malleusmalefic

Hi there,

I'm using Windows XP SP3. I'm having a good deal of trouble with both "Win32/Cryptor", "Packed.Monder" amongst others. AVG is also reporting "Trojan Horse Backdoor.Genericll.AJFO" and "Trojan Horse Rootkit-Pakes.M".

The main problem I am having is that when running in normal mode, my computer is suddenly restarting without warning!

Before this happens, typically AVG will become aware of about 3 - 6 sudden instances of infection - C:\Windows\System32\drivers\braviax.exe (cryptor) or C:\Windows\system32\drivers\ntfs.sys (rootkit-pakes) among others. And then the computer will surely restart.

Here is what I did before running DDS and GMER.

Firstly I ran a full scan in AVG (while in safe mode). I have the log of this if you need it.

After this, I ran AVG again, it removed 10 infections - I rebooted my computer and then installed the Malwarebites Anti-Malware scanner, updated it, renamed the .exe file and ran a quick scan which removed
a host of other infections.

After this, my computer wasn't restarting anymore, but I'm nearly certain the viruses are still around. In fact, I think it might have something to do with the fact that I'm disconnected from the internet now.

Here is what DDS gives me now:


DDS (Ver_09-07-30.01) - NTFSx86
Run by Owner at 20:26:17.59 on 16/08/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2553 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Genesys PC Camera Device\GenePccMon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\hdspmix.exe
C:\WINDOWS\system32\hdsp32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\NETGEAR\WG111v3\WG111v3.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [RGSC] e:\rockstar games\rockstar games social club\RGSCLauncher.exe /silent
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [GenePccMon.exe] c:\program files\genesys pc camera device\GenePccMon.exe
mRun: [nwiz] nwiz.exe /installquiet
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SxgTkBar] SxgTkBar.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Setup] d:\wsetup\Setup.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [HDSPTray2] hdspmix.exe
mRun: [HDSPTray1] hdsp32.exe
mRun: [AzMixerSel] c:\program files\realtek\audio\installshield\AzMixerSel.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [braviax]
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111v3\WG111v3.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-4 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-4 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-4 108552]
R1 oreans32;oreans32;c:\windows\system32\drivers\oreans32.sys [2009-5-26 33824]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-4 297752]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2007-10-9 38144]
S3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\system32\drivers\USBGENE.sys [2008-3-31 131584]
S3 hdsp;RME Hammerfall Audio Device;c:\windows\system32\drivers\hdsp.sys [2008-8-13 59392]
S3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\windows\system32\drivers\wg111v3.sys [2007-12-28 287232]
S3 SOFTXG;YAMAHA XG SoftSynthesizer;c:\windows\system32\drivers\sxgxgwdm.sys [2040-10-12 966784]

=============== Created Last 30 ================

2009-08-16 19:26 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-08-16 19:26 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-16 19:25 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-16 19:25 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-16 19:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-15 18:50 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-08-15 18:50 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-08-15 18:50 <DIR> --d----- c:\program files\iPod
2009-08-15 18:49 <DIR> --d----- c:\program files\iTunes
2009-08-15 18:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-08-14 12:01 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-08-04 20:08 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-08-04 20:08 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-04 20:08 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-04 20:07 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-08-04 20:07 <DIR> --d----- c:\program files\AVG
2009-08-04 20:07 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-08-04 19:45 <DIR> --d----- c:\docume~1\owner\applic~1\AVG8
2009-07-18 22:30 <DIR> --d----- c:\program files\Steam
2009-07-18 22:20 <DIR> --d----- c:\program files\1964
2009-07-18 22:16 552 a------- c:\windows\system32\d3d8caps.dat
2009-07-18 22:15 <DIR> --d----- c:\program files\Project64 1.6
2009-07-18 00:53 <DIR> --d----- c:\windows\system32\wbem\Repository

==================== Find3M ====================

2009-08-15 12:25 619,584 a------- c:\windows\system32\drivers\ntfs.sys
2009-06-04 20:30 606,208 a------- c:\windows\system32\REX Shared Library.dll
2009-06-04 20:30 2,101,248 a------- c:\windows\system32\ReWire.dll
2007-12-28 16:02 287,232 a------- c:\windows\inf\wg111v3\wg111v3.sys
2007-12-28 15:59 342,528 a------- c:\windows\inf\wg111v3\vista64\wg111v3.sys
2007-11-27 18:53 63,488 a------- c:\windows\inf\wg111v3\SetDrv64.exe
2007-11-27 18:52 32,768 a------- c:\windows\inf\wg111v3\SetDrv.exe
2006-12-15 12:30 315,392 a------- c:\windows\inf\wg111v3\InstallDriver.exe
2006-12-15 12:30 212,992 a------- c:\windows\inf\wg111v3\CopyWHQLDriver.exe
2006-12-15 12:30 98,304 a------- c:\windows\inf\wg111v3\UScanM.exe
2006-12-15 12:30 20,480 a------- c:\windows\inf\wg111v3\RTWUPath.exe
2006-12-15 12:30 19,968 a------- c:\windows\inf\wg111v3\RTWREFU.EXE

============= FINISH: 20:26:35.25 ===============



GMER (with the options you specified unticked) ran for ages and the resulting log was very small.

Thanks very much for your help with this.

Update.

I switched my laptop on for a minute to see how things were playing out. AVG and MalwareBytes have both recognised similar infections cropping up. Both Cryptor, Rootkit-pakes seem to still be there. For the time being, I'm going to keep the computer switched off, so that nothing will be different from the DDS post I've already submitted.

Any help would really be appreciated.

Attached Files

Attach.zip (4.2 KB, 4 views)

malleusmalefic

BUMP please! Sorry guys. My computer has been out action for days!