Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91819 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

[Resolved] trojan:win32/renos.n


  • This topic is locked This topic is locked
112 replies to this topic

#16 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 01 October 2009 - 07:32 PM

Can you access your task manager? (Ctrl + Alt + Del) Go to the processes tab...list out all the running processes for me.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015

    Advertisements

Register to Remove


#17 entropy1120

entropy1120

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 01 October 2009 - 07:36 PM

avgtray.exe cinetray.exe cmd.exe csrss.exe CTSysVol.exe DefMgr.exe dwm.exe ehmsas.exe ehtray.exe explorer.exe firefox.exe iTunesHelper jusched.exe KHALMNPR.exe mobsync.exe MSASCui.exe MtdAcqu.exe rundll32.exe SetPoint.exe sidebar.exe taskeng.exe taskmgr.exe winlogon.exe wmpnscfg.exe Ymsg_tray.exe

#18 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 01 October 2009 - 07:58 PM

OK, none of those seem to be an issue, have you been able to save ComboFix to a USB

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#19 entropy1120

entropy1120

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 01 October 2009 - 08:04 PM

i have a USB, it won't save.

#20 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 01 October 2009 - 08:32 PM

Can you go into safe mode with networking and try and save the programs to your desktop and run them from safe mode.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#21 entropy1120

entropy1120

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 02 October 2009 - 07:05 PM

combo fix loaded from another computer on to usb port, this is the report:

ComboFix 09-10-01.05 - Jennifer 10/02/2009 18:55.4.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.1525.852 [GMT -5:00]
Running from: c:\users\Jennifer\Downloads\ComboFix.com
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-09-02 to 2009-10-02 )))))))))))))))))))))))))))))))
.

2009-10-03 00:01 . 2009-10-03 00:01 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2009-10-03 00:01 . 2009-10-03 00:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-10-03 00:01 . 2009-10-03 00:01 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-10-03 00:01 . 2009-10-03 00:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-03 00:01 . 2009-10-03 00:02 -------- d-----w- c:\users\Jennifer\AppData\Local\temp
2009-10-02 13:15 . 2009-08-07 02:24 44768 ----a-w- c:\windows\system32\wups2.dll
2009-10-02 13:15 . 2009-08-07 02:24 53472 ----a-w- c:\windows\system32\wuauclt.exe
2009-10-02 13:15 . 2009-08-07 01:45 2421760 ----a-w- c:\windows\system32\wucltux.dll
2009-10-02 13:15 . 2009-08-07 02:23 1929952 ----a-w- c:\windows\system32\wuaueng.dll
2009-10-02 13:14 . 2009-08-07 02:24 35552 ----a-w- c:\windows\system32\wups.dll
2009-10-02 13:14 . 2009-08-07 02:23 575704 ----a-w- c:\windows\system32\wuapi.dll
2009-10-02 13:14 . 2009-08-07 01:44 87552 ----a-w- c:\windows\system32\wudriver.dll
2009-10-02 13:14 . 2009-08-07 00:23 171608 ----a-w- c:\windows\system32\wuwebv.dll
2009-10-02 13:14 . 2009-08-06 23:44 33792 ----a-w- c:\windows\system32\wuapp.exe
2009-09-30 18:07 . 2009-09-30 18:07 -------- d-----w- c:\windows\Sun
2009-09-28 23:30 . 2009-09-28 23:33 -------- d-----w- c:\windows\system32\ca-ES
2009-09-28 23:30 . 2009-09-28 23:33 -------- d-----w- c:\windows\system32\eu-ES
2009-09-28 23:30 . 2009-09-28 23:33 -------- d-----w- c:\windows\system32\vi-VN
2009-09-28 23:08 . 2009-09-28 23:08 -------- d-----w- c:\windows\system32\EventProviders
2009-09-28 02:33 . 2009-10-02 13:08 0 ----a-r- c:\windows\win32k.sys
2009-09-27 18:43 . 2009-09-27 18:43 -------- d-----w- c:\users\Jennifer\AppData\Local\Adobe
2009-09-25 03:31 . 2009-09-25 03:31 -------- d-----w- c:\program files\PocketRAR
2009-09-24 03:16 . 2009-04-11 06:28 327168 ----a-w- c:\windows\system32\P2PGraph.dll
2009-09-24 03:15 . 2009-04-11 06:28 69632 ----a-w- c:\windows\system32\sendmail.dll
2009-09-17 00:10 . 2009-09-17 00:10 -------- d-----w- c:\users\Jennifer\AppData\Local\Apple
2009-09-10 23:07 . 2009-09-19 02:11 -------- d-----w- c:\users\Jennifer\AppData\Local\Apple Computer
2009-09-10 22:18 . 2009-09-10 22:18 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Malwarebytes
2009-09-10 22:18 . 2009-09-10 22:18 -------- d-----w- c:\programdata\Malwarebytes
2009-09-09 16:31 . 2009-09-09 16:31 -------- d-----w- c:\program files\iPod
2009-09-09 16:31 . 2009-09-09 16:31 -------- d-----w- c:\program files\iTunes
2009-09-07 23:52 . 2009-09-07 23:52 -------- d-----w- c:\program files\Trend Micro
2009-09-06 20:44 . 2009-09-06 20:44 -------- d-----w- c:\users\Jennifer\AppData\Roaming\dBpoweramp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-02 22:51 . 2008-02-13 04:01 680 ----a-w- c:\users\Jennifer\AppData\Local\d3d9caps.dat
2009-10-01 04:45 . 2009-01-26 17:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-28 23:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Calendar
2009-09-28 23:34 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-28 23:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Sidebar
2009-09-28 23:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Journal
2009-09-28 23:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Collaboration
2009-09-28 23:34 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Photo Gallery
2009-09-28 23:33 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2009-09-28 23:00 . 2009-03-04 03:31 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Azureus
2009-09-28 12:23 . 2009-03-04 03:28 -------- d-----w- c:\program files\Vuze
2009-09-14 02:08 . 2008-10-09 18:10 -------- d-----w- c:\program files\Java
2009-09-14 01:55 . 2009-08-23 19:36 -------- d-----w- c:\programdata\Yahoo! Companion
2009-09-09 16:38 . 2008-03-20 23:19 -------- d-----w- c:\program files\Safari
2009-09-09 16:31 . 2008-02-16 01:02 -------- d-----w- c:\program files\Common Files\Apple
2009-08-30 02:26 . 2009-08-30 02:27 286720 ----a-w- c:\windows\iun502.exe
2009-08-29 21:06 . 2009-01-26 17:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-29 17:18 . 2009-08-29 17:18 -------- d-----w- c:\users\Jennifer\AppData\Roaming\AccurateRip
2009-08-29 17:18 . 2009-08-29 17:18 14373 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-08-29 17:16 . 2009-08-29 17:16 2989 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-08-29 17:16 . 2009-08-29 17:16 -------- d-----w- c:\program files\Illustrate
2009-08-29 17:15 . 2009-08-29 17:16 5433520 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-08-29 00:27 . 2009-09-02 21:42 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-29 00:14 . 2009-09-02 21:42 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-25 00:53 . 2008-09-30 04:33 -------- d-----w- c:\program files\Yahoo!
2009-08-23 19:37 . 2008-10-07 22:21 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Yahoo!
2009-08-23 19:37 . 2009-08-23 19:37 262144 ----a-w- C:\ntuser.dat
2009-08-23 19:36 . 2009-03-02 17:44 -------- d-----w- c:\programdata\Yahoo!
2009-08-20 18:32 . 2009-01-26 18:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 18:32 . 2009-01-26 18:26 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-20 18:32 . 2009-01-26 18:26 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 16:27 . 2009-09-09 20:35 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 15:53 . 2009-09-09 20:35 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 13:49 . 2009-09-09 20:35 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 13:49 . 2009-09-09 20:35 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 13:49 . 2009-09-09 20:35 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 13:49 . 2009-09-09 20:35 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 13:49 . 2009-09-09 20:35 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 13:49 . 2009-09-09 20:35 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 13:49 . 2009-09-09 20:35 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 13:48 . 2009-09-09 20:35 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2009-08-14 13:48 . 2009-09-09 20:35 105984 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-12 19:09 . 2009-06-29 20:32 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-08-08 20:07 . 2009-08-08 20:07 -------- d-----w- c:\program files\Performance Designed Products
2009-07-25 10:23 . 2009-01-26 18:35 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-18 16:01 . 2009-07-28 21:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 11:35 . 2009-07-28 21:49 828416 ----a-w- c:\windows\system32\wininet.dll
2009-07-17 13:54 . 2009-08-12 18:26 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-15 12:40 . 2009-08-12 18:25 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-15 12:39 . 2009-08-12 18:26 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-15 12:39 . 2009-08-12 18:26 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-15 12:39 . 2009-08-12 18:25 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-11 19:01 . 2009-09-09 20:35 513536 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:01 . 2009-09-09 20:35 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:01 . 2009-09-09 20:35 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:01 . 2009-09-09 20:35 65024 ----a-w- c:\windows\system32\wlanapi.dll
2009-07-11 17:03 . 2009-09-09 20:35 127488 ----a-w- c:\windows\system32\L2SecHC.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-10-02_22.08.45 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-14 04:24 . 2009-10-02 22:53 43802 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-10-02 22:10 62140 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:02 . 2009-10-02 23:04 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-10-02 21:16 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:02 . 2009-10-02 21:16 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 13:02 . 2009-10-02 23:04 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-02-13 04:02 . 2009-10-02 22:10 9068 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1631534276-1343516910-3914046087-1000_UserData.bin
+ 2009-10-02 22:50 . 2009-10-02 22:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-10-02 22:50 . 2009-10-02 22:50 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-10-02 22:55 594698 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-02 21:41 594698 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-10-02 21:41 100766 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-10-02 22:55 100766 c:\windows\System32\perfc009.dat
+ 2006-11-02 13:02 . 2009-10-02 23:04 1245184 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:02 . 2009-10-02 21:16 1245184 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-09-21 520024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-10-02 2023704]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"P17Helper"="P17.dll" - c:\windows\System32\P17.DLL [2005-05-03 64512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-10 692224]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(B):23,f6,a6,4d,95,40,ca,01

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D504D880-95D1-492C-ADAE-B576E239216B}"= Disabled:UDP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{A71B1F9C-9255-4273-8ADB-31B3ADFE0F98}"= Disabled:TCP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"TCP Query User{3B996448-D309-4C77-A2B7-C4D414232053}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{5521154B-CBFB-4B8C-A075-B1A56F929EF5}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{6F1839D4-9B31-4C83-AE8C-1BF363CA5A37}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{5ECC7B7D-9FE9-4625-AF91-FE8869B0E635}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{043E93E7-5410-49E1-A795-EB9D7352155F}c:\\program files\\gamehouse\\gemdrop\\gemdrop.exe"= UDP:c:\program files\gamehouse\gemdrop\gemdrop.exe:Super Gem Drop
"UDP Query User{DA3CDD47-60B6-494D-A1DA-C02887DFFA7D}c:\\program files\\gamehouse\\gemdrop\\gemdrop.exe"= TCP:c:\program files\gamehouse\gemdrop\gemdrop.exe:Super Gem Drop
"{EEFACC1F-CBBC-4EC3-9E24-0B943DC59D57}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{F13C2B37-4D30-449C-BABB-38D400F161E9}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{CA32CC9B-8A1B-40D3-A59C-0405F8052CEC}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5442C98F-B894-4B74-9C31-CA6C3FD111A3}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{A006F9C2-4AB7-4093-ABB9-EDC5A41BF38B}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{89E20C78-02BA-4802-AAE5-F9EC73EC54D6}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{BE3817D7-E7B6-49F8-96AA-4D505FC45CB7}"= UDP:c:\program files\BearShare Applications\BearShare\BearShare.exe:BearShare
"{F832FD03-118A-48A8-917E-01EB630DEBCD}"= TCP:c:\program files\BearShare Applications\BearShare\BearShare.exe:BearShare
"{89DD3D8B-A51F-449E-B250-7A408159C289}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{812F4C17-BB33-4451-9C2A-00C9B359DA72}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{27E7C1C8-D77C-4283-A51A-BE245F9240A1}c:\\imt\\server32.exe"= UDP:c:\imt\server32.exe:WEBRAMI2
"UDP Query User{583E76B3-288C-45A1-90BA-5958E46759D8}c:\\imt\\server32.exe"= TCP:c:\imt\server32.exe:WEBRAMI2
"{D252D218-FF26-4F53-A931-F816804FFCD1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{349621B6-92C4-4924-9C59-07787D5F44FE}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [5/18/2009 12:23 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/26/2009 1:26 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/6/2009 10:05 AM 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/29/2009 3:31 PM 297752]
R3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [11/2/2006 5:25 AM 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [11/2/2006 5:25 AM 251904]
S2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/29/2009 3:31 PM 908056]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1028432]
.
Contents of the 'Scheduled Tasks' folder

2009-09-28 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:19]

2009-10-02 c:\windows\Tasks\User_Feed_Synchronization-{5B8F40E9-6CDA-465A-B342-AF080453C573}.job
- c:\windows\system32\msfeedssync.exe [2008-09-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\srwuzhzv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=SOLTDF&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser/ws/redir?_iceUrl=true&user_id=16934311&tool_id=61057&qkw=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\srwuzhzv.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 19:02
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4224)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2009-10-03 19:04
ComboFix-quarantined-files.txt 2009-10-03 00:04
ComboFix2.txt 2009-10-02 22:14
ComboFix3.txt 2009-09-14 00:55

Pre-Run: 178,572,460,032 bytes free
Post-Run: 178,533,216,256 bytes free

251 --- E O F --- 2009-09-29 11:59

#22 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 02 October 2009 - 07:13 PM

Hi, Can you please navigate to C:\Qoobox and post the previous combofix logs. Also describe how your computer is running now and if there are any outstanding issues

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#23 entropy1120

entropy1120

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 02 October 2009 - 07:42 PM

still unable to access most apps. cannot even open new text doc. internet is running fine,of course. i did say after i ran last combofix that i didn't have permission to open firefox. had to reboot.


2009-10-02 22:12:56 . 2009-10-02 22:12:56 171 ----a-w- C:\Qoobox\Quarantine\Registry_backups\WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C}.reg.dat
2009-10-02 22:03:58 . 2009-10-02 22:03:58 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}.reg.dat
2009-10-02 22:03:58 . 2009-10-02 22:03:58 1,046 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}.reg.dat
2009-10-02 22:03:40 . 2009-10-03 00:00:16 4,009 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-10-02 21:34:26 . 2009-10-02 23:55:10 124 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-09-28 02:33:43 . 2009-09-28 02:33:31 150,528 ----a-w- C:\Qoobox\Quarantine\C\Windows\msa.exe.vir
2006-11-02 08:43:04 . 2006-11-02 09:46:03 61,952 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\cngaudit.dll.vir


ComboFix 09-09-13.04 - Jennifer 09/13/2009 19:46.2.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1525.806 [GMT -5:00]
Running from: c:\users\Jennifer\Downloads\ComboFix.exe
Command switches used :: c:\users\Jennifer\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-14 00:53 . 2009-09-14 00:53 -------- d-----w- c:\users\Jennifer\AppData\Local\temp
2009-09-14 00:53 . 2009-09-14 00:53 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-09-14 00:53 . 2009-09-14 00:53 -------- d-----w- c:\users\Mcx1\AppData\Local\temp
2009-09-14 00:53 . 2009-09-14 00:53 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-09-10 23:07 . 2009-09-10 23:07 -------- d-----w- c:\users\Jennifer\AppData\Local\Apple Computer
2009-09-10 22:18 . 2009-09-10 22:18 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Malwarebytes
2009-09-10 22:18 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 22:18 . 2009-09-10 22:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-10 22:18 . 2009-09-10 22:18 -------- d-----w- c:\programdata\Malwarebytes
2009-09-10 22:18 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-09 16:31 . 2009-09-09 16:31 -------- d-----w- c:\program files\iPod
2009-09-09 16:31 . 2009-09-09 16:31 -------- d-----w- c:\program files\iTunes
2009-09-07 23:52 . 2009-09-07 23:52 -------- d-----w- c:\program files\Trend Micro
2009-09-06 20:44 . 2009-09-06 20:44 -------- d-----w- c:\users\Jennifer\AppData\Roaming\dBpoweramp
2009-09-02 21:42 . 2009-08-28 12:39 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-09-02 21:42 . 2009-08-28 10:15 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-30 02:27 . 2009-08-30 02:26 286720 ----a-w- c:\windows\iun502.exe
2009-08-30 02:26 . 2009-08-30 02:29 -------- d-----w- C:\IMT
2009-08-30 02:05 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-30 02:05 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-30 02:05 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-30 02:05 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-30 02:05 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-30 02:05 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-30 02:05 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-30 02:05 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-29 17:18 . 2009-08-29 17:18 -------- d-----w- c:\users\Jennifer\AppData\Roaming\AccurateRip
2009-08-29 17:18 . 2009-08-29 17:18 14373 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp Music Converter.dat
2009-08-29 17:16 . 2009-08-29 17:16 2989 ----a-w- c:\windows\system32\SpoonUninstall-dBpoweramp FLAC Codec.dat
2009-08-29 17:16 . 2009-08-29 17:15 5433520 ----a-w- c:\windows\system32\SpoonUninstall.exe
2009-08-29 17:16 . 2009-08-29 17:16 -------- d-----w- c:\program files\Illustrate
2009-08-26 08:01 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-23 19:37 . 2009-08-23 19:37 262144 ----a-w- C:\ntuser.dat
2009-08-23 19:36 . 2009-08-30 01:50 -------- d-----w- c:\programdata\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-13 22:49 . 2008-02-13 04:01 680 ----a-w- c:\users\Jennifer\AppData\Local\d3d9caps.dat
2009-09-13 17:35 . 2009-03-04 03:31 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Azureus
2009-09-10 08:11 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-09-09 16:38 . 2008-03-20 23:19 -------- d-----w- c:\program files\Safari
2009-09-09 16:31 . 2008-02-16 01:02 -------- d-----w- c:\program files\Common Files\Apple
2009-09-07 22:49 . 2009-01-26 17:26 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-09-03 19:25 . 2009-03-04 03:28 -------- d-----w- c:\program files\Vuze
2009-08-29 21:06 . 2009-01-26 17:26 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-25 00:53 . 2008-09-30 04:33 -------- d-----w- c:\program files\Yahoo!
2009-08-23 19:37 . 2008-10-07 22:21 -------- d-----w- c:\users\Jennifer\AppData\Roaming\Yahoo!
2009-08-23 19:36 . 2009-03-02 17:44 -------- d-----w- c:\programdata\Yahoo!
2009-08-20 18:32 . 2009-01-26 18:27 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-20 18:32 . 2009-01-26 18:26 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-20 18:32 . 2009-01-26 18:26 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-14 17:07 . 2009-09-09 20:35 897608 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-09 20:35 104960 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-09 20:35 17920 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-09 20:35 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-09 20:35 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-09 20:35 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-09 20:35 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-09 20:35 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-09 20:35 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-09 20:35 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-12 19:09 . 2009-06-29 20:32 -------- d-----w- c:\programdata\AVG Security Toolbar
2009-08-08 20:07 . 2009-08-08 20:07 -------- d-----w- c:\program files\Performance Designed Products
2009-07-24 20:10 . 2009-03-25 01:55 -------- d-----w- c:\program files\BearShare Applications
2009-07-18 16:06 . 2009-07-28 21:49 827904 ----a-w- c:\windows\system32\wininet.dll
2009-07-18 16:01 . 2009-07-28 21:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-07-18 09:46 . 2009-07-28 21:49 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-17 14:35 . 2009-08-12 18:26 71680 ----a-w- c:\windows\system32\atl.dll
2009-07-14 13:00 . 2009-08-12 18:26 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-14 12:59 . 2009-08-12 18:25 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-07-14 12:58 . 2009-08-12 18:25 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-07-14 10:59 . 2009-08-12 18:25 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-07-11 19:32 . 2009-09-09 20:35 513024 ----a-w- c:\windows\system32\wlansvc.dll
2009-07-11 19:32 . 2009-09-09 20:35 302592 ----a-w- c:\windows\system32\wlansec.dll
2009-07-11 19:32 . 2009-09-09 20:35 293376 ----a-w- c:\windows\system32\wlanmsm.dll
2009-07-11 19:29 . 2009-09-09 20:35 127488 ----a-w- c:\windows\system32\L2SecHC.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-13_22.43.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-14 04:24 . 2009-09-13 22:51 43032 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-09-13 22:51 61038 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2006-11-02 13:02 . 2009-09-13 22:29 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-09-14 00:41 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2006-11-02 13:02 . 2009-09-14 00:41 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 13:02 . 2009-09-13 22:29 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-02-13 04:02 . 2009-09-13 22:51 8470 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1631534276-1343516910-3914046087-1000_UserData.bin
- 2009-09-10 23:05 . 2009-09-13 17:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-09-13 22:49 . 2009-09-13 22:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-09-13 22:49 . 2009-09-13 22:49 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-09-10 23:05 . 2009-09-13 17:37 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2006-11-02 13:02 . 2009-09-13 22:29 1245184 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:02 . 2009-09-14 00:41 1245184 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"MtdAcqu"="c:\program files\Creative\MediaSource5\MtdAcqu.exe" [2006-03-08 278528]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2009-05-27 4351216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-10-31 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-13 520024]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-08-20 2007832]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-10 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-23 111856]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"P17Helper"="P17.dll" - c:\windows\System32\P17.DLL [2005-05-03 64512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-04-11 56080]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-10 692224]
Sonic CinePlayer Quick Launch.lnk - c:\program files\Common Files\Sonic Shared\CineTray.exe [2006-7-25 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{D504D880-95D1-492C-ADAE-B576E239216B}"= Disabled:UDP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"{A71B1F9C-9255-4273-8ADB-31B3ADFE0F98}"= Disabled:TCP:c:\program files\MySpace\IM\MySpaceIM.exe:MySpaceIM
"TCP Query User{3B996448-D309-4C77-A2B7-C4D414232053}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{5521154B-CBFB-4B8C-A075-B1A56F929EF5}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{6F1839D4-9B31-4C83-AE8C-1BF363CA5A37}c:\\program files\\itunes\\itunes.exe"= UDP:c:\program files\itunes\itunes.exe:iTunes
"UDP Query User{5ECC7B7D-9FE9-4625-AF91-FE8869B0E635}c:\\program files\\itunes\\itunes.exe"= TCP:c:\program files\itunes\itunes.exe:iTunes
"TCP Query User{043E93E7-5410-49E1-A795-EB9D7352155F}c:\\program files\\gamehouse\\gemdrop\\gemdrop.exe"= UDP:c:\program files\gamehouse\gemdrop\gemdrop.exe:Super Gem Drop
"UDP Query User{DA3CDD47-60B6-494D-A1DA-C02887DFFA7D}c:\\program files\\gamehouse\\gemdrop\\gemdrop.exe"= TCP:c:\program files\gamehouse\gemdrop\gemdrop.exe:Super Gem Drop
"{EEFACC1F-CBBC-4EC3-9E24-0B943DC59D57}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{F13C2B37-4D30-449C-BABB-38D400F161E9}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{CA32CC9B-8A1B-40D3-A59C-0405F8052CEC}"= UDP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{5442C98F-B894-4B74-9C31-CA6C3FD111A3}"= TCP:c:\program files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"TCP Query User{A006F9C2-4AB7-4093-ABB9-EDC5A41BF38B}c:\\program files\\vuze\\azureus.exe"= UDP:c:\program files\vuze\azureus.exe:Azureus
"UDP Query User{89E20C78-02BA-4802-AAE5-F9EC73EC54D6}c:\\program files\\vuze\\azureus.exe"= TCP:c:\program files\vuze\azureus.exe:Azureus
"{BE3817D7-E7B6-49F8-96AA-4D505FC45CB7}"= UDP:c:\program files\BearShare Applications\BearShare\BearShare.exe:BearShare
"{F832FD03-118A-48A8-917E-01EB630DEBCD}"= TCP:c:\program files\BearShare Applications\BearShare\BearShare.exe:BearShare
"{89DD3D8B-A51F-449E-B250-7A408159C289}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{812F4C17-BB33-4451-9C2A-00C9B359DA72}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{27E7C1C8-D77C-4283-A51A-BE245F9240A1}c:\\imt\\server32.exe"= UDP:c:\imt\server32.exe:WEBRAMI2
"UDP Query User{583E76B3-288C-45A1-90BA-5958E46759D8}c:\\imt\\server32.exe"= TCP:c:\imt\server32.exe:WEBRAMI2
"{D252D218-FF26-4F53-A931-F816804FFCD1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{349621B6-92C4-4924-9C59-07787D5F44FE}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [5/18/2009 12:23 PM 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [1/26/2009 1:26 PM 335240]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [2/6/2009 10:05 AM 108552]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [6/29/2009 3:31 PM 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [6/29/2009 3:31 PM 297752]
R3 VST_DPV;VST_DPV;c:\windows\System32\drivers\VSTDPV3.SYS [11/2/2006 5:25 AM 987648]
R3 VSTHWBS2;VSTHWBS2;c:\windows\System32\drivers\VSTBS23.SYS [11/2/2006 5:25 AM 251904]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [1/18/2009 4:34 PM 1029456]
.
Contents of the 'Scheduled Tasks' folder

2009-09-07 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 17:22]

2009-09-13 c:\windows\Tasks\User_Feed_Synchronization-{5B8F40E9-6CDA-465A-B342-AF080453C573}.job
- c:\windows\system32\msfeedssync.exe [2008-09-20 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\srwuzhzv.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://ws.infospace.com/coolchaser/ws/redir?_iceUrl=true&user_id=16934311&tool_id=61057&qkw=
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - component: c:\users\Jennifer\AppData\Roaming\Mozilla\Firefox\Profiles\srwuzhzv.default\extensions\{a2880346-35bb-45bb-9190-eedb49c132c5}\components\Engine.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
BHO-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-13 19:53
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(308)
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2009-09-14 19:55
ComboFix-quarantined-files.txt 2009-09-14 00:55
ComboFix2.txt 2009-09-13 22:45

Pre-Run: 158,172,528,640 bytes free
Post-Run: 158,131,916,800 bytes free

237 --- E O F --- 2009-09-10 14:33

#24 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 02 October 2009 - 09:59 PM

Hi.


Please try the inherit program again. You should no be able to download and save it to your desktop.

Download Inherit and save it to your desk top
Drag each of the exe files that you are unable to run into Inherit.exe (must be the exe - not the shortcut)
Then wait for it to say "OK"


NEXT

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#25 entropy1120

entropy1120

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 03 October 2009 - 12:25 PM

ok, dragged files into inherit.

Edited by entropy1120, 03 October 2009 - 12:29 PM.

    Advertisements

Register to Remove


#26 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 03 October 2009 - 12:32 PM

can you now run Malwarebytes?

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#27 entropy1120

entropy1120

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 03 October 2009 - 12:48 PM

still can't acces hijackthis,adaware or avg. should i delete them and re-download? Malwarebytes' Anti-Malware 1.41 Database version: 2900 Windows 6.0.6002 Service Pack 2 10/3/2009 1:40:50 PM mbam-log-2009-10-03 (13-40-50).txt Scan type: Quick Scan Objects scanned: 90866 Time elapsed: 7 minute(s), 45 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 1 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: C:\Windows\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.

#28 CatByte

CatByte

    Classroom Administrator

  • Classroom Admin
  • 21,059 posts
  • MVP

Posted 03 October 2009 - 12:52 PM

Lets wait till the computer is completely clean first.

Delete the copy of ComboFix that you have on your desktop.

Download a fresh copy from one of the following links:

Link 1
Link 2


rerun it, making sure all your security programs are disabled. If you cannot disable them because they will not function, then please uninstall them. (don't surf the internet until an av is reinstalled)

Microsoft MVP 2010, 2011, 2012, 2013, 2014, 2015


#29 entropy1120

entropy1120

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 03 October 2009 - 01:10 PM

it's not on my desktop. it was opened through usb.

#30 entropy1120

entropy1120

    Authentic Member

  • Authentic Member
  • PipPip
  • 70 posts

Posted 03 October 2009 - 01:14 PM

combofix won't save to desktop.

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users