twain_32.dll

2008-04-14 00:11 . 2004-11-30 11:32 1028096 --sh--w- c:\windows\system32\mfc42.dll

2008-04-14 00:12 . 2004-11-30 11:32 57344 --sh--w- c:\windows\system32\msvcirt.dll

2008-04-14 00:12 . 2004-11-30 11:32 413696 --sha-w- c:\windows\system32\msvcp60.dll

2008-04-14 00:12 . 2004-11-30 11:31 551936 --sh--w- c:\windows\system32\oleaut32.dll

2008-04-14 00:12 . 2004-11-30 11:32 84992 --sha-w- c:\windows\system32\olepro32.dll

2008-04-14 00:12 . 2004-11-30 11:31 11776 --sh--w- c:\windows\system32\regsvr32.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

"NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2005-07-14 1961984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"PinnacleDriverCheck"="c:\windows\system32\PSDrvCheck.exe" [2003-11-10 406016]

"BJCFD"="c:\program files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 368706]

"DVDTray"="c:\program files\Ahead\ODD Toolkit\DVDTray.exe" [2004-09-03 65536]

"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"LXBUCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll" [2004-08-20 65536]

"lxbumon.exe"="c:\program files\Lexmark 6200 Series\lxbumon.exe" [2004-08-20 188416]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 81920]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 271360]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-08-13 177440]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2006-10-22 620152]

"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-12-11 2033432]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-28 141600]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]

"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2004-07-01 53248]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-03 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

c:\documents and settings\Admin\Start Menu\Programs\Startup\

OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-F400-7760-000000000003}\_SC_Acrobat.exe [2009-10-15 295606]

Adobe Acrobat Synchronizer.lnk - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe [2006-10-22 734872]

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-2-22 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-11-17 21:27 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]

@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\WINDOWS\\system32\\dpnsvr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\WINDOWS\\system32\\lxbucoms.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [17/08/2008 11:41 333192]

R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [17/11/2009 21:27 360584]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [17/11/2009 21:27 285392]

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [20/01/2008 00:33 717296]

S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [03/11/2006 19:19 13592]

S3 imhidusb;Immersion's HID USB Driver;c:\windows\system32\drivers\imhidusb.sys [26/01/2005 10:56 30984]

S3 KS-959;Kingsun KS-959 USB Infrared Adapter;c:\windows\system32\drivers\KS-959.sys [18/10/2005 18:09 19018]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [13/10/2008 16:44 138112]

S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [13/10/2008 16:44 8320]

S3 SaiHFFB5;SaiHFFB5;c:\windows\system32\drivers\SaiHFFB5.sys [26/01/2005 10:56 56576]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.co.uk/

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s

IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Open Picture in &Microsoft PhotoDraw - c:\progra~1\MICROS~3\Office\1033\phdintl.dll/phdContext.htm

IE: {{08E730A4-FB02-45BD-A900-01E4AD8016F6} - Sky.com - your home for the latest news, sport and entertainment

Trusted Zone: kenyoninternational.com

TCP: {84448EC6-2832-4505-967C-BACCDCD54E90} = 90.207.238.97,87.86.189.16

DPF: Microsoft XML Parser for Java - http://file://c:\windows\Java\classes\xmldso.cab

DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://magnet.2020.net/virtualplanner/Core/Player/2020PlayerAX_Win32.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover

Rootkit scan 2009-12-14 19:46

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

LXBUCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXBUtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1981001023-1574323382-4245946488-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

Completion time: 2009-12-14 19:49:46

ComboFix-quarantined-files.txt 2009-12-14 19:49

ComboFix2.txt 2009-12-12 17:42

ComboFix3.txt 2009-12-10 06:40

Pre-Run: 49,121,329,152 bytes free

Post-Run: 49,140,154,368 bytes free

- - End Of File - - D7736AD16E799E1AEB5E399DFF4A0D7A

Posted
Hi Chiaz, I'm getting an error message on the website when I try to download the components of Panda ActiveScan 2.0; it's telling me "We're sorry. The download could not be completed due to an error. Please try again". I've tried a few times now but get the same error message every time.

Posted

I followed the link to the Kaspersky scanner, but that too is giving me an error message:

 

Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program. You must be online to update the Kaspersky Online Scanner 7 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7. [ERROR: Key is expired]

 

 

I've tried to run it a few times now and I'm getting the same message every time.

Posted

Hi Chiaz, third time lucky! BitDefender worked fine, I've copy-pasted the log file below:

 

BitDefender Online Scanner

Scan report generated at: Wed, Dec 16, 2009 - 22:39:34

Scan path: A:\;C:\;D:\;E:\;H:\;

Statistics
  Time: 02:15:39
  Files: 411548
  Folders: 10003
  Boot Sectors: 0
  Archives: 4158
  Packed Files: 27934

Results
  Identified Viruses: 4
  Infected Files: 5
  Suspect Files: 0
  Warnings: 0
  Disinfected: 0
  Deleted Files: 5

Engines Info
  Virus Definitions: 4731565
  Engine build: AVCORE v2.1 Windows/i386 11.0.0.26 (Oct 20 2009)
  Scan plugins: 17
  Archive plugins: 44
  Unpack plugins: 8
  E-mail plugins: 6
  System plugins: 4

Scan Settings
  First Action: Disinfect
  Second Action: Delete
  Heuristics: Yes
  Enable Warnings: Yes
  Scanned Extensions: *;
  Exclude Extensions:
  Scan Emails: Yes
  Scan Archives: Yes
  Scan Packed: Yes
  Scan Files: Yes
  Scan Boot: Yes

Scanned File -> Status
  C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\8\345b85c8-748fc353=>myf/y/AppletX.class -> Infected with: Trojan.Generic.IS.614610
  C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\8\345b85c8-748fc353=>myf/y/AppletX.class -> Deleted
  C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\8\345b85c8-748fc353 -> Updated
  C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\8\345b85c8-748fc353=>myf/y/LoaderX.class -> Infected with: Trojan.Generic.IS.617631
  C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\8\345b85c8-748fc353=>myf/y/LoaderX.class -> Deleted
  C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\8\345b85c8-748fc353 -> Updated
  C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\8\345b85c8-748fc353=>myf/y/PayloadX.class -> Infected with: Trojan.Generic.IS.616012
  C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\8\345b85c8-748fc353=>myf/y/PayloadX.class -> Deleted
  C:\Documents and Settings\Admin\Application Data\Sun\Java\Deployment\cache\6.0\8\345b85c8-748fc353 -> Updated
  C:\Program Files\BroadJump\Client Foundation\CFD.exe -> Detected with: Adware.Generic.85077
  C:\Program Files\BroadJump\Client Foundation\CFD.exe -> Deleted
  C:\System Volume Information\_restore{778370B5-45E1-4BF9-9046-14B74B53646D}\RP11\A0000950.exe -> Detected with: Adware.Generic.85077
  C:\System Volume Information\_restore{778370B5-45E1-4BF9-9046-14B74B53646D}\RP11\A0000950.exe -> Deleted

Posted

Ok, I've cleared the Java cache as you instructed.

Computer seems to be running fine now. I haven't had a repeat of any of the previous problems and it also seems to be running a lot quicker too :)

 

Thanks very much for all your help Chiaz, it's been very much appreciated.

 

Can I take it that I've got the all clear?

Posted

I think our work is done here - your PC should be clean now. :)

It's time to remove ComboFix.

Go to Start > Run

Type in the box:

combofix /uninstall

Note: the space between the X and the /uninstall

Press Enter.

This command will:

Delete the following:
    ComboFix and its associated files and folders.
    VundoFix backups, if present
    The C:\Deckard folder, if present
    The C:\_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
