Unknown Virus - turns off explorer.exe
Xenonz New Member Date Joined Nov 2007 Total Posts : 3 Posted 11-24-2007 12:41 (GMT +1)

Hello! I've been infected with some kind of virus. I'm not sure what it is; I only know that it turns off my explorer.exe. When I run explorer.exe again, it turns on and off, on and off etc. for ~5-15 minutes, then it turns off and does not try to turn on again. This occurred after I was stupid enough to not virus check a crack I downloaded, and my anti-virus can't find it. I'm currently using Panda Anti-Virus, and I did a search with F-Secure earlier. Neither can find anything; the only thing Panda could find was Steam.A, which I've probably had for more than 4 months, because it was in a Warhammer 40k folder in the "Temp" folder, and it was quite a while ago I DL'd that. Are there any known viruses which do this? Could it be something else?

Logfile of HijackThis v1.99.1
Scan saved at 12:29:27, on 2007-11-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program\Panda Security\Panda Antivirus 2008\pavsrv51.exe
D:\Program\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Delade filer\InterVideo\RegMgr\iviRegMgr.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Program\Microsoft Private Folder 1.0\PrfldSvc.exe
D:\Program\Panda Security\Panda Antivirus 2008\psimsvc.exe
D:\Program\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
D:\Program\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program\Delade filer\Logitech\LCD Manager\lcdmon.exe
C:\Program\Delade filer\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Delade filer\InstallShield\UpdateService\ISUSPM.exe
C:\Program\Delade filer\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program\Delade filer\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program\Delade filer\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program\Delade filer\Logitech\LCD Manager\Applets\LCDPOP3.exe
D:\Program\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
C:\Program\MSN Messenger\MsnMsgr.Exe
D:\spel\steam2\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\ECP2\ESC2\esc2.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
C:\Program\Delade filer\Logitech\KhalShared\KHALMNPR.EXE
D:\Program\Panda Security\Panda Antivirus 2008\WebProxy.exe
D:\Program\Panda Security\Panda Antivirus 2008\AvltMain.exe
C:\Program\MSN Messenger\usnsvc.exe
C:\Program\Internet Explorer\IEXPLORE.EXE
C:\Program\Mozilla Firefox\firefox.exe
C:\Program Files\VentriloMIX\Ventrilo 2.1.4.exe
D:\Program\uTorrent\utorrent.exe
D:\Program\Panda Security\Panda Antivirus 2008\psimreal.exe
D:\PROGRAM\WINZIP\winzip32.exe
C:\Documents and Settings\Tim Lindblom\Lokala inställningar\Temp\wz4010\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program\Delade filer\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program\Delade filer\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program\Delade filer\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\TIMLIN~1\LOKALA~1\Temp\{2E01B0D7-C383-4553-8E0E-C85C2F196604}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x001d"
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\spel\steam2\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\Program\THEPRI~1\THEPRI~1.EXE" /startup
O4 - HKCU\..\Run: [E-Sport Client 2] "C:\Program\ECP2\ESC2\esc2.exe"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168033486201
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program\Delade filer\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program\DELADE~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program\Delade filer\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - D:\Program\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Program\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - D:\Program\Panda Security\Panda Antivirus 2008\psimsvc.exe
O23 - Service: Root - Unknown owner - D:\Program\MySQL\MySQL.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) MO (RPCSE) - Unknown owner - C:\Program\Intel\Intel (file missing)
kHaoS New Member Date Joined Dec 2007 Total Posts : 20 Posted 12-10-2007 4:52 (GMT +1)

Don't know if you managed to clean it yourself, but I made that exact same stupid mistake. Touch helped me get rid of it, you can read the thread here: http://www.bullguard.com/forum/5/Explorerexe--shuts-down-after-_57302.html
Xenonz New Member Date Joined Nov 2007 Total Posts : 3 Posted 12-18-2007 5:44 (GMT +1)

What program fixed it for you? Because ComboFix doesn't seem to work for me, I get an error saying "Nircmd.exe could not be found" or something in that line.
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 13812 Posted 12-18-2007 5:49 (GMT +1)

Hi Xenonz
See if this version is better -
Please download Combofix:
and save to the desktop.
Close all other browser windows.
Important -> Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".

Go to Start --> Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /killall

When finished, it will produce a logfile located at C:\ComboFix.txt.
Post the contents of that log in your next reply with a new HijackThis log.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to stall/hang.
Do NOT post your problem in someone else's thread.
Xenonz New Member Date Joined Nov 2007 Total Posts : 3 Posted 12-18-2007 6:14 (GMT +1)

The newer version worked and the explorer error is gone! I'll post the logs just to be sure there's nothing left :) ComboFix in blue, HijackThis in purple.

ComboFix 07-12-18.1 - Tim Lindblom 2007-12-18 17:57:50.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.180 [GMT 1:00]
Running from: C:\Documents and Settings\Tim Lindblom\Skrivbord\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Tim Lindblom\Application Data\macromedia\Flash Player\#SharedObjects\F4KZQJFA\www.broadcaster.com
C:\Documents and Settings\Tim Lindblom\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Tim Lindblom\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
.
((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.
2007-12-18 17:43 . 2007-12-18 17:43 <KAT> d-------- C:\Documents and Settings\Tim Lindblom\Application Data\SUPERAntiSpyware.com
2007-12-18 17:43 . 2007-12-18 17:43 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-13 18:05 . 2007-12-13 18:05 <KAT> d-------- C:\Program\7-Zip
2007-12-12 03:00 . 2007-12-12 03:00 <KAT> d-------- C:\Program\Microsoft CAPICOM 2.1.0.2
2007-12-10 16:39 . 2004-08-04 09:34 54,272 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-12-10 16:39 . 2004-08-04 09:34 54,272 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-12-10 16:39 . 2004-08-04 09:34 20,992 --a------ C:\WINDOWS\system32\dshowext.ax
2007-12-10 16:39 . 2004-08-04 09:34 20,992 --a--c--- C:\WINDOWS\system32\dllcache\dshowext.ax
2007-12-10 16:39 . 2007-12-18 18:03 0 --a------ C:\WINDOWS\system32\drivers\lvuvc.hs
2007-12-10 16:31 . 2007-12-10 16:39 <KAT> d-------- C:\Program\Delade filer\LogiShrd
2007-12-10 16:21 . 2004-08-04 07:07 59,264 --a------ C:\WINDOWS\system32\drivers\USBAUDIO.sys
2007-12-10 16:21 . 2004-08-04 07:07 59,264 --a--c--- C:\WINDOWS\system32\dllcache\usbaudio.sys
2007-12-04 17:08 . 2007-12-04 17:08 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2007-11-30 10:57 . 2007-11-30 10:57 244 --ah----- C:\sqmnoopt19.sqm
2007-11-30 10:57 . 2007-11-30 10:57 232 --ah----- C:\sqmdata19.sqm
2007-11-29 22:55 . 2007-11-29 22:55 244 --ah----- C:\sqmnoopt18.sqm
2007-11-29 22:55 . 2007-11-29 22:55 232 --ah----- C:\sqmdata18.sqm
2007-11-27 20:45 . 2007-11-27 20:45 244 --ah----- C:\sqmnoopt17.sqm
2007-11-27 20:45 . 2007-11-27 20:45 232 --ah----- C:\sqmdata17.sqm
2007-11-25 13:37 . 2007-11-25 13:37 <KAT> d--hs---- C:\WINDOWS\ftpcache
2007-11-25 13:36 . 2007-11-25 13:36 266 --a------ C:\WINDOWS\game.ini
2007-11-24 21:45 . 2007-12-04 15:49 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-11-24 21:45 . 2007-11-24 21:45 1,409 --a------ C:\WINDOWS\QTFont.for
2007-11-24 02:49 . 2007-11-24 02:52 <KAT> d-------- C:\Program\Panda Security
2007-11-24 01:28 . 2007-11-24 01:28 236 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-11-24 01:16 . 2007-11-27 07:59 <KAT> d-------- C:\WINDOWS\system32\PAV
2007-11-24 01:16 . 2007-11-24 01:16 <KAT> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2007-11-24 01:16 . 2007-06-06 11:43 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-11-24 01:16 . 2007-03-15 18:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2007-11-24 01:16 . 2007-02-15 20:02 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-11-23 17:49 . 2007-11-23 18:05 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-23 17:49 . 2007-11-23 18:05 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-11-23 17:49 . 2007-11-23 18:05 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-23 17:48 . 2007-11-23 18:56 <KAT> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-23 07:03 . 2007-11-25 13:17 317 --ahs---- C:\WINDOWS\system32\qstwa.ini
2007-11-21 21:48 . 2007-11-24 01:47 <KAT> d-------- C:\Program\Mozilla Firefox 3 Beta 1
2007-11-18 20:07 . 2007-11-18 20:07 <KAT> d-------- C:\WINDOWS\system32\Futuremark
2007-11-18 20:07 . 2007-11-18 20:07 <KAT> d-------- C:\Program\Delade filer\Futuremark Shared
2007-11-18 20:07 . 2007-11-18 20:07 <KAT> d-------- C:\Documents and Settings\Tim Lindblom\Application Data\InstallShield
2007-11-18 20:07 . 2007-10-11 11:55 27,672 -ra------ C:\WINDOWS\system32\drivers\Entech.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-18 17:01 --------- d-----w C:\Documents and Settings\Tim Lindblom\Application Data\uTorrent
2007-12-18 16:43 --------- d-----w C:\Program\Delade filer\Wise Installation Wizard
2007-12-17 14:27 --------- d-----w C:\Documents and Settings\Tim Lindblom\Application Data\Hamachi
2007-12-15 22:01 --------- d-----w C:\Program\mIRC
2007-12-13 02:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-10 15:31 --------- d-----w C:\Program\Logitech
2007-12-10 15:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2007-12-10 15:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-12-05 14:38 --------- d-----w C:\Program\Joost
2007-11-25 20:25 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2007-11-25 12:36 --------- d--h--w C:\Program\InstallShield Installation Information
2007-11-24 01:03 --------- d-----w C:\Program\DAEMON Tools
2007-11-24 00:25 --------- d-----w C:\Program\Bredbandsbolaget Security Services
2007-11-23 17:40 --------- d-----w C:\Program\MSN Messenger
2007-11-23 17:33 --------- d-----w C:\Program\Bonjour
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 22:32 --------- d-----w C:\Program\PopCap Games
2007-11-09 17:58 --------- d-----w C:\Program\BSplayerPro
2007-11-09 17:58 --------- d-----w C:\Documents and Settings\Tim Lindblom\Application Data\BSplayer Pro
2007-11-09 17:55 --------- d-----w C:\Program\Apple Software Update
2007-11-09 17:44 --------- d-----w C:\Program\Delade filer\Teleca Shared
2007-11-04 15:39 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-11-04 15:39 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_LMouFilt_01005.Wdf
2007-11-02 12:07 --------- d-----w C:\Program\Delade filer\Logitech
2007-10-19 12:16 2,109,976 ----a-w C:\WINDOWS\system32\drivers\Lvckap.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:55]
"Steam"="d:\spel\steam2\steam.exe" [2007-11-30 10:56]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:34]
"ThePrivacyGuard"="C:\Program\THEPRI~1\THEPRI~1.exe" []
"E-Sport Client 2"="C:\Program\ECP2\ESC2\esc2.exe" [2007-09-20 09:35]
"SUPERAntiSpyware"="D:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 09:34 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-09-17 00:07 C:\WINDOWS\system32\nwiz.exe]
"Launch LCDMon"="C:\Program\Delade filer\Logitech\LCD Manager\lcdmon.exe" [2006-11-09 12:45]
"Launch LGDCore"="C:\Program\Delade filer\Logitech\G-series Software\LGDCore.exe" [2006-11-09 13:10]
"SoundMan"="SOUNDMAN.EXE" [2004-06-18 09:31 C:\WINDOWS\SOUNDMAN.EXE]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"ISUSPM"="C:\Program\Delade filer\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 16:34]
"TkBellExe"="C:\Program\Delade filer\Real\Update_OB\realsched.exe" [2007-03-22 07:39]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 09:34 C:\WINDOWS\system32\rundll32.exe]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 C:\WINDOWS\KHALMNPR.Exe]
"APVXDWIN"="D:\Program\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]
"PWRISOVM.EXE"="D:\Program\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05]
"LogitechCommunicationsManager"="C:\Program\Delade filer\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 16:33]
"LogitechQuickCamRibbon"="C:\Program\Logitech\QuickCam\Quickcam.exe" [2007-10-25 16:37]
"RegistryMechanic"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:34]

C:\Documents and Settings\Tim Lindblom\Start-meny\Program\Autostart\
hamachi.lnk - D:\Program\Hamachi\hamachi.exe [2006-12-26 00:13:14]

C:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Logitech SetPoint.lnk - C:\Program\Logitech\SetPoint\SetPoint.exe [2007-11-02 13:07:34]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyxvv]
ddcyxvv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start-meny^Program^Autostart^Wowhead Client.lnk]
path=C:\Documents and Settings\All Users\Start-meny\Program\Autostart\Wowhead Client.lnk
backup=C:\WINDOWS\pss\Wowhead Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tim Lindblom^Start-meny^Program^Autostart^Adobe Gamma.lnk]
path=C:\Documents and Settings\Tim Lindblom\Start-meny\Program\Autostart\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Tim Lindblom^Start-meny^Program^Autostart^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Documents and Settings\Tim Lindblom\Start-meny\Program\Autostart\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
2006-06-12 14:32 700416 --------- C:\Program\Creative\Sync Manager Unicode\CTSyncU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 00:47 31016 --a------ C:\Program\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogonStudio]
C:\Program\WinCustomize\LogonStudio\logonstudio.exe /RANDOM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MtdAcqu]
C:\Program\Creative\MediaSource5\MtdAcqu.exe /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
C:\Program\Skype\Phone\Skype.exe /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-07-12 03:00 132496 --a------ C:\Program\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SysMetrix]
2006-02-25 21:09 2637824 --a------ D:\Program\SysMetrix\SysMetrix.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program\Delade filer\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"VSS"=3 (0x3)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TlntSvr"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"mnmsrvc"=3 (0x3)
"Netlogon"=3 (0x3)
"SwPrv"=3 (0x3)
"helpsvc"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"ERSvc"=2 (0x2)
"MSDTC"=3 (0x3)
"TrkWks"=2 (0x2)
"Dnscache"=2 (0x2)

R2 LBeepKE;LBeepKE;C:\WINDOWS\system32\Drivers\LBeepKE.sys [2006-09-01 12:32]
R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 07:22]
R2 PSTRIP;PSTRIP;C:\WINDOWS\system32\drivers\PSTRIP.sys [2004-11-09 22:32]
R2 Root;Root;"D:\Program\MySQL\MySQL Server 5.0\bin\mysqld-nt" --defaults-file="D:\Program\MySQL\MySQL Server 5.0\my.ini" Root []
R3 LUsbFilt;Logitech SetPoint KMDF USB Filter;C:\WINDOWS\system32\Drivers\LUsbFilt.Sys [2007-04-11 15:33]
S2 RPCSE;Remote Procedure Call (RPC) MO;C:\Program\Intel\Intel []
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 18:05:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-18 18:07:24 - machine was rebooted
.
2007-12-13 02:05:15 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:12:29, on 2007-12-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
D:\Program\Panda Security\Panda Antivirus 2008\pavsrv51.exe
D:\Program\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\Delade filer\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\ATKKBService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program\Delade filer\InterVideo\RegMgr\iviRegMgr.exe
C:\Program\Delade filer\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\nvsvc32.exe
D:\Program\Microsoft Private Folder 1.0\PrfldSvc.exe
D:\Program\Panda Security\Panda Antivirus 2008\psimsvc.exe
D:\Program\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
D:\Program\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Delade filer\Logitech\LCD Manager\lcdmon.exe
C:\Program\Delade filer\Logitech\G-series Software\LGDCore.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Delade filer\InstallShield\UpdateService\ISUSPM.exe
C:\Program\Delade filer\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
D:\Program\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
D:\Program\PowerISO\PWRISOVM.EXE
C:\Program\Delade filer\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program\Logitech\QuickCam\Quickcam.exe
C:\Program\MSN Messenger\MsnMsgr.Exe
C:\Program\Delade filer\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program\Delade filer\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\Program\Delade filer\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program\Delade filer\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program\Logitech\SetPoint\SetPoint.exe
D:\Program\Hamachi\hamachi.exe
C:\Program\Delade filer\Logitech\KhalShared\KHALMNPR.EXE
D:\Program\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program\Delade filer\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\system32\notepad.exe
C:\Program\Mozilla Firefox\firefox.exe
C:\Program Files\VentriloMIX\Ventrilo 2.1.4.exe
C:\Documents and Settings\Tim Lindblom\Skrivbord\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Launch LCDMon] "C:\Program\Delade filer\Logitech\LCD Manager\lcdmon.exe"
O4 - HKLM\..\Run: [Launch LGDCore] "C:\Program\Delade filer\Logitech\G-series Software\LGDCore.exe" /SHOWHIDE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ISUSPM] "C:\Program\Delade filer\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [TkBellExe] "C:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [APVXDWIN] "D:\Program\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [PWRISOVM.EXE] D:\Program\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program\Delade filer\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Steam] "d:\spel\steam2\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ThePrivacyGuard] "C:\Program\THEPRI~1\THEPRI~1.EXE" /startup
O4 - HKCU\..\Run: [E-Sport Client 2] "C:\Program\ECP2\ESC2\esc2.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\Program\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: hamachi.lnk = D:\Program\Hamachi\hamachi.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: hamachi.lnk = D:\Program\Hamachi\hamachi.exe (User 'Default user')
O4 - Startup: hamachi.lnk = D:\Program\Hamachi\hamachi.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1168033486201
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program\DELADE~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcyxvv - ddcyxvv.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program\Delade filer\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program\Delade filer\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program\Delade filer\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program\Delade filer\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - D:\Program\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - D:\Program\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - D:\Program\Microsoft Private Folder 1.0\PrfldSvc.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - D:\Program\Panda Security\Panda Antivirus 2008\psimsvc.exe
O23 - Service: Root - Unknown owner - D:\Program\MySQL\MySQL.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) MO (RPCSE) - Unknown owner - C:\Program\Intel\Intel (file missing)

-- End of file - 8711 bytes
Touch Forum Moderator Date Joined Jun 2004 Total Posts : 13812 Posted 12-20-2007 7:36 (GMT +1)

Run HijackThis and place a check beside each of the following. Close all other browser windows except HJT. Click "Fix checked":

O20 - Winlogon Notify: ddcyxvv - ddcyxvv.dll (file missing)
Reboot and tell how things are running
Do NOT post your problem in someone else's thread.
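The entry Touch singles out is a Winlogon Notify package whose DLL is no longer on disk, and the logs above also carry autostarts that run out of a Temp directory and services with no owner and no binary; all three are the kind of line a helper scans a HijackThis log for first. As an added example (not code from the thread or from HijackThis), here is a small Python triage that flags those three patterns; the sample lines are constructed from entries quoted in the thread, and the flagging rules are this example's own heuristics, so a hit means "look at this", not "malware".

```python
"""Triage of HijackThis log entries of the kinds this thread turns on.

Added example, not code from the forum or from HijackThis. The sample
lines are constructed from entries quoted in the thread; the rules that
flag them are this example's own heuristics, not HijackThis logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis text format for the three entry types handled here:
#   O4  - <hive or folder>: [<name>] <command line>
#   O20 - Winlogon Notify: <subkey> - <dll> [(file missing)]
#   O23 - Service: <display name> - <vendor> - <binary path> [(file missing)]
O4_RE = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.+?)(?P<missing> \(file missing\))?$"
)
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Lower-cased path fragments meaning "runs out of a temp directory".
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")

# Sample input, constructed from lines quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LanzarL2007] "C:\DOCUME~1\TIMLIN~1\LOKALA~1\Temp\{2E01B0D7-C383-4553-8E0E-C85C2F196604}\{D1DA2BA7-2592-4036-9BB2-DCCABDE8DC1A}\..\..\L2007tmp\Setup.exe" /SETUP:"/l0x001d"
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program\Logitech\SetPoint\SetPoint.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddcyxvv - ddcyxvv.dll (file missing)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Root - Unknown owner - D:\Program\MySQL\MySQL.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) MO (RPCSE) - Unknown owner - C:\Program\Intel\Intel (file missing)
"""


@dataclass
class Finding:
    entry: str   # HijackThis section, e.g. "O20"
    name: str    # Run value name, notify subkey or service display name
    reason: str  # why the line was flagged
    line: str    # the original log line


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    line = line.strip()

    m = O20_RE.match(line)
    if m:
        if m.group("missing"):
            # The registry still tells winlogon to load a package that is gone:
            # a half-cleaned infection or an orphan, and either way the key goes.
            return Finding("O20", m.group("name"), "winlogon notify DLL missing on disk", line)
        if "\\" not in m.group("dll"):
            # Bare filename: winlogon finds it via the DLL search path, so there
            # is no vendor directory to judge it by.
            return Finding("O20", m.group("name"), "winlogon notify DLL given without a path", line)
        return None

    m = O23_RE.match(line)
    if m and m.group("missing") and m.group("vendor") == "Unknown owner":
        # Unsigned/unknown vendor plus a binary that no longer exists.
        return Finding("O23", m.group("name"), "service with unknown owner and missing binary", line)

    m = O4_RE.match(line)
    if m and any(t in m.group("cmd").lower() for t in TEMP_MARKERS):
        # Installed software autostarts from Program Files or system32, not Temp.
        return Finding("O4", m.group("name"), "autostart command runs from a Temp directory", line)

    return None


def triage(log: str) -> List[Finding]:
    """Run every line of a HijackThis log through triage_line and keep the hits."""
    hits = []
    for raw in log.splitlines():
        finding = triage_line(raw)
        if finding:
            hits.append(finding)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit.entry}] {hit.name}: {hit.reason}")
```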