Malware, Causing 60sec shutdown



cs2h0ai
2009-01-07, 15:05
Hello guys, I am currently experiencing the "Services and Controllers app" problem, which makes my computer automatically shut down within 60 seconds...

I have read other threads, therefore I am pretty sure I know what I need to provide for you guys, just to make things easier.

Here is my log.txt from ComboFix.

ComboFix 09-01-05.05 - Cuong 2009-01-07 14:51:43.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.721 [GMT -8:00]
Running from: c:\documents and settings\Cuong\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1296 [VPS 090106-1] *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cr6S42ce.exe.a_a
c:\windows\system32\ET2qt5yL.exe.a_a

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV


((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-07 13:21 . 2009-01-07 13:21 <DIR> d-------- c:\windows\ERUNT
2009-01-07 05:05 . 2005-11-09 00:26 38,400 --a------ c:\windows\system32\moveex.exe
2009-01-07 04:59 . 2009-01-07 13:29 <DIR> d-------- C:\SDFix
2008-12-12 18:49 . 2008-12-12 18:49 <DIR> d-------- c:\program files\CCleaner
2008-12-12 18:08 . 2008-12-12 18:08 <DIR> d-------- c:\program files\Alwil Software
2008-12-12 18:08 . 2003-03-18 13:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2008-12-12 17:59 . 2008-12-13 22:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-12-11 14:17 . 2008-12-01 14:35 593,920 --------- c:\windows\system32\ati2sgag.exe
2008-12-11 02:08 . 2008-12-11 02:08 <DIR> d-------- c:\program files\Lavalys
2008-12-11 00:08 . 2008-12-11 00:08 <DIR> d-------- c:\documents and settings\Cuong\Application Data\CyberLink
2008-12-11 00:07 . 2008-12-11 00:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\CyberLink
2008-12-11 00:06 . 2008-12-11 00:07 <DIR> d-------- c:\program files\CyberLink
2008-12-11 00:06 . 2008-12-11 00:06 <DIR> d-------- c:\program files\Common Files\CyberLink
2008-12-10 21:55 . 2008-12-10 21:55 <DIR> d-------- c:\program files\Microsoft SQL Server Compact Edition
2008-12-10 21:04 . 2008-12-10 21:04 <DIR> d-------- c:\program files\ATITool
2008-12-10 20:51 . 2008-12-10 20:51 <DIR> d-------- c:\program files\PC Wizard 2008
2008-12-10 20:51 . 2007-09-15 15:11 27,136 --a------ c:\windows\system32\PCWizard.cpl
2008-12-10 19:28 . 2008-12-10 19:28 200 --a------ C:\sqmnoopt19.sqm
2008-12-10 19:28 . 2008-12-10 19:28 200 --a------ C:\sqmdata19.sqm
2008-12-10 18:37 . 2008-12-10 18:37 200 --a------ C:\sqmnoopt18.sqm
2008-12-10 18:37 . 2008-12-10 18:37 200 --a------ C:\sqmdata18.sqm
2008-12-10 12:04 . 2008-12-10 12:04 200 --a------ C:\sqmnoopt17.sqm
2008-12-10 12:04 . 2008-12-10 12:04 200 --a------ C:\sqmdata17.sqm
2008-12-10 12:00 . 2008-12-10 12:00 200 --a------ C:\sqmnoopt16.sqm
2008-12-10 12:00 . 2008-12-10 12:00 200 --a------ C:\sqmdata16.sqm
2008-12-10 11:53 . 2008-12-10 11:53 200 --a------ C:\sqmnoopt15.sqm
2008-12-10 11:53 . 2008-12-10 11:53 200 --a------ C:\sqmdata15.sqm
2008-12-10 11:43 . 2008-12-10 11:43 200 --a------ C:\sqmnoopt14.sqm
2008-12-10 11:43 . 2008-12-10 11:43 200 --a------ C:\sqmdata14.sqm
2008-12-10 11:41 . 2008-12-10 11:41 200 --a------ C:\sqmnoopt13.sqm
2008-12-10 11:41 . 2008-12-10 11:41 200 --a------ C:\sqmdata13.sqm
2008-12-10 11:38 . 2008-12-10 11:38 <DIR> d-------- C:\ATI
2008-12-10 11:37 . 2008-12-10 11:37 200 --a------ C:\sqmnoopt12.sqm
2008-12-10 11:37 . 2008-12-10 11:37 200 --a------ C:\sqmdata12.sqm
2008-12-10 11:27 . 2008-12-10 11:27 200 --a------ C:\sqmnoopt11.sqm
2008-12-10 11:27 . 2008-12-10 11:27 200 --a------ C:\sqmdata11.sqm
2008-12-10 06:15 . 2008-12-10 06:15 200 --a------ C:\sqmnoopt10.sqm
2008-12-10 06:15 . 2008-12-10 06:15 200 --a------ C:\sqmdata10.sqm
2008-12-10 05:57 . 2008-12-10 05:57 200 --a------ C:\sqmnoopt09.sqm
2008-12-10 05:57 . 2008-12-10 05:57 200 --a------ C:\sqmdata09.sqm
2008-12-09 05:56 . 2008-12-09 05:56 200 --a------ C:\sqmnoopt08.sqm
2008-12-09 05:56 . 2008-12-09 05:56 200 --a------ C:\sqmdata08.sqm
2008-12-08 14:11 . 2008-12-08 14:11 200 --a------ C:\sqmnoopt07.sqm
2008-12-08 14:11 . 2008-12-08 14:11 200 --a------ C:\sqmdata07.sqm
2008-12-08 06:15 . 2008-12-08 06:15 200 --a------ C:\sqmnoopt06.sqm
2008-12-08 06:15 . 2008-12-08 06:15 200 --a------ C:\sqmdata06.sqm
2008-12-08 06:00 . 2008-12-10 21:00 <DIR> d-------- c:\program files\RivaTuner v2.20
2008-12-08 05:25 . 2008-12-08 05:47 <DIR> d-------- C:\Perfect World International
2008-12-08 05:10 . 2008-12-08 05:10 200 --a------ C:\sqmnoopt05.sqm
2008-12-08 05:10 . 2008-12-08 05:10 200 --a------ C:\sqmdata05.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 13:06 --------- d-----w c:\program files\Datamonitor
2009-01-07 11:48 79,872 ----a-w c:\windows\system32\drivers\66vlkbvupsv.sys
2009-01-07 10:49 --------- d-----w c:\documents and settings\Cuong\Application Data\uTorrent
2009-01-07 09:19 79,872 ----a-w c:\windows\system32\drivers\rjny2aqm6j3.sys
2009-01-05 23:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-05 22:28 79,872 ----a-w c:\windows\system32\drivers\npzldrrlesr.sys
2008-12-28 01:03 79,872 ----a-w c:\windows\system32\drivers\3ahztnsivnk.sys
2008-12-26 02:42 79,872 ----a-w c:\windows\system32\drivers\h2312ya3kzg.sys
2008-12-24 17:56 --------- d-----w c:\documents and settings\Cuong\Application Data\dvdcss
2008-12-23 14:58 79,872 ----a-w c:\windows\system32\drivers\6htdipulbbq.sys
2008-12-20 03:21 69,632 ----a-w c:\windows\system32\drivers\26xqw2uxhcd.sys
2008-12-17 21:33 69,632 ----a-w c:\windows\system32\drivers\bcqdscja26j.sys
2008-12-16 13:26 69,632 ----a-w c:\windows\system32\drivers\6wx2elwfgow.sys
2008-12-14 19:58 69,632 ----a-w c:\windows\system32\drivers\ab63oirajks.sys
2008-12-11 13:27 --------- d-----w c:\program files\SpeedFan
2008-12-11 05:55 --------- d-----w c:\program files\Windows Live
2008-12-11 05:01 --------- d-----w c:\program files\SUPERAntiSpyware
2008-12-11 05:01 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2008-12-11 05:01 --------- d-----w c:\documents and settings\Cuong\Application Data\SUPERAntiSpyware.com
2008-12-11 04:09 --------- d-----w c:\program files\uTorrent
2008-12-08 14:14 --------- d-----w c:\program files\Ray Adams
2008-12-07 22:35 69,632 --s---r c:\windows\system32\drivers\e1he1mpvj62.sys
2008-12-07 11:51 --------- d-----w c:\documents and settings\Cuong\Application Data\GetRightToGo
2008-12-01 23:30 --------- d-----w c:\program files\Full Tilt Poker
2008-12-01 22:13 3,452,928 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-12-01 19:51 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-11-27 10:09 --------- d-----w c:\program files\iTunes
2008-11-27 10:09 --------- d-----w c:\program files\iPod
2008-11-27 10:08 --------- d-----w c:\program files\QuickTime
2008-11-27 10:07 --------- d-----w c:\program files\Common Files\Apple
2008-11-27 09:50 --------- d-----w c:\program files\Safari
2008-10-03 12:53 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100320081004\index.dat
2008-10-05 21:19 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008100520081006\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2008-09-09 3513344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"Optus Cable Data Monitor"="c:\program files\Datamonitor\Datamonitor.exe" [2007-12-11 233472]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"SDFix"="c:\sdfix\RunThis.bat" [2008-11-06 964661]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0OODBS\0lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\26xqw2uxhcd.sys]
@="\??\c:\windows\system32\drivers\26xqw2uxhcd.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\3ahztnsivnk.sys]
@="\??\c:\windows\system32\drivers\3ahztnsivnk.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\66vlkbvupsv.sys]
@="\??\c:\windows\system32\drivers\66vlkbvupsv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6htdipulbbq.sys]
@="\??\c:\windows\system32\drivers\6htdipulbbq.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\6wx2elwfgow.sys]
@="\??\c:\windows\system32\drivers\6wx2elwfgow.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ab63oirajks.sys]
@="\??\c:\windows\system32\drivers\ab63oirajks.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\bcqdscja26j.sys]
@="\??\c:\windows\system32\drivers\bcqdscja26j.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\e1he1mpvj62.sys]
@="\??\c:\windows\system32\drivers\e1he1mpvj62.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\edirovcpo32.sys]
@="\??\c:\windows\system32\drivers\edirovcpo32.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\flkf3nf63lh.sys]
@="\??\c:\windows\system32\drivers\flkf3nf63lh.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gebyd3p2uer.sys]
@="\??\c:\windows\system32\drivers\gebyd3p2uer.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\h2312ya3kzg.sys]
@="\??\c:\windows\system32\drivers\h2312ya3kzg.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hgvnmsv3ysa.sys]
@="\??\c:\windows\system32\drivers\hgvnmsv3ysa.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hsibsovppdl.sys]
@="\??\c:\windows\system32\drivers\hsibsovppdl.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ittjmheqyzd.sys]
@="\??\c:\windows\system32\drivers\ittjmheqyzd.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\nk6xv6ix1mb.sys]
@="\??\c:\windows\system32\drivers\nk6xv6ix1mb.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\npzldrrlesr.sys]
@="\??\c:\windows\system32\drivers\npzldrrlesr.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\qxtghmaubhv.sys]
@="\??\c:\windows\system32\drivers\qxtghmaubhv.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rjny2aqm6j3.sys]
@="\??\c:\windows\system32\drivers\rjny2aqm6j3.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rrgj6ktn623.sys]
@="\??\c:\windows\system32\drivers\rrgj6ktn623.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\u36qthyolr6.sys]
@="\??\c:\windows\system32\drivers\u36qthyolr6.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wwmanrftxcs.sys]
@="\??\c:\windows\system32\drivers\wwmanrftxcs.sys"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GetRight.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GetRight.lnk
backup=c:\windows\pss\GetRight.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGEIA PhysX SysTray]
--a------ 2006-03-20 11:43 331776 c:\program files\AGEIA Technologies\TrayIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-10-01 11:57 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2008-05-19 15:24 91432 c:\program files\CyberLink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
--a------ 2008-08-08 04:11 490952 c:\program files\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2008-02-28 17:07 1828136 c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
--a--c--- 2001-11-29 01:00 28672 c:\program files\Creative\SBLive\Program\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2008-02-18 16:29 2221352 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2008-04-28 16:14 570664 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OODefragTray]
--a------ 2007-05-11 01:08 2512392 c:\windows\system32\oodtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
--------- 2007-12-14 11:36 50472 c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler]
--a------ 2007-10-15 20:39 601336 c:\program files\Registry Clean Expert\RCHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
--------- 2008-03-20 20:23 83240 c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-09-16 12:16 1833296 c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-04-04 03:42 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-04-17 23:37 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 01:00 90112 c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
--a------ 2008-12-01 12:40 26112 c:\windows\system32\Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-08-28 00:45 24576 c:\windows\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Creative Service for CDROM Access"=2 (0x2)
"Bonjour Service"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"rpcapd"=3 (0x3)
"ose"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"avg8wd"=2 (0x2)
"avg8emc"=2 (0x2)
"aawservice"=2 (0x2)
"PLFlash DeviceIoControl Service"=2 (0x2)
"O&O Defrag"=2 (0x2)
"ekrn"=2 (0x2)
"EhttpSrv"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

S1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-12-12 111184]
S3 dump_wmimmc;dump_wmimmc;\??\d:\acclaim\2moons\bin\GameGuard\dump_wmimmc.sys --> d:\acclaim\2moons\bin\GameGuard\dump_wmimmc.sys [?]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-11-06 34064]
S3 NTProcDrv;Process creation detector for NT.;\??\c:\documents and settings\Cuong\Desktop\RohanBotEn1.0.8b\NtProcDrv.sys --> c:\documents and settings\Cuong\Desktop\RohanBotEn1.0.8b\NtProcDrv.sys [?]
S4 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [2008-05-15 12:07:00 61424]
S4 26xqw2uxhcd.sys;26xqw2uxhcd.sys;c:\windows\system32\drivers\26xqw2uxhcd.sys [2001-08-23 69632]
S4 3ahztnsivnk.sys;3ahztnsivnk.sys;c:\windows\system32\drivers\3ahztnsivnk.sys [2001-08-23 79872]
S4 66vlkbvupsv.sys;66vlkbvupsv.sys;c:\windows\system32\drivers\66vlkbvupsv.sys [2001-08-23 79872]
S4 6htdipulbbq.sys;6htdipulbbq.sys;c:\windows\system32\drivers\6htdipulbbq.sys [2001-08-23 79872]
S4 6wx2elwfgow.sys;6wx2elwfgow.sys;c:\windows\system32\drivers\6wx2elwfgow.sys [2001-08-23 69632]
S4 ab63oirajks.sys;ab63oirajks.sys;c:\windows\system32\drivers\ab63oirajks.sys [2001-08-23 69632]
S4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-12 20560]
S4 bcqdscja26j.sys;bcqdscja26j.sys;c:\windows\system32\drivers\bcqdscja26j.sys [2001-08-23 69632]
S4 e1he1mpvj62.sys;e1he1mpvj62.sys;c:\windows\system32\drivers\e1he1mpvj62.sys [2001-08-23 69632]
S4 gebyd3p2uer.sys;gebyd3p2uer.sys;\??\c:\windows\system32\drivers\gebyd3p2uer.sys --> c:\windows\system32\drivers\gebyd3p2uer.sys [?]
S4 h2312ya3kzg.sys;h2312ya3kzg.sys;c:\windows\system32\drivers\h2312ya3kzg.sys [2001-08-23 79872]
S4 npzldrrlesr.sys;npzldrrlesr.sys;c:\windows\system32\drivers\npzldrrlesr.sys [2001-08-23 79872]
S4 rjny2aqm6j3.sys;rjny2aqm6j3.sys;c:\windows\system32\drivers\rjny2aqm6j3.sys [2001-08-23 79872]
S4 wwmanrftxcs.sys;wwmanrftxcs.sys;\??\c:\windows\system32\drivers\wwmanrftxcs.sys --> c:\windows\system32\drivers\wwmanrftxcs.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-07 c:\windows\Tasks\At1.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At10.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At11.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At12.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-06 c:\windows\Tasks\At13.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At14.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-06 c:\windows\Tasks\At15.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-06 c:\windows\Tasks\At16.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At17.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At18.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At19.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At2.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At20.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At21.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At22.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At23.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At24.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At25.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At26.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At27.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At28.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At29.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At3.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-06 c:\windows\Tasks\At30.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-06 c:\windows\Tasks\At31.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At32.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-06 c:\windows\Tasks\At33.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At34.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At35.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At36.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-06 c:\windows\Tasks\At37.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At38.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-06 c:\windows\Tasks\At39.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At4.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-06 c:\windows\Tasks\At40.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At41.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At42.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At43.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At44.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At45.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At46.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At47.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At48.job
- c:\windows\system32\ET2qt5yL.exe []

2009-01-07 c:\windows\Tasks\At5.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-06 c:\windows\Tasks\At6.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-06 c:\windows\Tasks\At7.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-07 c:\windows\Tasks\At8.job
- c:\windows\system32\cr6S42ce.exe []

2009-01-06 c:\windows\Tasks\At9.job
- c:\windows\system32\cr6S42ce.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-AVG8_TRAY - c:\progra~1\AVG\AVG8\avgtray.exe
MSConfigStartUp-egui - c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
MSConfigStartUp-StartCCC - c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre1.6.0_05\bin\jusched.exe
MSConfigStartUp-SUPERAntiSpyware - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Cuong\Application Data\Mozilla\Firefox\Profiles\3u8x4rt7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\DAEMON Tools Toolbar\FirefoxDTT\components\DTToolbarFF.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 14:57:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1085031214-1078081533-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*NULL*,%’**NULL*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1085031214-1078081533-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*NULL*,%’**NULL*\OpenWithList]
@Class="Shell"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*NULL*]
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-07 15:00:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 22:59:54
ComboFix2.txt 2009-01-07 13:05:22

Pre-Run: 6,797,115,392 bytes free
Post-Run: 6,844,108,800 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

402 --- E O F --- 2008-07-21 01:37:12


And here is my log from HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:05:00 AM, on 1/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cuong\My Documents\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Optus Cable Data Monitor] C:\Program Files\Datamonitor\Datamonitor.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3037 bytes


I hope this information will help you guys help me fix this problem, as I can only use my computer via safe mode lol; otherwise, if I go into normal mode it will shut down within 3-5 mins.


Much appreciated.

cs2h0ai
2009-01-07, 16:01
Ah crap, I forgot to read the "READ BEFORE YOU POST" sticky... darn it, sorry guys... Is my thread useless now?

cs2h0ai
2009-01-08, 03:21
Bump, why doesn't anyone help me :( My computer keeps rebooting ><