
ldshyr.old repeated error

  • 16-08-2008 6:04pm
    #1
    Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭


    Hey all,

    I'm getting a repeated error message - see image below:

    error.jpg

    I've run complete scans as requested in the thread sticky and they're still happening. Also, if the PC is left unattended, it reboots of its own accord - I find the login screen waiting for me...?!!

    Any help would be appreciated!

    I'm running Avast 4.8 antivirus.


Comments

  • Registered Users, Registered Users 2 Posts: 4,405 ✭✭✭Dartz


    http://www.threatexpert.com/report.aspx?uid=71917a80-e2b0-4092-9114-b0dc7a96faa3

    This could be it. It's what I got from Googling the filename of it anyway. If it is this, then it's a keylogger.


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker


    I don't see a fix for it on the link you posted - what should I do to remove it?

    I ran combofix and here's the log (dunno if this helps?!)

    ComboFix 08-08-15.04 - name here-- 2008-08-16 19:13:16.4 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1377 [GMT 1:00]
    Running from: c:\documents and settings\=====\desktop\combofix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\REGOBJ.DLL

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-16 to 2008-08-16 )))))))))))))))))))))))))))))))
    .

    2008-08-15 22:40 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
    2008-08-15 22:37 . 2008-08-15 22:37 <DIR> d-------- C:\Program Files\Panda Security
    2008-08-15 08:27 . 2008-08-16 23:32 846,848 --a------ C:\WINDOWS\system32\nwwlnt.ini
    2008-08-15 08:27 . 2008-06-23 17:57 826,368 --a------ C:\WINDOWS\system32\worlg.ini
    2008-08-14 19:04 . 2008-05-01 15:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-14 00:26 . 2008-08-14 00:26 <DIR> d-------- C:\Program Files\Alwil Software
    2008-08-13 20:24 . 2008-08-16 23:32 34,816 --a------ C:\WINDOWS\system32\ldshyr.old
    2008-08-13 20:23 . 2008-08-14 23:47 34,816 --a------ C:\WINDOWS\system32\ldupdt.jpg
    2008-08-13 20:23 . 2008-08-13 20:23 136 --a------ C:\WINDOWS\system32\srvblck.tmp
    2008-08-13 08:52 . 2008-08-13 08:52 <DIR> d-------- C:\Program Files\Seagate
    2008-08-11 23:25 . 2008-08-15 23:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-08-11 23:25 . 2008-08-11 23:25 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-08-10 23:04 . 2008-08-10 23:06 <DIR> d-------- C:\Program Files\Flash Menu Labs Std v2
    2008-08-09 19:26 . 2008-08-09 19:26 <DIR> d-------- C:\Program Files\Microsoft Picture It! 7
    2008-08-08 00:26 . 2008-08-16 08:23 <DIR> d-------- C:\Program Files\Hard Disk Sentinel
    2008-08-05 11:47 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-05 11:01 . 2008-04-07 05:38 45,392 -ra------ C:\WINDOWS\system32\AdobePDF.dll
    2008-08-05 11:01 . 2008-04-07 05:38 22,872 -ra------ C:\WINDOWS\system32\AdobePDFUI.dll
    2008-08-05 10:33 . 2008-08-05 10:36 <DIR> d-------- C:\Program Files\Amara - Flash News Ticker
    2008-08-03 19:00 . 2008-08-03 19:00 <DIR> d-------- C:\Program Files\Photo!
    2008-07-31 10:22 . 2008-07-31 10:22 <DIR> d-------- C:\Documents and Settings\----\Application Data\Ambient Design
    2008-07-31 10:21 . 2008-07-31 10:21 <DIR> d-------- C:\Program Files\Ambient Design
    2008-07-31 10:05 . 2008-07-31 10:05 <DIR> d-------- C:\Program Files\Website Layout Maker
    2008-07-31 09:57 . 2008-07-31 09:57 <DIR> d-------- C:\Program Files\Photodex Presenter
    2008-07-31 09:57 . 2008-07-31 09:57 <DIR> d-------- C:\Documents and Settings\----\Application Data\Netscape
    2008-07-31 09:56 . 2008-07-31 09:56 <DIR> d-------- C:\Program Files\Photodex
    2008-07-31 09:56 . 2008-07-31 09:56 <DIR> d-------- C:\Documents and Settings\-----\Application Data\Photodex
    2008-07-30 14:59 . 2008-07-30 15:01 <DIR> d-------- C:\Program Files\BoxShot3D
    2008-07-30 14:57 . 2008-07-30 14:57 <DIR> d-------- C:\Documents and Settings\----\Application Data\Aurora Web Editor
    2008-07-30 14:52 . 2008-07-30 14:52 <DIR> d-------- C:\Program Files\Site Map Maker
    2008-07-30 14:52 . 2008-07-30 14:52 434,688 --a------ C:\WINDOWS\system32\ss2uinst.exe
    2008-07-30 14:46 . 2008-07-30 14:46 <DIR> d-------- C:\Program Files\PayPal Shop Maker 3
    2008-07-30 14:46 . 2007-12-17 18:23 1,136,640 --a------ C:\Program Files\Common Files\ewutils2.dll
    2008-07-30 14:46 . 2002-07-26 17:02 153,088 --a------ C:\WINDOWS\system32\UNWISE.EXE
    2008-07-30 13:37 . 2008-07-30 13:37 1,409 --a------ C:\WINDOWS\system32\tmp39E9C.FOT
    2008-07-24 21:29 . 2007-07-12 18:58 49,904 -ra------ C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
    2008-07-24 21:27 . 2008-07-25 09:16 <DIR> d-------- C:\Netgear
    2008-07-17 23:41 . 2008-07-17 23:41 <DIR> d-------- C:\Program Files\ffdshow
    2008-07-17 23:41 . 2008-06-22 20:33 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
    2008-07-17 23:41 . 2008-06-22 20:33 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
    2008-07-17 23:41 . 2008-06-22 20:33 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
    2008-07-17 23:38 . 2008-07-17 23:38 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
    2008-07-17 23:38 . 2008-07-17 23:37 737,280 --a------ C:\WINDOWS\iun6002.exe
    2008-07-17 14:42 . 2008-07-17 14:42 <DIR> d-------- C:\Program Files\XP Codec Pack
    2008-07-16 12:10 . 2008-07-16 12:10 <DIR> d-------- C:\Program Files\Intel
    2008-07-16 12:10 . 2008-05-01 16:35 53,248 --a------ C:\WINDOWS\system32\CSVer.dll
    2008-07-16 12:09 . 2008-07-16 12:09 <DIR> d-------- C:\Intel
    2008-07-16 12:06 . 2008-07-16 12:10 <DIR> d-------- C:\Drivers Download
    2008-07-16 09:53 . 2008-07-16 09:53 <DIR> d-------- C:\Program Files\Driver-Soft
    2008-07-16 09:53 . 2007-09-02 20:56 1,686,016 --a------ C:\WINDOWS\system32\clinetsuitex6.ocx
    2008-07-16 09:53 . 2004-06-14 14:56 427,864 --a------ C:\WINDOWS\system32\XceedZip.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-16 17:58 --------- d-----w C:\Program Files\PeerGuardian2
    2008-08-15 23:18 --------- d-----w C:\Program Files\FlashGet
    2008-08-15 23:05 --------- d-----w C:\Program Files\Flash Saver
    2008-08-15 22:48 --------- d-----w C:\Program Files\EarthView
    2008-08-14 23:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-08-14 08:52 --------- d-----w C:\Program Files\Common Files\Nero
    2008-08-14 08:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
    2008-08-14 08:26 --------- d-----w C:\Program Files\AIO FLASH Mixer
    2008-08-13 23:42 --------- d-----w C:\Program Files\Common Files\Ahead
    2008-08-13 15:30 --------- d-----w C:\Documents and Settings\====\Application Data\Vso
    2008-08-13 15:16 --------- d-----w C:\Program Files\NewzCrawler
    2008-08-13 07:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2008-08-10 21:52 --------- d-----w C:\Documents and Settings\====\Application Data\Ashampoo
    2008-08-07 23:23 --------- d-----w C:\Documents and Settings\====\Application Data\FileZilla
    2008-08-07 18:29 --------- d-----w C:\Program Files\VideoLAN
    2008-08-05 10:57 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-05 09:59 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-07-30 22:03 --------- d-----w C:\Program Files\Steam
    2008-07-30 22:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\nHancer
    2008-07-30 19:07 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-30 12:38 --------- d-----w C:\Program Files\Alchemy Mindworks
    2008-07-30 12:38 --------- d-----w C:\Documents and Settings\Conor Murray\Application Data\Alchemy Mindworks
    2008-07-27 18:25 115,200 ----a-w C:\outsound.bin
    2008-07-25 11:04 --------- d-----w C:\Program Files\DVDPean Pro 5.5.2
    2008-07-23 08:27 --------- d-----w C:\Program Files\QR Photo to Flash Converter
    2008-07-20 19:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
    2008-07-20 18:58 --------- d-----w C:\Program Files\Alawar
    2008-07-17 22:40 --------- d-----w C:\Program Files\DivX
    2008-07-14 08:40 --------- d-----w C:\Program Files\TuneUp Utilities 2008
    2008-07-14 08:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-07-10 01:22 --------- d-----w C:\Program Files\Microsoft SQL Server
    2008-07-09 19:09 --------- d-----w C:\Program Files\Java
    2008-07-09 19:08 --------- d-----w C:\Program Files\Common Files\Java
    2008-07-09 14:29 3,454 --sha-w C:\Documents and Settings\All Users\Application Data\KGyGaAvL.sys
    2008-07-09 10:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Corel
    2008-07-07 15:59 --------- d-----w C:\Program Files\FileZilla FTP Client
    2008-07-03 23:07 --------- d-----w C:\Documents and Settings\====\Application Data\uTorrent
    2008-07-03 14:36 --------- d-----w C:\Program Files\Web Button Menu Maker
    2008-07-02 09:41 --------- d-----w C:\Documents and Settings\====\Application Data\Malwarebytes
    2008-07-02 09:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-02 09:15 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-07-01 23:15 --------- d-----w C:\Program Files\Spyware Doctor
    2008-07-01 23:05 --------- d-----w C:\Program Files\Onlineeye Pro
    2008-07-01 14:46 --------- d-----w C:\Documents and Settings\====\Application Data\PC Tools
    2008-07-01 11:53 --------- d-----w C:\Program Files\SourceTec
    2008-07-01 11:53 --------- d-----w C:\Program Files\Common Files\SourceTec
    2008-07-01 11:38 --------- d-----w C:\Program Files\DHTML Menu Builder
    2008-07-01 09:59 --------- d-----w C:\Program Files\AllWebMenus5
    2008-07-01 09:17 --------- d-----w C:\Documents and Settings\====\Application Data\Likno
    2008-06-27 20:07 --------- d-----w C:\Program Files\Amara - Flash Menu Builder
    2008-06-24 22:39 --------- d-----w C:\Program Files\AAALOGO2008
    2008-06-24 15:06 972,072 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
    2008-06-23 19:09 --------- d-----w C:\Documents and Settings\===\Application Data\DivX
    2008-06-23 14:01 --------- d-----w C:\Documents and Settings\===\Application Data\Artisteer
    2008-06-23 14:00 --------- d-----w C:\Program Files\Artisteer
    2008-06-23 13:42 --------- d-----w C:\Program Files\Water Clock 3D Screensaver
    2008-06-22 15:49 --------- d-----w C:\Documents and Settings\=====\Application Data\PerfectClock2007
    2008-06-22 15:48 --------- d-----w C:\Program Files\PerfectClock
    2008-06-22 15:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\PerfectClock2007
    2008-06-22 10:43 --------- d-----w C:\Program Files\DAP
    2008-06-22 10:39 --------- d-----w C:\Program Files\speed-bit
    2008-06-21 10:53 --------- d-----w C:\Documents and Settings\====\Application Data\TuneUp Software
    2008-06-21 10:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\TuneUp Software
    2008-06-21 10:36 --------- d-----w C:\Program Files\Desktop Icons Arranger
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2008-06-06 13:54 972,072 ----a-w C:\WINDOWS\UNRecode.exe
    2008-06-04 00:01 120 ----a-w C:\drmHeader.bin
    2008-04-23 22:21 13 ---h--w C:\Documents and Settings\All Users\Application Data\sys.sys
    2008-03-22 10:35 88 --sh--r C:\Documents and Settings\All Users\Application Data\FB07B41AE1.sys
    2008-01-31 22:10 87,608 ----a-w C:\Documents and Settings\====\Application Data\ezpinst.exe
    2008-01-31 22:10 47,360 ----a-w C:\Documents and Settings\====\Application Data\pcouffin.sys
    2007-12-26 11:50 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
    2007-12-15 11:50 11,114 ----a-w C:\Documents and Settings\All Users\Application Data\MainApp.dll
    2007-11-26 19:35 22,328 ----a-w C:\Documents and Settings\====\Application Data\PnkBstrK.sys
    2007-11-25 18:26 6,650 ----a-w C:\Program Files\install.log
    2002-04-16 11:27 5 --sha-w C:\WINDOWS\system32\CdI5T.drv
    2008-03-16 11:00 56 --sh--r C:\WINDOWS\system32\E11AB407FB.sys
    2006-05-03 10:06 163,328 --sha-r C:\WINDOWS\system32\flvDX.dll
    2008-03-16 11:06 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2007-02-21 11:47 31,232 --sha-r C:\WINDOWS\system32\msfDX.dll
    2007-12-17 13:43 27,648 --sha-w C:\WINDOWS\system32\Smab0.dll
    2008-02-04 19:26 151,040 --sha-w C:\WINDOWS\system32\VistaUltm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}"= "C:\Program Files\speed-bit\tbspee.dll" [2007-07-31 16:33 1391640]

    [HKEY_CLASSES_ROOT\clsid\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]
    2007-07-31 16:33 1391640 --a------ C:\Program Files\speed-bit\tbspee.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}"= "C:\Program Files\speed-bit\tbspee.dll" [2007-07-31 16:33 1391640]

    [HKEY_CLASSES_ROOT\clsid\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{2BA521AC-B9B9-4433-BA45-DBA2F02CBA5A}"= "C:\Program Files\speed-bit\tbspee.dll" [2007-07-31 16:33 1391640]

    [HKEY_CLASSES_ROOT\clsid\{2ba521ac-b9b9-4433-ba45-dba2f02cba5a}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
    "PeerGuardian"="C:\Program Files\PeerGuardian2\pg2.exe" [2005-09-18 18:44 1382400]
    "GBMPro8Agent"="c:\program files\genie-soft\gbmpro8\gbmagent.exe" [2007-10-29 04:36 225920]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "OnlineTime"="c:\program files\onlineeye pro\onlineeye.exe" [2006-11-05 20:41 1196127]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 07:00 33648]
    "GBMPro8Agent"="c:\program files\genie-soft\gbmpro8\gbmagent.exe" [2007-10-29 04:36 225920]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-03-24 19:52 13524992]
    "Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 17:44 303104]
    "Adobe Acrobat Speed Launcher"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 02:25 37232]
    "Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-11 22:43 640376]
    "Hard Disk Sentinel"="c:\program files\hard disk sentinel\hdsentinel.exe" [2008-08-06 16:15 3264000]
    "NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-06-08 09:31 2221352]
    "NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-06-19 09:53 570664]
    "nwiz"="nwiz.exe" [2008-03-24 19:52 1626112 C:\WINDOWS\system32\nwiz.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
    2007-11-08 00:28 229376 C:\Program Files\Stardock\Object Desktop\WindowBlinds\WbSrv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=wbsys.dll acaptuser32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.I420"= i420vfw.dll
    "msacm.dvacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
    "msacm.MPEGacm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
    "msacm.ulmp3acm"= C:\PROGRA~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli scecli

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Free WebSite Tools.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Free WebSite Tools.lnk
    backup=C:\WINDOWS\pss\Free WebSite Tools.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^=====^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=C:\Documents and Settings\=====\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=C:\WINDOWS\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
    --a------ 2007-11-30 16:28 1637312 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Detector]
    2004-12-02 19:23 102400 C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSyncU.exe]
    2006-09-28 21:09 700416 C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dexpot 1.4]
    --a------ 2006-05-05 22:08 1286144 C:\Program Files\Dexpot\dexpot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Codec Update Service]
    --a------ 2007-04-08 17:44 303104 C:\Program Files\Essentials Codec Pack\update.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
    --a------ 2008-06-08 09:31 2221352 C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2008-06-19 09:53 570664 C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nvidia ntune]
    --a------ 2007-07-03 13:32 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE4]
    --a------ 2006-10-11 13:45 75304 C:\Program Files\ScanSoft\OmniPageSE4.0\OpWareSE4.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
    -ra------ 2006-11-24 02:06 487424 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    --a------ 2006-09-28 14:16 185896 C:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    --a------ 2007-11-30 09:45 1266936 C:\Program Files\Steam\Steam.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sweeper.exe]
    --a------ 2006-06-03 00:42 176128 C:\Program Files\History Sweeper\sweeper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS11 Preload]
    --a------ 2007-03-03 15:12 341488 C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    --a------ 2006-08-17 12:32 17920 C:\WINDOWS\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
    --a------ 2006-08-17 12:32 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\FlashGet\\flashget.exe"=
    "C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\xampp\\apache\\bin\\apache.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "24654:UDP"= 24654:UDP:Enfocus Port
    "33515:TCP"= 33515:TCP:Windows Update Service Helper

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\icmpsettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
    R0 stex;stex;C:\WINDOWS\system32\drivers\stex.sys [2006-08-22 19:36]
    R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 15:35]
    R1 SLEE_16_DRIVER;Steganos Live Encryption Engine 16 [Driver];C:\WINDOWS\system32\drivers\Sleen16.sys [2007-10-11 12:24]
    R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-01-18 00:37]
    R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 15:37]
    R2 MSSQL$ACT7;SQL Server (ACT7);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
    R2 PromiseWebPAM;Promise WebPAM;C:\Program Files\Promise\WebPAM\jetty\extra\win32\Wrapper.exe [2003-09-29 00:30]
    R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys [2006-04-21 09:22]
    R2 PSI_SVC_2;Protexis Licensing V2;c:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe [2007-07-24 12:15]
    R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 01:56]
    R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-08-17 12:16]
    R3 V0260VID;Live! Cam Vista IM;C:\WINDOWS\system32\DRIVERS\V0260Vid.sys [2006-11-03 23:45]
    S1 d04b37aa;d04b37aa;C:\WINDOWS\system32\drivers\d04b37aa.sys []
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 21:22]
    S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-06-21 11:53]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp
    .
    Contents of the 'Scheduled Tasks' folder

    2008-08-16 C:\WINDOWS\Tasks\1-Click Maintenance.job
    - C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 09:09]

    2008-08-16 C:\WINDOWS\Tasks\GBM - General Backup - Sticker's Rig-Full.job
    - C:\Program Files\Genie-Soft\GBMPro8\GBM8.exe [2007-12-04 10:34]

    2008-08-16 C:\WINDOWS\Tasks\SDMsgUpdate (SD).job
    - C:\Program Files\SmartDraw 2008\Messages\SDNotify.exe [2007-09-26 10:53]
    .
    - - - - ORPHANS REMOVED - - - -

    MSConfigStartUp-Act! Preloader - C:\Program Files\ACT\Act for Windows\ActSage.exe
    MSConfigStartUp-Act.Outlook - C:\Program Files\ACT\Act for Windows\Act.Outlook.Service.exe
    MSConfigStartUp-ReminderApp - C:\Program Files\Nova Development\Greeting Card Factory\ReminderApp.exe
    MSConfigStartUp-SMSystemAnalyzer - C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe
    MSConfigStartUp-SpySweeper - c:\program files\webroot\spy sweeper\SpySweeperUI.exe
    MSConfigStartUp-SunJavaUpdateSched - C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    .
    Supplementary Scan
    .
    FireFox -: Profile - C:\Documents and Settings\=====\Application Data\Mozilla\Firefox\Profiles\p4eew9fu.default\
    FF -: plugin - C:\Documents and Settings\====\Application Data\Mozilla\plugins\npPxPlay.dll
    FF -: plugin - C:\Program Files\Adobe\Acrobat 7.0\Reader\browser\nppdf32.dll
    FF -: plugin - c:\program files\mozilla firefox\plugins\npff_gdm.dll
    FF -: plugin - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-16 23:32:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Other Running Processes
    .
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
    C:\WINDOWS\system32\CTSVCCDA.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
    C:\xampp\mysql\bin\mysqld-nt.exe
    C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
    C:\Program Files\nHancer\nHancerService.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\IoctlSvc.exe
    C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe
    C:\Program Files\Photodex\ProShowGold\scsiaccess.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Promise\WebPAM\_jvm\bin\java.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    .
    **************************************************************************
    .
    Completion time: 2008-08-16 23:37:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-08-16 22:37:47

    Pre-Run: 14,173,728,768 bytes free
    Post-Run: 14,077,333,504 bytes free

    341 --- E O F --- 2008-08-14 23:31:04
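
    As a defender's triage pass over the kind of log posted above, here is an added Python example that is not part of the thread or of ComboFix: it parses a short excerpt reconstructed from the log (joined to one entry per line) and flags the two things the helper's fix later acts on, non-code file extensions under system32 and the d04b37aa driver with no recorded timestamp, plus one heuristic the thread itself does not raise, a winlogon UIHost that is not the default logonui.exe. The Finding record, the extension list and the regexes are this example's own assumptions about the log layout.

```python
import ntpath
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    category: str   # "file", "driver" or "winlogon"
    path: str
    reason: str


# Constructed sample: entries copied from the thread's log, one per line,
# in ComboFix's own column layout (created . modified size attributes path).
SAMPLE_LOG = r"""
2008-08-15 08:27 . 2008-08-16 23:32 846,848 --a------ C:\WINDOWS\system32\nwwlnt.ini
2008-08-15 22:37 . 2008-08-15 22:37 <DIR> d-------- C:\Program Files\Panda Security
2008-08-13 20:24 . 2008-08-16 23:32 34,816 --a------ C:\WINDOWS\system32\ldshyr.old
2008-08-13 20:23 . 2008-08-14 23:47 34,816 --a------ C:\WINDOWS\system32\ldupdt.jpg
2008-08-13 20:23 . 2008-08-13 20:23 136 --a------ C:\WINDOWS\system32\srvblck.tmp
2008-08-05 11:01 . 2008-04-07 05:38 45,392 -ra------ C:\WINDOWS\system32\AdobePDF.dll
2008-07-30 14:46 . 2002-07-26 17:02 153,088 --a------ C:\WINDOWS\system32\UNWISE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"UIHost"="C:\\WINDOWS\\system32\\logonuiX.exe"
R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 15:35]
S1 d04b37aa;d04b37aa;C:\WINDOWS\system32\drivers\d04b37aa.sys []
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2007-11-06 21:22]
"""

# "Files Created" entry: created . modified size attributes path
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
# Service/driver entry: start-type name;display name;path [file timestamp]
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$"
)
UIHOST_RE = re.compile(r'^"UIHost"="(?P<path>.+)"$')

# Extensions one expects on code living under system32; anything else is
# worth a look. This list is the example's own choice, not ComboFix's.
CODE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".drv", ".acm", ".cpl", ".ax", ".scr", ".com"}
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}$")  # e.g. d04b37aa


def triage(log_text: str) -> List[Finding]:
    """Return review items for a human; a Finding is a lead, not a verdict."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = FILE_RE.match(line)
        if m:
            path = m["path"]
            if m["size"] != "<DIR>" and "\\system32\\" in path.lower():
                ext = ntpath.splitext(path)[1].lower()
                if ext not in CODE_EXTS:
                    findings.append(Finding(
                        "file", path,
                        f"non-code extension {ext!r} under system32, {m['size']} bytes"))
            continue

        m = SERVICE_RE.match(line)
        if m:
            path = m["path"]
            stem = ntpath.splitext(ntpath.basename(path))[0]
            reasons = []
            if not m["stamp"]:
                reasons.append("no file timestamp recorded for the driver image")
            if RANDOM_NAME_RE.match(stem):
                reasons.append("eight-hex-digit, random-looking service name")
            if reasons:
                findings.append(Finding("driver", path, "; ".join(reasons)))
            continue

        m = UIHOST_RE.match(line)
        if m:
            # Registry values in the log are backslash-escaped; undo that.
            host = m["path"].replace("\\\\", "\\")
            if ntpath.basename(host).lower() != "logonui.exe":
                findings.append(Finding(
                    "winlogon", host,
                    "UIHost points somewhere other than the default logonui.exe"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.category}] {f.path}: {f.reason}")
```

    Run against a full log, the output is a short review list a helper can check against the entries a fix script would name, as the reply later in the thread does.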


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Why did you run ComboFix, nobody said to run it


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker



    Apologies Actor - I wrongly assumed it was a general Malware treatment application. You helped me here before with a problem recently and a lot of the remedy was based on Combofix runs -

    Is it not a removal app?

    This is the technical data from the error report:
    C:\DOCUME~1\CONORM~1\LOCALS~1\Temp\WER1c44.dir00\ldshyr.old.mdmp
    C:\DOCUME~1\CONORM~1\LOCALS~1\Temp\WER1c44.dir00\appcompat.txt

    EDIT: My PC is now restarting of its own accord every hour or so - no warning, just powers down...?!

    My task manager:

    error2.jpg


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker


    Can someone please help -

    the problem seems to be getting worse, I'm having crashes with Outlook and the PC is still just powering down of its own accord. (Not sudden loss of power, more like a normal shut down command)

    Malwarebytes is showing no errors, as is Avast, although the odd thing is the Avast icon has disappeared from the task bar - but Windows Security Center IS showing the system protected by version 4.8?!

    Even if someone can point me in the right direction please, I'd appreciate it...

    I'm baffled!


  • Registered Users, Registered Users 2 Posts: 4,405 ✭✭✭Dartz


    That was just the first link from Googling it. If you know what the problem is, you should be able to find your own fix. There's plenty of places out there. I don't know **** about fixing it personally...

    If you boot to Safe mode, you might be able to get it with malwarebytes, or something like that.

    One other thing I found useful is Spybot S&D. Not quite the best at cleaning Malware, but it has a nice little feature that lets you view items in your system's startup registry. If you're lucky, you might be able to disable some of these things, or find their locations and delete them. It's best to do that in safe mode, and it doesn't always work, but it's the best I can advise. Importantly, it doesn't delete the Malware, just prevents them from starting up. But you really have to get lucky. I blundered about like an idiot and managed to batter them into submission, but it left the registry in a bit of a mess. You need to be real careful mucking with startups that you don't bollock your PC up completely.

    But your Anti-virus is being deactivated, and your OS cheated to think it is running. That's pretty serious. There's probably more on there. You really need to do the sticky thread...


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker


    Thanks for the reply -

    I think it's called ldshyr.old.mdmp.

    The only suggestion of a fix is from Symantec - to turn off system restore / install Symantec and run a sweep - looks like I've no other choice.

    Thanks anyway for the advice - much appreciated


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker


    EDIT: Did above action and I'm still getting the error messages and shut downs - anyone any ideas?


  • Registered Users, Registered Users 2 Posts: 4,405 ✭✭✭Dartz


    Do what it says on the sticky... and wait for ActorseeksJob. As I said, I know ****, and can only offer what worked for me. To get the last of it, I posted a thread here myself...

    Looks like that's what you'll have to do...

    Either that, or a format and reinstall...


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker


    Dartz wrote: »
    Do what it says on the sticky... and wait for ActorseeksJob. As I said, I know ****, and can only offer what worked for me. To get the last of it, I posted a thread here myself...

    Looks like that's what you'll have to do...

    Either that, or a format and reinstall...

    Yeah, I hope ActorseeksJob posts - he was a great help to me in the past.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Hello

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\ldshyr.old
    C:\WINDOWS\system32\ldupdt.jpg
    C:\WINDOWS\system32\srvblck.tmp
    C:\Program Files\Common Files\ewutils2.dll

    KillAll::

    Sysrst::


    Folder::

    Registry::

    Driver::
    d04b37aa

    Save this as CFScript.txt, in the same location as ComboFix.exe


    CFScriptB-4.gif

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • C:\WINDOWS\system32\drivers\stex.sys
    • Click on the Upload button
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
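As an added illustration of the script format used in the post above (this is not ComboFix's own code, nor anything posted in the thread): a CFScript is a plain-text file made of sections whose headers are a name followed by `::` (`File::`, `KillAll::`, `Sysrst::`, `Folder::`, `Registry::`, `Driver::`), each followed by the entries that section acts on. The Python below parses such a file into its sections and, for the `File::` entries, records whether each path exists along with its size and SHA-256, which is the information an operator wants before a removal script deletes something and the kind of hash an online scanner such as the one requested for stex.sys accepts. The sample script is a constructed copy of the one posted above; the function names are my own.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample input: the CFScript posted in the thread, reproduced verbatim.
SAMPLE_CFSCRIPT = """File::
C:\\WINDOWS\\system32\\ldshyr.old
C:\\WINDOWS\\system32\\ldupdt.jpg
C:\\WINDOWS\\system32\\srvblck.tmp
C:\\Program Files\\Common Files\\ewutils2.dll

KillAll::

Sysrst::

Folder::

Registry::

Driver::
d04b37aa
"""

# A section header is a bare word followed by '::' and nothing else on the line.
SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")


def parse_cfscript(text):
    """Split a CFScript into {section_name: [entries]}.

    Every non-blank line after a header belongs to that header's section
    until the next header; a section with no entries maps to an empty list.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        else:
            sections[current].append(line)
    return sections


def triage_files(paths):
    """Record, for each path, None if it is absent, else its size and SHA-256.

    Run this before applying a File:: section so there is a record of exactly
    what was on disk, and a hash that can be submitted to a scanner.
    """
    report = {}
    for p in paths:
        path = Path(p)
        if not path.is_file():
            report[p] = None
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                digest.update(chunk)
        report[p] = {"size": path.stat().st_size, "sha256": digest.hexdigest()}
    return report


if __name__ == "__main__":
    script = parse_cfscript(SAMPLE_CFSCRIPT)
    for name, entries in script.items():
        print(f"{name}:: {len(entries)} entries")
    for path, info in triage_files(script["File"]).items():
        print(path, "missing" if info is None else info)
```

Running it on a machine that does not have the listed files (any non-Windows box, for instance) reports every `File::` entry as missing, which is the point: the triage step tells you whether the script will actually touch anything before you drag it onto ComboFix.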


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker


    ActorSeeksJob wrote: »
    Hello

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:



    Save this as CFScript.txt, in the same location as ComboFix.exe


    CFScriptB-4.gif

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • C:\WINDOWS\system32\drivers\stex.sys
    • Click on the Upload button
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.

    Thanks for taking the time to reply Actor - much appreciated...

    Quick question, if I disable my protection might it be best to turn off my modem or do you need a web connection for the Combofix repair?

    EDIT POST:

    Also (and sorry for possibly muddying the water!), I keep getting this error message at boot:

    error3.jpg


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Disable it although CF will probably do it itself


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker


    ActorSeeksJob wrote: »
    Disable it although CF will probably do it itself

    I did as you asked, although after CF rebooted the PC a new error message appeared -

    "SAS Window: winlogon.exe - application error.
    The instruction at "0x7c911f6c" referenced at "0x8361b41b". The memory could not be read."


    This in fairness HAS taken the place of the ldshyr.old error message I posted last night.

    Then Windows loads to the desktop image - no icons, no hourglass - just a cursor, and reboots after a few minutes - it's done this loop about five times now...

    Any ideas?


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Can you get into Normal Mode at all to do anything there ?

    How about safe mode ?

    If not, then reboot your PC, keep pressing F8, try last known good configuration


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker


    ActorSeeksJob wrote: »
    Can you get into Normal Mode at all to do anything there ?

    How about safe mode ?

    If not, then reboot your PC, keep pressing F8, try last known good configuration

    Nothing! Safe mode and last known good configuration are hanging in the same way.

    EDIT - I do have the option of the Recovery Console - you set that up during the last time you helped me.


  • Closed Accounts Posts: 1,970 ✭✭✭ActorSeeksJob


    Good good, that will come in handy

    This is a tech problem so you need somebody else's help

    Go make an account here

    http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html

    Post your problem there, tell them Rorschach112 sent you over and that you have the Recovery Console installed


    PM me the link to your topic and I will get a friend to jump in to save you time.



    Your problem is a little too complicated, that's why we gotta send you over there


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker


    ActorSeeksJob wrote: »
    Good good, that will come in handy

    This is a tech problem so you need somebody else's help

    Go make an account here

    http://www.geekstogo.com/forum/Windows-XP-2000-2003-NT-f5.html

    Post your problem there, tell them Rorschach112 sent you over and that you have the Recovery Console installed


    PM me the link to your topic and I will get a friend to jump in to save you time.



    Your problem is a little too complicated, that's why we gotta send you over there

    What should I post there? The entire issue from ldshyr.old (including the first ComboFix log?) or just the recent startup error message "SAS Window: winlogon.exe - application error" - ?

    Also, in what section should I post?

    EDIT - sorry I didn't see the link to XP thread.

    Thanks


  • Registered Users, Registered Users 2 Posts: 3,061 ✭✭✭sticker


    PM to new thread sent

