
fizipime, Vundo-9 and others


9 replies to this topic

#1 biggsy

biggsy

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 10 March 2009 - 09:35 AM

Hello everyone.

I've run Trend Micro Internet Security scan, AdAware and S&D and I am still having issues. Trend Micro has recently been popping up warnings about possible Vundo-9 infections, but does not offer me a good solution to fix the issue. It provides a link to their site that has instructions which are less than adequate and tries to educate me on the threat, but once again does not offer me a solution on how to fix it.

I've gone into MSCONFIG and turned off at least 6 or 7 processes that should not have been running that I could not even find when I did an internet search.

Once again thanks for taking a look at my issue. I appreciate your time.

John



#2 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:30 AM

Posted 21 March 2009 - 07:56 AM

Please visit the following link and use the instructions there to post a ComboFix log as a reply to this topic:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

After running ComboFix, please post the ComboFix log as a reply to this

#3 biggsy

biggsy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 24 March 2009 - 01:44 AM

Thanks for your response. The log is posted below.


ComboFix 09-03-22.01 - Administrator 2009-03-24 2:30:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1714 [GMT -4:00]
Running from: c:\documents and settings\Administrator\My Documents\Downloads\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\inst.exe
c:\windows\system32\__c00E8418.dat
c:\windows\system32\~.exe
c:\windows\system32\gomejeno.dll
c:\windows\system32\higahayi.dll
c:\windows\system32\votilute.dll
K:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-19 13:44 . 2009-03-19 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-03-18 11:11 . 2009-03-18 11:11 95 --a------ c:\windows\wininit.ini
2009-03-14 16:58 . 2009-03-14 16:59 <DIR> d-------- c:\program files\iTunes
2009-03-14 16:58 . 2009-03-14 16:58 <DIR> d-------- c:\program files\iPod
2009-03-14 16:58 . 2009-03-14 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 16:54 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-11 12:22 . 2009-03-11 12:22 <DIR> d-------- c:\program files\Unlocker
2009-03-11 09:40 . 2009-03-11 09:40 <DIR> d-------- C:\VundoFix Backups
2009-03-10 16:10 . 2009-03-10 16:10 <DIR> d--h-c--- c:\windows\ie8
2009-03-03 19:31 . 2009-03-03 19:31 2,713 ---hs---- c:\windows\system32\hutapasi.dll
2009-03-03 19:30 . 2009-03-03 19:30 2,713 ---hs---- c:\windows\system32\vifuhiya.dll
2009-03-03 19:30 . 2009-03-03 19:30 2,713 ---hs---- c:\windows\system32\mugatoma.dll
2009-02-26 11:43 . 2009-02-27 06:57 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 11:42 . 2009-02-26 11:42 <DIR> d-------- c:\windows\Downloaded Installations
2009-02-26 11:42 . 2009-02-26 11:42 <DIR> d-------- c:\program files\EnergyGauge
2009-02-26 11:42 . 2009-02-26 11:42 <DIR> d-------- c:\program files\Common Files\Borland Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 13:18 --------- d-----w c:\documents and settings\All Users\Application Data\1Click DVD Copy
2009-03-23 12:53 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-23 12:12 --------- d-----w c:\documents and settings\Administrator\Application Data\Vso
2009-03-23 07:17 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-18 14:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-14 20:58 --------- d-----w c:\program files\Common Files\Apple
2009-03-14 20:57 --------- d-----w c:\program files\QuickTime
2009-03-10 14:25 --------- d-----w c:\program files\Trend Micro
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 22:28 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-26 15:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-23 15:22 --------- d-----w c:\program files\Dell
2009-02-23 14:46 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-21 14:06 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-02-17 23:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-17 22:22 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-17 22:22 --------- d-----w c:\program files\Lavasoft
2009-02-16 19:52 18,816 ----a-w c:\windows\system32\drivers\dvd43llh.sys
2009-02-16 19:52 --------- d-----w c:\program files\dvd43
2009-02-16 19:51 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-02-16 19:51 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2009-02-16 19:51 --------- d-----w c:\program files\LG Software Innovations
2009-02-14 15:43 --------- d-----w c:\program files\Safari
2009-02-12 15:50 16,384 ----a-w c:\windows\DCEBoot.exe
2009-02-12 12:53 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-11 17:01 --------- d-----w c:\program files\Google
2009-02-09 15:34 --------- d-----w c:\program files\AceBIT
2009-02-06 21:27 --------- d-----w c:\documents and settings\Administrator\Application Data\BitTorrent
2009-01-30 09:07 --------- d-----w c:\program files\Simpson
2009-01-29 23:19 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-25 14:51 --------- d-----w c:\program files\Bonjour
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-03 515416]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-11 21:27 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 23:46 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2009-01-14 18:32 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 17:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2009-02-06 17:27 177472 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-01-20 08:20 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2008-11-17 19:50 827904 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 17:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2009-02-12 04:41 133104 c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2006-10-27 01:47 31016 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 17:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-03-12 20:56 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-12-26 04:08 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-09-22 19:12 1398024 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2001-10-10 16:59 270336 c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-20 20:00 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmProxy.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\SfCtlCom.exe"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-17 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-02-12 52240]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-18 36368]
R3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2001-12-21 303232]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-02-18 333328]
R3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2009-02-12 488768]
R3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-02-12 648456]
S2 gupdate1c986bb8c656974;Google Update Service (gupdate1c986bb8c656974);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 133104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\Launch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-23 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-03 18:28]

2009-03-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-02-04 07:27]

2009-03-24 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 07:27]

2009-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1035525444-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 04:41]
.
- - - - ORPHANS REMOVED - - - -

BHO-{9f28b197-81b3-48b1-8206-2e340bcabc58} - c:\windows\system32\vepeyivo.dll
HKLM-Run-CPM9724b954 - c:\windows\system32\ledinuda.dll
Notify-__c00E8418 - c:\windows\system32\__c00E8418.dat
MSConfigStartUp-000000af - c:\windows\system32\zajamudu.dll
MSConfigStartUp-94178ac8 - c:\windows\system32\zitakozi.dll
MSConfigStartUp-CPM9724b954 - c:\windows\system32\zohubuwu.dll
MSConfigStartUp-explorer - c:\windows\system32\explorer32.exe
MSConfigStartUp-fupepasina - c:\windows\system32\votilute.dll
MSConfigStartUp-PoliceAV - c:\program files\XPPoliceAntivirus\xppolice.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 02:33:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1035525444-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8f,0d,05,03,a7,cb,3b,40,8d,bd,76,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,8f,0d,05,03,a7,cb,3b,40,8d,bd,76,\

[HKEY_USERS\S-1-5-21-1060284298-1035525444-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1036)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Trend Micro\Internet Security\SfCtlCom.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-03-24 2:39:16 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-24 06:39:12

Pre-Run: 193,669,402,624 bytes free
Post-Run: 193,648,492,544 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

273 --- E O F --- 2009-01-12 13:48:33



Edited by biggsy, 24 March 2009 - 01:45 AM.


#4 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:08:30 AM

Posted 27 March 2009 - 01:47 PM

Sorry for the delay.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Dirlook::
c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

File::
c:\windows\DCEBoot.exe
c:\windows\system32\hutapasi.dll
c:\windows\system32\vifuhiya.dll
c:\windows\system32\mugatoma.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000000
"UpdatesDisableNotify"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000000


Reglock::
[HKEY_USERS\S-1-5-21-1060284298-1035525444-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-1060284298-1035525444-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]


Save this as the text file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.
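The ComboFix output posted earlier and the Registry:: block in this reply point at two things worth automating when triaging such a log: DLLs in system32 carrying both the hidden and system attributes with random-looking names (several of identical size, created in batches), and the Security Center values that suppress the user's antivirus, firewall and update warnings. The Python below is an added example for this page, not a ComboFix or BleepingComputer tool; it parses an excerpt assembled from log lines posted in this thread, and its consonant/vowel name-shape heuristic is an assumption drawn from the names seen here, not a documented indicator.

```python
"""Triage a ComboFix log excerpt for the two indicators dealt with in this thread:
hidden+system DLLs with random-looking names in system32, and Windows Security
Center notification/monitoring flags switched off.  Added example, not a ComboFix tool."""
import re
from collections import defaultdict

# Constructed excerpt: lines copied from logs posted in this thread, covering the
# "Files Created" format (two timestamps) and the "Find3M" format (one timestamp).
SAMPLE_LOG = r'''
2009-03-14 16:54 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-03 19:31 . 2009-03-03 19:31 2,713 ---hs---- c:\windows\system32\hutapasi.dll
2009-03-03 19:30 . 2009-03-03 19:30 2,713 ---hs---- c:\windows\system32\vifuhiya.dll
2009-03-03 19:30 . 2009-03-03 19:30 2,713 ---hs---- c:\windows\system32\mugatoma.dll
2009-03-18 11:33 5,811 --sha-w c:\windows\system32\vezudolo.dll
2009-03-18 11:33 5,811 --sha-w c:\windows\system32\vepijaje.dll
2009-03-28 07:20 --------- d-----w c:\program files\Mozilla Thunderbird
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
'''

# A file line: created timestamp, optional ". modified" timestamp, then a size,
# <DIR> or dashes, the attribute flags, and the path.
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}(?: \. \d{4}-\d{2}-\d{2} \d{2}:\d{2})?"
    r"\s+(?P<size><DIR>|-+|[\d,]+)\s+(?P<attrs>[-a-z]+)\s+(?P<path>[a-z]:\\.+)$",
    re.IGNORECASE,
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-f]{8})$', re.IGNORECASE)
# Security Center values that silence warnings when non-zero: the XP SP2 notification
# flags (FirewallDisableNotify is the sibling absent from this log) and DisableMonitoring.
SUPPRESSION_VALUES = {"AntiVirusDisableNotify", "UpdatesDisableNotify",
                      "FirewallDisableNotify", "DisableMonitoring"}
VOWELS = set("aeiou")


def looks_generated(stem):
    """Heuristic written for this example: eight lowercase letters alternating
    consonant/vowel, the shape shared by the Vundo DLL names in this thread."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return all((ch in VOWELS) == (i % 2 == 1) for i, ch in enumerate(stem))


def scan_files(lines):
    """Flag files under system32 whose attributes carry both hidden (h) and
    system (s), noting whether the name also fits the generated-name shape."""
    hits = []
    for line in lines:
        m = FILE_LINE.match(line)
        if not m or m.group("size") == "<DIR>":
            continue
        attrs, path = m.group("attrs").lower(), m.group("path")
        if "\\system32\\" in path.lower() and "h" in attrs and "s" in attrs:
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            hits.append({"path": path, "size": m.group("size"), "attrs": attrs,
                         "generated_name": looks_generated(stem)})
    return hits


def size_clusters(hits, minimum=2):
    """Group flagged files by size: several tiny hidden DLLs of identical size
    (2,713 bytes, later 5,811 bytes) is the batch pattern in this thread's logs."""
    by_size = defaultdict(list)
    for hit in hits:
        by_size[hit["size"]].append(hit["path"])
    return {size: paths for size, paths in by_size.items() if len(paths) >= minimum}


def scan_security_center(lines):
    """Return (key, value name) pairs under the Security Center key whose
    notification or monitoring flag is a non-zero DWORD."""
    findings, current = [], None
    for line in lines:
        key = REG_KEY.match(line)
        if key:
            current = key.group("key")
            continue
        val = REG_DWORD.match(line)
        if (val and current and "security center" in current.lower()
                and val.group("name") in SUPPRESSION_VALUES
                and int(val.group("value"), 16) != 0):
            findings.append((current, val.group("name")))
    return findings


def registry_reset_lines(findings):
    """Render findings as REGEDIT4-style lines that set each flag back to 0, the
    same shape as the Registry:: section of the CFScript in this reply."""
    out, last_key = [], None
    for key, name in findings:
        if key != last_key:
            out.append(f"[{key}]")
            last_key = key
        out.append(f'"{name}"=dword:00000000')
    return out
```

On a full log the hidden+system attribute check is the primary signal; the name-shape test only annotates a hit and should not be used on its own.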

#5 biggsy

biggsy
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:30 AM

Posted 28 March 2009 - 11:23 AM

Hi Lawrence,

Thanks for the response. Here is the new ComboFix log.

John

ComboFix 09-03-27.02 - Administrator 2009-03-28 12:18:19.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2556 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-28 )))))))))))))))))))))))))))))))
.

2009-03-25 03:14 . 2009-03-25 03:14 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-03-25 03:14 . 2009-03-25 03:14 206 --a------ c:\windows\system32\MRT.INI
2009-03-25 03:01 . 2009-03-25 03:01 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-24 12:35 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-24 12:35 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-03-24 12:35 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-03-24 06:34 . 2009-03-24 06:34 <DIR> d-------- c:\windows\Sun
2009-03-24 06:33 . 2009-03-24 06:33 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-24 06:33 . 2009-03-24 06:33 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-24 06:32 . 2009-03-24 06:32 <DIR> d-------- c:\program files\Java
2009-03-19 13:44 . 2009-03-19 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-03-18 11:11 . 2009-03-18 11:11 95 --a------ c:\windows\wininit.ini
2009-03-14 16:58 . 2009-03-14 16:59 <DIR> d-------- c:\program files\iTunes
2009-03-14 16:58 . 2009-03-14 16:58 <DIR> d-------- c:\program files\iPod
2009-03-14 16:58 . 2009-03-14 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 16:54 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-11 12:22 . 2009-03-11 12:22 <DIR> d-------- c:\program files\Unlocker
2009-03-11 09:40 . 2009-03-11 09:40 <DIR> d-------- C:\VundoFix Backups
2009-03-10 16:10 . 2009-03-10 16:10 <DIR> d--h-c--- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-28 13:23 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-28 07:20 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-27 21:38 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-25 19:39 --------- d-----w c:\documents and settings\All Users\Application Data\1Click DVD Copy
2009-03-23 12:12 --------- d-----w c:\documents and settings\Administrator\Application Data\Vso
2009-03-18 14:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-18 11:33 5,811 --sha-w c:\windows\system32\vezudolo.dll
2009-03-18 11:33 5,811 --sha-w c:\windows\system32\vepijaje.dll
2009-03-18 11:33 5,811 --sha-w c:\windows\system32\ribuwagu.dll
2009-03-17 23:33 5,811 --sha-w c:\windows\system32\rokataje.dll
2009-03-17 23:33 5,811 --sha-w c:\windows\system32\jisideso.dll
2009-03-17 11:33 5,811 --sha-w c:\windows\system32\dibewori.dll
2009-03-17 11:33 5,811 --sha-w c:\windows\system32\deviyuso.dll
2009-03-17 11:33 5,811 --sha-w c:\windows\system32\bufupalo.dll
2009-03-16 23:33 5,811 --sha-w c:\windows\system32\munigibo.dll
2009-03-16 23:33 5,811 --sha-w c:\windows\system32\bugewama.dll
2009-03-16 23:33 5,811 --sha-w c:\windows\system32\bopufeto.dll
2009-03-16 11:33 5,811 --sha-w c:\windows\system32\pohelene.dll
2009-03-16 11:33 5,811 --sha-w c:\windows\system32\lewamehe.dll
2009-03-16 11:33 5,811 --sha-w c:\windows\system32\belekibe.dll
2009-03-15 23:33 5,811 --sha-w c:\windows\system32\vodareri.dll
2009-03-15 23:33 5,811 --sha-w c:\windows\system32\goluyako.dll
2009-03-15 23:33 5,811 --sha-w c:\windows\system32\dadukiva.dll
2009-03-15 11:32 5,811 --sha-w c:\windows\system32\sivakubo.dll
2009-03-15 11:32 5,811 --sha-w c:\windows\system32\lomobegi.dll
2009-03-15 11:32 5,811 --sha-w c:\windows\system32\gikurire.dll
2009-03-14 23:32 5,811 --sha-w c:\windows\system32\vojumaha.dll
2009-03-14 23:32 5,811 --sha-w c:\windows\system32\pufofoba.dll
2009-03-14 23:32 5,811 --sha-w c:\windows\system32\hudetola.dll
2009-03-14 20:58 --------- d-----w c:\program files\Common Files\Apple
2009-03-14 20:57 --------- d-----w c:\program files\QuickTime
2009-03-14 11:32 5,811 --sha-w c:\windows\system32\voketana.dll
2009-03-14 11:32 5,811 --sha-w c:\windows\system32\pogimoso.dll
2009-03-14 11:32 5,811 --sha-w c:\windows\system32\lizineka.dll
2009-03-13 23:32 5,811 --sha-w c:\windows\system32\raruwuze.dll
2009-03-13 23:32 5,811 --sha-w c:\windows\system32\moyuyoni.dll
2009-03-13 23:32 5,811 --sha-w c:\windows\system32\jamirito.dll
2009-03-13 11:32 5,811 --sha-w c:\windows\system32\morahove.dll
2009-03-13 11:32 5,811 --sha-w c:\windows\system32\lagolobi.dll
2009-03-13 11:32 5,811 --sha-w c:\windows\system32\girulala.dll
2009-03-12 23:32 5,811 --sha-w c:\windows\system32\sotedaza.dll
2009-03-12 23:32 5,811 --sha-w c:\windows\system32\mikowuto.dll
2009-03-12 23:32 5,811 --sha-w c:\windows\system32\dahadare.dll
2009-03-12 11:32 5,811 --sha-w c:\windows\system32\tedegeru.dll
2009-03-12 11:32 5,811 --sha-w c:\windows\system32\mahalemo.dll
2009-03-12 11:32 5,811 --sha-w c:\windows\system32\legidonu.dll
2009-03-11 23:32 5,811 --sha-w c:\windows\system32\nusufugi.dll
2009-03-11 23:32 5,811 --sha-w c:\windows\system32\juyarono.dll
2009-03-11 23:32 5,811 --sha-w c:\windows\system32\dotewawa.dll
2009-03-10 14:25 --------- d-----w c:\program files\Trend Micro
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 22:29 15,688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-03 22:28 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-27 10:57 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 15:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 15:42 --------- d-----w c:\program files\EnergyGauge
2009-02-26 15:42 --------- d-----w c:\program files\Common Files\Borland Shared
2009-02-23 15:22 --------- d-----w c:\program files\Dell
2009-02-23 14:46 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-21 14:06 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-02-17 23:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-17 22:22 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-17 22:22 --------- d-----w c:\program files\Lavasoft
2009-02-16 19:52 18,816 ----a-w c:\windows\system32\drivers\dvd43llh.sys
2009-02-16 19:52 --------- d-----w c:\program files\dvd43
2009-02-16 19:51 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-02-16 19:51 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2009-02-16 19:51 --------- d-----w c:\program files\LG Software Innovations
2009-02-14 15:43 --------- d-----w c:\program files\Safari
2009-02-12 12:53 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-11 17:01 --------- d-----w c:\program files\Google
2009-02-09 15:34 --------- d-----w c:\program files\AceBIT
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 21:27 --------- d-----w c:\documents and settings\Administrator\Application Data\BitTorrent
2009-01-30 09:07 --------- d-----w c:\program files\Simpson
2009-01-15 06:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 06:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 06:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 06:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 06:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 06:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 06:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 06:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 06:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 05:50 156,160 ----a-w c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-01-14 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-03 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-11 21:27 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 23:46 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2009-01-14 18:32 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 17:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2009-02-06 17:27 177472 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-01-20 08:20 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2008-11-17 19:50 827904 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 17:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2009-02-12 04:41 133104 c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 17:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-03-12 20:56 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-12-26 04:08 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-09-22 19:12 1398024 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2001-10-10 16:59 270336 c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-20 20:00 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmProxy.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\SfCtlCom.exe"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-17 64160]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-18 36368]
R3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2001-12-21 303232]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-02-18 333328]
S2 gupdate1c986bb8c656974;Google Update Service (gupdate1c986bb8c656974);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-02-12 52240]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2009-02-12 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-02-12 648456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\Launch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-03 18:28]

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 04:18]

2009-03-28 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 07:27]

2009-03-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1035525444-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 04:41]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 12:19:39
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1035525444-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1032)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-03-28 12:22:00
ComboFix-quarantined-files.txt 2009-03-28 16:21:00
ComboFix2.txt 2009-03-28 15:03:33
ComboFix3.txt 2009-03-24 06:39:17

Pre-Run: 191,962,365,952 bytes free
Post-Run: 191,949,856,768 bytes free

283 --- E O F --- 2009-03-25 07:17:06

#6 Grinler (Lawrence Abrams, Admin)

Posted 29 March 2009 - 10:50 AM

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the quote box below into Notepad:

Dirlook::
c:\windows\ie8
c:\documents and settings\Administrator\Application Data\Vso
c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

File::
c:\windows\system32\vezudolo.dll
c:\windows\system32\vepijaje.dll
c:\windows\system32\ribuwagu.dll
c:\windows\system32\rokataje.dll
c:\windows\system32\jisideso.dll
c:\windows\system32\dibewori.dll
c:\windows\system32\deviyuso.dll
c:\windows\system32\bufupalo.dll
c:\windows\system32\munigibo.dll
c:\windows\system32\bugewama.dll
c:\windows\system32\bopufeto.dll
c:\windows\system32\pohelene.dll
c:\windows\system32\lewamehe.dll
c:\windows\system32\belekibe.dll
c:\windows\system32\vodareri.dll
c:\windows\system32\goluyako.dll
c:\windows\system32\dadukiva.dll
c:\windows\system32\sivakubo.dll
c:\windows\system32\lomobegi.dll
c:\windows\system32\gikurire.dll
c:\windows\system32\vojumaha.dll
c:\windows\system32\pufofoba.dll
c:\windows\system32\hudetola.dll
c:\windows\system32\voketana.dll
c:\windows\system32\pogimoso.dll
c:\windows\system32\lizineka.dll
c:\windows\system32\raruwuze.dll
c:\windows\system32\moyuyoni.dll
c:\windows\system32\jamirito.dll
c:\windows\system32\morahove.dll
c:\windows\system32\lagolobi.dll
c:\windows\system32\girulala.dll
c:\windows\system32\sotedaza.dll
c:\windows\system32\mikowuto.dll
c:\windows\system32\dahadare.dll
c:\windows\system32\tedegeru.dll
c:\windows\system32\mahalemo.dll
c:\windows\system32\legidonu.dll
c:\windows\system32\nusufugi.dll
c:\windows\system32\juyarono.dll
c:\windows\system32\dotewawa.dll

Regnull::
[HKEY_USERS\S-1-5-21-1060284298-1035525444-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]

Reglock::
[HKEY_USERS\S-1-5-21-1060284298-1035525444-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]


Save this as the txt file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

#7 biggsy (Topic Starter)

Posted 29 March 2009 - 11:10 AM

Thanks again for the help. Here is the log.

ComboFix 09-03-28.06 - Administrator 2009-03-29 12:01:09.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2532 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\belekibe.dll
c:\windows\system32\bopufeto.dll
c:\windows\system32\bufupalo.dll
c:\windows\system32\bugewama.dll
c:\windows\system32\dadukiva.dll
c:\windows\system32\dahadare.dll
c:\windows\system32\deviyuso.dll
c:\windows\system32\dibewori.dll
c:\windows\system32\dotewawa.dll
c:\windows\system32\gikurire.dll
c:\windows\system32\girulala.dll
c:\windows\system32\goluyako.dll
c:\windows\system32\hudetola.dll
c:\windows\system32\jamirito.dll
c:\windows\system32\jisideso.dll
c:\windows\system32\juyarono.dll
c:\windows\system32\lagolobi.dll
c:\windows\system32\legidonu.dll
c:\windows\system32\lewamehe.dll
c:\windows\system32\lizineka.dll
c:\windows\system32\lomobegi.dll
c:\windows\system32\mahalemo.dll
c:\windows\system32\mikowuto.dll
c:\windows\system32\morahove.dll
c:\windows\system32\moyuyoni.dll
c:\windows\system32\munigibo.dll
c:\windows\system32\nusufugi.dll
c:\windows\system32\pogimoso.dll
c:\windows\system32\pohelene.dll
c:\windows\system32\pufofoba.dll
c:\windows\system32\raruwuze.dll
c:\windows\system32\ribuwagu.dll
c:\windows\system32\rokataje.dll
c:\windows\system32\sivakubo.dll
c:\windows\system32\sotedaza.dll
c:\windows\system32\tedegeru.dll
c:\windows\system32\vepijaje.dll
c:\windows\system32\vezudolo.dll
c:\windows\system32\vodareri.dll
c:\windows\system32\vojumaha.dll
c:\windows\system32\voketana.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\belekibe.dll
c:\windows\system32\bopufeto.dll
c:\windows\system32\bufupalo.dll
c:\windows\system32\bugewama.dll
c:\windows\system32\dadukiva.dll
c:\windows\system32\dahadare.dll
c:\windows\system32\deviyuso.dll
c:\windows\system32\dibewori.dll
c:\windows\system32\dotewawa.dll
c:\windows\system32\gikurire.dll
c:\windows\system32\girulala.dll
c:\windows\system32\goluyako.dll
c:\windows\system32\hudetola.dll
c:\windows\system32\jamirito.dll
c:\windows\system32\jisideso.dll
c:\windows\system32\juyarono.dll
c:\windows\system32\lagolobi.dll
c:\windows\system32\legidonu.dll
c:\windows\system32\lewamehe.dll
c:\windows\system32\lizineka.dll
c:\windows\system32\lomobegi.dll
c:\windows\system32\mahalemo.dll
c:\windows\system32\mikowuto.dll
c:\windows\system32\morahove.dll
c:\windows\system32\moyuyoni.dll
c:\windows\system32\munigibo.dll
c:\windows\system32\nusufugi.dll
c:\windows\system32\pogimoso.dll
c:\windows\system32\pohelene.dll
c:\windows\system32\pufofoba.dll
c:\windows\system32\raruwuze.dll
c:\windows\system32\ribuwagu.dll
c:\windows\system32\rokataje.dll
c:\windows\system32\sivakubo.dll
c:\windows\system32\sotedaza.dll
c:\windows\system32\tedegeru.dll
c:\windows\system32\vepijaje.dll
c:\windows\system32\vezudolo.dll
c:\windows\system32\vodareri.dll
c:\windows\system32\vojumaha.dll
c:\windows\system32\voketana.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-28 17:18 . 2009-03-28 17:18 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-28 17:18 . 2009-03-28 17:18 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-28 17:17 . 2009-03-28 17:18 <DIR> d-------- C:\73fe01d2a342fbdcb02f7b50
2009-03-28 17:17 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-03-28 17:17 . 2008-07-06 08:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-28 17:17 . 2008-07-06 06:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-28 17:17 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-03-28 17:17 . 2008-07-06 08:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-28 17:17 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-03-28 17:17 . 2008-07-06 08:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-25 03:14 . 2009-03-25 03:14 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-03-25 03:14 . 2009-03-25 03:14 206 --a------ c:\windows\system32\MRT.INI
2009-03-25 03:01 . 2009-03-25 03:01 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-24 12:35 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-24 12:35 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-03-24 12:35 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-03-24 06:34 . 2009-03-24 06:34 <DIR> d-------- c:\windows\Sun
2009-03-24 06:33 . 2009-03-24 06:33 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-24 06:33 . 2009-03-24 06:33 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-24 06:32 . 2009-03-24 06:32 <DIR> d-------- c:\program files\Java
2009-03-19 13:44 . 2009-03-19 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-03-18 11:11 . 2009-03-18 11:11 95 --a------ c:\windows\wininit.ini
2009-03-14 16:58 . 2009-03-14 16:59 <DIR> d-------- c:\program files\iTunes
2009-03-14 16:58 . 2009-03-14 16:58 <DIR> d-------- c:\program files\iPod
2009-03-14 16:58 . 2009-03-14 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 16:54 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-11 12:22 . 2009-03-11 12:22 <DIR> d-------- c:\program files\Unlocker
2009-03-11 09:40 . 2009-03-11 09:40 <DIR> d-------- C:\VundoFix Backups
2009-03-10 16:10 . 2009-03-10 16:10 <DIR> d--h-c--- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 14:24 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-29 13:09 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-28 20:01 --------- d-----w c:\documents and settings\All Users\Application Data\1Click DVD Copy
2009-03-27 21:38 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-23 12:12 --------- d-----w c:\documents and settings\Administrator\Application Data\Vso
2009-03-18 14:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-14 20:58 --------- d-----w c:\program files\Common Files\Apple
2009-03-14 20:57 --------- d-----w c:\program files\QuickTime
2009-03-10 14:25 --------- d-----w c:\program files\Trend Micro
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 22:29 15,688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-03 22:28 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-27 10:57 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 15:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 15:42 --------- d-----w c:\program files\EnergyGauge
2009-02-26 15:42 --------- d-----w c:\program files\Common Files\Borland Shared
2009-02-23 15:22 --------- d-----w c:\program files\Dell
2009-02-23 14:46 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-21 14:06 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-02-17 23:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-17 22:22 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-17 22:22 --------- d-----w c:\program files\Lavasoft
2009-02-16 19:52 18,816 ----a-w c:\windows\system32\drivers\dvd43llh.sys
2009-02-16 19:52 --------- d-----w c:\program files\dvd43
2009-02-16 19:51 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-02-16 19:51 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2009-02-16 19:51 --------- d-----w c:\program files\LG Software Innovations
2009-02-14 15:43 --------- d-----w c:\program files\Safari
2009-02-12 12:53 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-11 17:01 --------- d-----w c:\program files\Google
2009-02-09 15:34 --------- d-----w c:\program files\AceBIT
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 21:27 --------- d-----w c:\documents and settings\Administrator\Application Data\BitTorrent
2009-01-30 09:07 --------- d-----w c:\program files\Simpson
2009-01-15 06:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 06:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 06:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 06:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 06:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 06:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 06:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 06:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 06:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 05:50 156,160 ----a-w c:\windows\system32\msls31.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\Administrator\Application Data\Vso ----


---- Directory of c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800} ----

2009-02-17 18:27 497 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.dat
2009-02-17 18:22 9031 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.par
2009-02-17 18:22 90 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\instance.dat
2009-02-17 18:22 9 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.lan
2009-01-18 17:43 578782 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\mia.lib
2009-01-18 17:43 569856 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.msi
2009-01-18 17:43 5113482 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.res
2009-01-18 17:43 2892112 --a--c--- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}\Ad-AwareAE.exe

---- Directory of c:\windows\ie8 ----

2009-03-10 16:11 484548 --a--c--- c:\windows\ie8\spuninst\spuninst.inf
2009-03-10 16:11 114 --a--c--- c:\windows\ie8\ieaccess.inf
2009-03-10 16:10 81920 --a--c--- c:\windows\ie8\reg01276
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01299
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01295
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01294
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01293
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01292
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01291
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01290
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01289
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01288
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01287
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01286
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01285
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01283
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01282
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01281
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01279
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01278
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01277
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01275
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01274
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01272
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01271
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01269
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01268
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01267
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01266
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01265
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01264
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01263
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01260
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01259
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01257
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01256
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01255
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01254
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01253
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01252
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01250
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01248
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01246
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01243
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01241
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01240
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01239
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01237
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01236
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01235
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01234
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01233
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01232
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01230
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01229
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01227
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01225
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01223
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01222
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01221
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01220
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01218
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01217
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01216
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01215
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01213
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01212
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01211
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01210
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01209
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01208
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01206
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01205
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01204
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01203
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01202
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01201
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01200
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01199
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01197
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01196
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01194
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01192
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01191
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01190
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01189
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01188
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01187
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01185
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01183
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01182
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01180
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01179
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01178
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01177
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01176
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01174
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01172
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01171
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01170
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01168
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01166
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01163
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01162
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01161
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01160
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01158
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01157
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01155
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01154
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01153
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01150
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01149
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01148
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01147
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01146
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01145
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01144
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01143
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01142
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01141
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01140
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01139
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01138
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01134
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01133
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01132
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01130
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01129
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01128
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01126
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01125
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01124
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01123
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01122
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01121
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01120
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01119
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01118
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01117
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01116
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01115
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01114
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01112
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01111
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01110
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01109
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01108
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01107
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01106
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01105
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01104
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01102
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01101
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01100
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01098
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01096
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01095
2009-03-10 16:10 8192 --a--c--- c:\windows\ie8\reg01094
2009-03-10 16:10 8192 --a--c---

#8 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 29 March 2009 - 11:31 AM

Run combofix normally and post the resulting log.

#9 biggsy

biggsy
  • Topic Starter

  • Members
  • 12 posts

Posted 29 March 2009 - 11:59 AM

Here you go.

ComboFix 09-03-28.06 - Administrator 2009-03-29 12:34:33.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2590 [GMT -4:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Trend Micro Internet Security *On-access scanning disabled* (Updated)
FW: Trend Micro Personal Firewall *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-28 17:18 . 2009-03-28 17:18 <DIR> d-------- c:\windows\system32\XPSViewer
2009-03-28 17:18 . 2009-03-28 17:18 <DIR> d-------- c:\program files\Reference Assemblies
2009-03-28 17:17 . 2009-03-28 17:18 <DIR> d-------- C:\73fe01d2a342fbdcb02f7b50
2009-03-28 17:17 . 2008-07-06 08:06 1,676,288 --------- c:\windows\system32\xpssvcs.dll
2009-03-28 17:17 . 2008-07-06 08:06 1,676,288 -----c--- c:\windows\system32\dllcache\xpssvcs.dll
2009-03-28 17:17 . 2008-07-06 06:50 597,504 -----c--- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-03-28 17:17 . 2008-07-06 08:06 575,488 --------- c:\windows\system32\xpsshhdr.dll
2009-03-28 17:17 . 2008-07-06 08:06 575,488 -----c--- c:\windows\system32\dllcache\xpsshhdr.dll
2009-03-28 17:17 . 2008-07-06 08:06 117,760 --------- c:\windows\system32\prntvpt.dll
2009-03-28 17:17 . 2008-07-06 08:06 89,088 -----c--- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-03-25 03:14 . 2009-03-25 03:14 <DIR> d-------- c:\windows\system32\MpEngineStore
2009-03-25 03:14 . 2009-03-25 03:14 206 --a------ c:\windows\system32\MRT.INI
2009-03-25 03:01 . 2009-03-25 03:01 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-24 12:35 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-24 12:35 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-03-24 12:35 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-03-24 06:34 . 2009-03-24 06:34 <DIR> d-------- c:\windows\Sun
2009-03-24 06:33 . 2009-03-24 06:33 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-24 06:33 . 2009-03-24 06:33 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-24 06:32 . 2009-03-24 06:32 <DIR> d-------- c:\program files\Java
2009-03-19 13:44 . 2009-03-19 13:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2009-03-18 11:11 . 2009-03-18 11:11 95 --a------ c:\windows\wininit.ini
2009-03-14 16:58 . 2009-03-14 16:59 <DIR> d-------- c:\program files\iTunes
2009-03-14 16:58 . 2009-03-14 16:58 <DIR> d-------- c:\program files\iPod
2009-03-14 16:58 . 2009-03-14 16:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
2009-03-14 16:54 . 2009-03-05 23:59 1,900,544 --a------ c:\windows\system32\usbaaplrc.dll
2009-03-11 12:22 . 2009-03-11 12:22 <DIR> d-------- c:\program files\Unlocker
2009-03-11 09:40 . 2009-03-11 09:40 <DIR> d-------- C:\VundoFix Backups
2009-03-10 16:10 . 2009-03-10 16:10 <DIR> d--h-c--- c:\windows\ie8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 16:14 --------- d-----w c:\program files\Mozilla Thunderbird
2009-03-29 14:24 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-03-28 20:01 --------- d-----w c:\documents and settings\All Users\Application Data\1Click DVD Copy
2009-03-27 21:38 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-23 12:12 --------- d-----w c:\documents and settings\Administrator\Application Data\Vso
2009-03-18 14:49 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-14 20:58 --------- d-----w c:\program files\Common Files\Apple
2009-03-14 20:57 --------- d-----w c:\program files\QuickTime
2009-03-10 14:25 --------- d-----w c:\program files\Trend Micro
2009-03-06 03:59 36,864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 22:29 15,688 ----a-w c:\windows\system32\lsdelete.exe
2009-03-03 22:28 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys
2009-02-27 10:57 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-26 15:42 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-26 15:42 --------- d-----w c:\program files\EnergyGauge
2009-02-26 15:42 --------- d-----w c:\program files\Common Files\Borland Shared
2009-02-23 15:22 --------- d-----w c:\program files\Dell
2009-02-23 14:46 --------- d-----w c:\program files\Windows Media Connect 2
2009-02-21 14:06 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2009-02-17 23:07 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-02-17 22:28 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft
2009-02-17 22:22 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-02-17 22:22 --------- d-----w c:\program files\Lavasoft
2009-02-16 19:52 18,816 ----a-w c:\windows\system32\drivers\dvd43llh.sys
2009-02-16 19:52 --------- d-----w c:\program files\dvd43
2009-02-16 19:51 47,360 ----a-w c:\windows\system32\drivers\pcouffin.sys
2009-02-16 19:51 47,360 ----a-w c:\documents and settings\Administrator\Application Data\pcouffin.sys
2009-02-16 19:51 --------- d-----w c:\program files\LG Software Innovations
2009-02-14 15:43 --------- d-----w c:\program files\Safari
2009-02-12 12:53 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro
2009-02-11 17:01 --------- d-----w c:\program files\Google
2009-02-09 15:34 --------- d-----w c:\program files\AceBIT
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 21:27 --------- d-----w c:\documents and settings\Administrator\Application Data\BitTorrent
2009-01-30 09:07 --------- d-----w c:\program files\Simpson
2009-01-15 06:05 911,872 ----a-w c:\windows\system32\wininet.dll
2009-01-15 06:05 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-01-15 06:04 18,944 ----a-w c:\windows\system32\corpol.dll
2009-01-15 06:03 72,704 ----a-w c:\windows\system32\admparse.dll
2009-01-15 06:03 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-01-15 06:03 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-01-15 06:01 34,304 ----a-w c:\windows\system32\imgutil.dll
2009-01-15 06:00 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-01-15 06:00 45,568 ----a-w c:\windows\system32\mshta.exe
2009-01-15 05:50 156,160 ----a-w c:\windows\system32\msls31.dll
.

((((((((((((((((((((((((((((( SnapShot_2009-03-29_12.06.00.84 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-29 16:12:45 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6d8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2009-01-14 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-26 13680640]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-03 515416]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-24 148888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"nwiz"="nwiz.exe" [2008-12-26 c:\windows\system32\nwiz.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2009-01-11 21:27 10536 c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoCAD Startup Accelerator.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AutoCAD Startup Accelerator.lnk
backup=c:\windows\pss\AutoCAD Startup Accelerator.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2007-05-10 23:46 624248 c:\program files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2009-01-14 18:32 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe_ID0EYTHM]
--a------ 2007-03-20 17:40 1884160 c:\progra~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2009-02-06 17:27 177472 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent DNA]
--a------ 2009-01-20 08:20 342848 c:\program files\DNA\btdna.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 20:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2008-11-17 19:50 827904 c:\program files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 17:56 64512 c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2009-02-12 04:41 133104 c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
--a------ 2007-08-24 07:00 33648 c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2007-05-08 17:24 54840 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2009-03-12 20:56 342312 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-12-26 04:08 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UfSeAgnt.exe]
--a------ 2008-09-22 19:12 1398024 c:\program files\Trend Micro\Internet Security\UfSeAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
--a------ 2001-10-10 16:59 270336 c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
--a------ 2006-03-20 20:00 282624 c:\windows\stsystra.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS3\\Server\\bin\\VersionCueCS3.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\WINDOWS\\system32\\wbem\\wmiprvse.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\TmProxy.exe"=
"c:\\Program Files\\Google\\Update\\GoogleUpdate.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=
"c:\\Program Files\\Trend Micro\\Internet Security\\SfCtlCom.exe"=
"c:\\WINDOWS\\ehome\\ehrecvr.exe"=
"c:\\WINDOWS\\system32\\wbem\\unsecapp.exe"=
"c:\\WINDOWS\\system32\\dwwin.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3703:TCP"= 3703:TCP:Adobe Version Cue CS3 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS3 Server
"50900:TCP"= 50900:TCP:Adobe Version Cue CS3 Server
"50901:TCP"= 50901:TCP:Adobe Version Cue CS3 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-02-17 64160]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2008-02-18 36368]
R3 ati2mpad;ati2mpad;c:\windows\system32\drivers\ati2mpad.sys [2001-12-21 303232]
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [2008-02-18 333328]
S2 gupdate1c986bb8c656974;Google Update Service (gupdate1c986bb8c656974);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2009-02-12 52240]
S3 TmPfw;Trend Micro Personal Firewall;c:\progra~1\TRENDM~1\INTERN~1\TmPfw.exe [2009-02-12 488768]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2009-02-12 648456]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\Launch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-03-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-03 18:28]

2009-03-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 13:34]

2009-03-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 04:18]

2009-03-29 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-04 07:27]

2009-03-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1060284298-1035525444-725345543-500.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-12 04:41]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 12:37:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1060284298-1035525444-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2009-03-29 12:40:18
ComboFix-quarantined-files.txt 2009-03-29 16:40:02
ComboFix2.txt 2009-03-29 16:07:07
ComboFix3.txt 2009-03-28 16:22:01
ComboFix4.txt 2009-03-28 15:03:33
ComboFix5.txt 2009-03-29 16:34:10

Pre-Run: 190,867,357,696 bytes free
Post-Run: 190,853,189,632 bytes free

256 --- E O F --- 2009-03-25 07:17:06

#10 Grinler

Grinler

    Lawrence Abrams


  • Admin
  • 43,639 posts
  • Gender:Male
  • Location:USA

Posted 03 April 2009 - 11:51 AM

Looks clean. How does the computer feel to you?

Update Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search the list for all previously installed versions of Java (J2SE Runtime Environment...).

    It should have the following icon next to it: [image]
    Select it and click Remove.
  • The current version can be downloaded from Sun here: http://java.sun.com/javase/downloads/index.jsp Scroll down the page to 'Java Runtime Environment (JRE) 6 Update 13' and press the 'Download' button. On the new web page, click the 'Accept License Agreement' button. Then select 'Windows Offline Installation, Multi-language' in the Windows Platform area just below the Accept button.
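One way to see every Java runtime the machine still has registered before walking through Add/Remove Programs, added here as an example and not part of Lawrence's post or any tool on the page: it reads the same Uninstall registry data that Add/Remove Programs displays. The registry paths, the DisplayName patterns and the assumption that an older entry is one with a lower DisplayVersion are mine.

```powershell
# Added example, not from the forum post. Lists every installed Java runtime
# recorded under the Add/Remove Programs (Uninstall) registry keys so that
# stale versions can be identified before they are removed.
# Assumptions: the Uninstall key paths below and the DisplayName patterns.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    # Only present on 64-bit Windows; ignored silently on 32-bit XP.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Match the names Sun used for the JRE in this era (J2SE Runtime Environment,
# Java(TM) 6 Update N) without picking up unrelated products.
$javaInstalls = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'J2SE Runtime Environment|Java\(TM\)' } |
    Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString |
    Sort-Object DisplayVersion

# @() keeps .Count working on PowerShell 1.0/2.0 when only one entry matches.
$count = @($javaInstalls).Count

if ($count -eq 0) {
    Write-Host 'No Java runtime is registered in Add/Remove Programs.'
} else {
    $javaInstalls | Format-Table -AutoSize
    if ($count -gt 1) {
        # Every entry except the highest version is an old runtime that should go;
        # the UninstallString column shows exactly what Add/Remove Programs runs.
        Write-Warning ("{0} Java runtimes are installed; remove all but the newest." -f $count)
    }
}
```

Run it from a PowerShell prompt on the affected machine; the table it prints is the list the post asks you to work through, and the UninstallString column is the command Add/Remove Programs invokes for each entry, so nothing here changes the system on its own.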