Trojan and Worm. SCtri.exe and c1234[1].exe [Solved]


#1
lostris
My antivirus software Avira keeps finding trojans and worms every 10 minutes or so. I've tried deleting and moving to quarantine but neither does anything.

The two main ones are:

C:\windows\system32\drivers\SCtri.exe
contains recognition pattern of the WORM/SdBot.735232.1 worm

c:\documents and settings\locaservice\...\c1234[1].exe
Is the TR/Dropper.Gen Trojan

And the other ones that are found when doing a virus check:
c:\windows\system32\host.exet.exe
c:\a.bat
c:\z8g5q3d3n2s9.exe
c:\ark3.tmp
c:\ark4.tmp
c:\ark5.tmp
c:\windows\system32\.exe
c:\windows\system32\urdvxx.exe
c:\system volume information\...\A0005459.exe
c:\windows\system32\esr.exe
c:\windows\system32\pyt.exe

I have SpyBot S&D, Malwarebytes and Spybuster and none of them help.

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:02:55, on 29/01/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\drivers\SCtri.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\SCtri.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1233085177609
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Service Controler Installer - Unknown owner - C:\WINDOWS\system32\drivers\SCtri.exe

--
End of file - 3435 bytes

Edited by lostris, 30 January 2009 - 05:11 PM.

#2
Thunderbird1988
Hello lostris,

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. :)

Thunderbird1988

#3
lostris
Hi, thanks for the quick response.

I had just reformatted my computer about 10 minutes before I got the viruses. So the computer contains no sensitive information.

Here's what happened. I reformatted. Then I inserted a CDR with my ethernet card driver on it and installed it. Then I connected to the internet. Then installed the rest of the drivers from the internet. Then downloaded and installed security software. Ran Avira and it found lots of viruses.

That was my 7th reformat in about two weeks. The only time my computer worked fine was after the 5th reformat, but then after three days I downloaded the Windows Updates Service Pack 2 and when I switched on my computer again I got a permanent black screen.

When I'm reformatting and at the partition screen there are two partitions. I only ever partition one of the partitions, the one that says c:. Do I need to partition the other one? Is this where the virus is? If I should partition this space, then after I do partition it do I leave it blank and then go on to partition the c: partition and reformat and install Windows on it?

I have a foreboding feeling that if I do reformat again I will have the viruses again.

Edited by lostris, 29 January 2009 - 06:04 PM.


#4
Thunderbird1988
Hello lostris,

As far as I know, a virus cannot store itself to a location that cannot be allocated by your operating system (Windows), so I don't think the virus lies in the unpartitioned space of your hard disk.

Please go to UploadMalware to upload a suspicious file for analysis.
  • Enter your username from this forum
  • Copy and paste the link to this thread
  • Browse for this filename: C:\windows\system32\drivers\SCtri.exe
  • In the comments, please mention that I asked you to upload this file
  • Click on Send File

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
Post the contents of GMER.txt in your next reply.

Before running a new scan let's clean out the temporary folders.
Download ATF Cleaner to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
  • Click the Extras button
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.

Use the Add Reply button and attach the file in your next post.

Thunderbird1988

#5
lostris
Did UploadMalware.

GMER Rootkit Scanner log:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-30 15:11:29
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.14 ----

SSDT F8B80624 ZwCreateThread
SSDT F8B80610 ZwOpenProcess
SSDT F8B80615 ZwOpenThread
SSDT F8B8061F ZwTerminateProcess
SSDT F8B8061A ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text ntoskrnl.exe!KeInitializeInterrupt + B67 804DA23C 1 Byte [ 06 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1E0 8050265C 4 Bytes [ 24, 06, B8, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 2F4 80502770 4 Bytes [ 10, 06, B8, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 30C 80502788 4 Bytes [ 15, 06, B8, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 510 8050298C 4 Bytes [ 1F, 06, B8, F8 ]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 560 805029DC 4 Bytes [ 1A, 06, B8, F8 ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)
AttachedDevice \FileSystem\Fastfat \Fat avgntmgr.sys (Avira AntiVir File Filter Driver Manager/Avira GmbH)

---- EOF - GMER 1.0.14 ----


Used ATF Cleaner.

In OTScanIt2 there isn't any 'Non-Microsoft' under Drivers; there's 'None', 'Safe List' and 'All'.
You didn't post the items to check in the 'Under Additional Scans' part.

#6
Thunderbird1988
Hello lostris,

I have written new instructions for OTScanIt2, could you please follow these?

  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Safe List.
  • Click the Extras button
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.

Use the Add Reply button and attach the file in your next post.

Thunderbird1988

#7
lostris
Ok thanks, OTScanIt2 is attached.

Attached Files



#8
Thunderbird1988
Open the OTScanIt2 folder and double-click on OTScanIt2.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).

Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Processes - Safe List]
YY -> sctri.exe -> %SystemRoot%\system32\drivers\SCtri.exe
YN -> teatimer.exe -> %ProgramFiles%\Spybot - Search & Destroy\TeaTimer.exe
[Win32 Services - Safe List]
YY -> (MSWindows) Network Windows Service [Win32_Own | Auto | Stopped] -> 
YY -> (Service Controler Installer) Service Controler Installer [Win32_Own | Auto | Running] -> %SystemRoot%\system32\drivers\SCtri.exe
[Registry - Safe List]
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell
YY -> %windir%\system32\drivers\SCtri.exe -> %SystemRoot%\system32\drivers\SCtri.exe
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
[Files/Folders - Created Within 30 Days]
NY -> 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY -> 3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY -> jdn.exe -> %SystemRoot%\System32\jdn.exe
NY -> SCtri.exe -> %SystemRoot%\System32\drivers\SCtri.exe
NY -> lui.exe -> %SystemRoot%\System32\lui.exe
NY -> i -> %SystemRoot%\System32\i
NY -> apg.exe -> %SystemRoot%\System32\apg.exe
[Custom Items]
:files
%SystemRoot%\System32\ykm.exe
%SystemRoot%\System32\vso.exe
c:\windows\system32\host.exet.exe
c:\a.bat
c:\z8g5q3d3n2s9.exe
c:\windows\system32\.exe
c:\windows\system32\urdvxx.exe
c:\windows\system32\esr.exe
c:\windows\system32\pyt.exe
:end
[Purity]
[Empty Temp Folders]
[Start Explorer]
[Reboot]

The fix should only take a very short time. When the fix is completed either a message box will popup telling you that it is finished or you will be asked to reboot to finish the fix. If it is finished, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that information back here.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.

Please also post a new HijackThis log.

Thunderbird1988

#9
lostris
Ok cheers. The OTScanIt2 log:

Process Explorer.EXE killed successfully!
[Processes - Safe List]
No active process named sctri.exe was found!
File move failed. C:\WINDOWS\system32\drivers\SCtri.exe scheduled to be moved on reboot.
Process teatimer.exe killed successfully!
[Win32 Services - Safe List]
Service MSWindows stopped successfully!
Service MSWindows deleted successfully!
File not found.
Unable to stop service Service Controler Installer!
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Service Controler Installer deleted successfully.
Unable to delete service Service Controler Installer!
C:\WINDOWS\system32\drivers\SCtri.exe moved successfully.
[Registry - Safe List]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell:%windir%\system32\drivers\SCtri.exe deleted successfully.
File C:\WINDOWS\system32\drivers\SCtri.exe not found.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\System32\jdn.exe moved successfully.
File C:\WINDOWS\System32\drivers\SCtri.exe not found!
C:\WINDOWS\System32\lui.exe moved successfully.
C:\WINDOWS\System32\i moved successfully.
C:\WINDOWS\System32\apg.exe moved successfully.
[Custom Items]
========== FILES ==========
Folder C:\WINDOWS\System32\ykm.exe not found.
Folder C:\WINDOWS\System32\vso.exe not found.
File/Folder c:\windows\system32\host.exet.exe not found.
File/Folder c:\a.bat not found.
File/Folder c:\z8g5q3d3n2s9.exe not found.
File/Folder c:\windows\system32\.exe not found.
File/Folder c:\windows\system32\urdvxx.exe not found.
File/Folder c:\windows\system32\esr.exe not found.
File/Folder c:\windows\system32\pyt.exe not found.
[Purity]
Purity scan complete.
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Windows Temp folder emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt2 by OldTimer - Version 1.0.7.1 fix logfile created on 01312009_211858

Files moved on Reboot...
File C:\WINDOWS\system32\drivers\SCtri.exe not found!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat moved successfully.

Registry entries deleted on Reboot...

The DrWeb report:

A0006516.exe;C:\System Volume Information\_restore{C1E882A6-7904-4D53-86E4-44C62BC4E9D2}\RP11;Win32.Virut.30;Cured.;
cds.exe;C:\WINDOWS\system32;BackDoor.IRC.Rxbot.46;Deleted.;
sxn.exe;C:\WINDOWS\system32;BackDoor.IRC.Rxbot.46;Deleted.;
apg.exe;C:\_OTScanIt\MovedFiles\01312009_211858\C_WINDOWS\system32;BackDoor.IRC.Rxbot.46;Deleted.;
jdn.exe;C:\_OTScanIt\MovedFiles\01312009_211858\C_WINDOWS\system32;BackDoor.IRC.Rxbot.46;Deleted.;
lui.exe;C:\_OTScanIt\MovedFiles\01312009_211858\C_WINDOWS\system32;BackDoor.IRC.Rxbot.46;Deleted.;
SCtri.exe;C:\_OTScanIt\MovedFiles\01312009_211858\C_WINDOWS\system32\drivers;BackDoor.IRC.Rxbot.46;Deleted.;

Hijackthis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:44:17, on 31/01/2009
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1233085177609
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

--
End of file - 3130 bytes
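As an added illustration (not part of the thread or of any tool used in it), the two HijackThis lines this thread turns on are the F2 Winlogon Shell entry and the O23 service with an unknown owner. The checker below pulls those out of a log; the sample excerpts are copied from the logs in post #1 (before the fix) and post #9 (after), and the flagging rules are my assumptions rather than HijackThis's own logic.

```python
"""Flag two persistence patterns in a HijackThis log: a Winlogon Shell value
that runs anything besides Explorer.exe (F2 line), and a service (O23 line)
with an unknown owner or an .exe living in system32\\drivers, where only
.sys files are expected."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed excerpts, copied from the two HijackThis logs in this thread.
BEFORE_FIX = """\
F2 - REG:system.ini: Shell=Explorer.exe %windir%\\system32\\drivers\\SCtri.exe
O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe" /min
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avguard.exe
O23 - Service: Service Controler Installer - Unknown owner - C:\\WINDOWS\\system32\\drivers\\SCtri.exe
"""
AFTER_FIX = """\
F2 - REG:system.ini: Shell=Explorer.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avguard.exe
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "shell-extra" or "service"
    detail: str  # the suspicious Shell value or service binary path
    line: str    # the raw log line it came from


def _parse_o23(line: str) -> Optional[Tuple[str, str, str]]:
    """Split 'O23 - Service: <desc> - <owner> - <path>' from the right, because
    the description itself can contain ' - ' (the Avira entries do)."""
    body = line[len("O23 - Service: "):]
    parts = body.rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    desc, owner, path = (p.strip() for p in parts)
    return desc, owner, path


def analyze_hjt_log(text: str) -> List[Finding]:
    """Return the suspicious F2/O23 entries found in a HijackThis log."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("F2 - REG:system.ini: Shell="):
            shell = line.split("Shell=", 1)[1].strip()
            # The XP default is exactly "Explorer.exe"; anything appended is
            # launched by winlogon at every logon, before the desktop appears.
            if shell.lower() != "explorer.exe":
                findings.append(Finding("shell-extra", shell, line))
        elif line.startswith("O23 - Service: "):
            parsed = _parse_o23(line)
            if parsed is None:
                continue
            _desc, owner, path = parsed
            low = path.lower()
            # Heuristic (my assumption): an unknown owner, or an executable
            # placed in the drivers folder, is worth a closer look.
            if owner.lower() == "unknown owner" or (
                "\\drivers\\" in low and low.endswith(".exe")
            ):
                findings.append(Finding("service", path, line))
    return findings


if __name__ == "__main__":
    for label, log in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        hits = analyze_hjt_log(log)
        print(f"{label}: {len(hits)} finding(s)")
        for f in hits:
            print(f"  [{f.kind}] {f.detail}")
```

Running it shows two findings for the first log (the Shell value and the SCtri.exe service) and none for the post-fix log, which matches what the fix log in post #9 reports as removed.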

#10
lostris
I ran Avira and these are the viruses that it's finding now:

c:\documents and settings\administrator\...\swfobject[1].js
c:\system volume information\...\A0006524.exe
c:\system volume information\...\A0006566.exe
c:\system volume information\...\A0006567.exe
c:\system volume information\...\A0006568.exe
c:\system volume information\...\A0006571.exe
c:\system volume information\...\A0006573.exe
c:\windows\system32\hob.exe
c:\windows\system32\jaf.exe
c:\windows\system32\pdh.exe
c:\windows\system32\notepad.exe
c:\windows\system32\logon.scr

And I've had this error message once, which I was getting before, about NT AUTHORITY\SYSTEM, which counts down from 60 seconds then shuts down and restarts the computer. It says it's c:\Windows\system32\lsass.exe, and something about "terminated with status code 0". Sorry, I should have mentioned this message earlier but thought it was part of SCtri.

Edited by lostris, 31 January 2009 - 06:44 PM.

#11
Thunderbird1988
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Thunderbird1988

#12
lostris
When I double-click ComboFix I get the message:
"Windows cannot find 'c:\docume~1\admini~1\temp\4.tmp\Prep.cmd'"

Each message is different, with the number before .tmp increasing by one each time.

Also, when I switched on my computer today Avira could no longer open. When I try to reinstall or remove it I get the message: "The CRC sum of c:\program files\avira\antivir personaledition classic\setup.exe has been changed! This could be due to virus."

Edited by lostris, 01 February 2009 - 06:08 PM.


#13
Thunderbird1988
Hello lostris,

Please make sure Avira is completely disabled; after that, please download a new copy of ComboFix and try whether you can run it.

Can you repair Avira by downloading a new Avira installer from here and then running it?

Thunderbird1988

#14
lostris
Hi Thunderbird, thank you for all the help you give me.

Avira wouldn't work again no matter what I tried, and ComboFix wouldn't open either, no matter what I tried.

So I reformatted my computer again. I had the drivers and security software on a new CDR.

I installed the drivers and then the security software. Then I installed the internet. Then I updated the security software. I then installed my two remaining uninstalled drivers. Immediately after that AntiVir found two viruses; they were:

c:\windows\system32\axxh.exe
c:\windows\system32\isass.exe

Then I restarted. Ran AntiVir and found no viruses. Then some time after it was finished it found:

c:\windows\system32\jybxy.exe
c:\windows\system32\iexplore.exe

I restarted my computer and got a message that there was a problem with iexplorer. Then AntiVir found:

c:\windows\system32\iexplore.exe
c:\windows\system32\bxuop.exe - which appeared three times in a row

Not long later it found:

c:\windows\system32\lldyvfwf.exe
c:\windows\system32\ncsphmu.exe

I also then got a message from Messenger Service telling me the operating system registry may have errors and to go to www.restorefix.com. Then AntiVir got:

c:\windows\system32\TFTP3432

I have also posted this in the thread http://www.geekstogo...68#entry1448868, which I just got a reply to a few days ago.

Edited by lostris, 03 February 2009 - 04:57 AM.


#15
Thunderbird1988
Hello lostris,

Please make sure you are helped by only one helper. If you are helped by more than one person, it is very likely the fixes are going to interfere with each other.

Please do the following:

  • 1 - Flash Drive Disinfector
    Download Flash_Disinfector.exe by sUBs from >here< and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder...it will help protect your drives from future infection.

Now that you have your computer formatted, please try whether ComboFix will work now:

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

Please make sure your pendrive is still inserted when you run Combofix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Thunderbird1988