I am not sure what I missed, but I had a rundll32.exe file in my system32 folder which was associating with a bunch of stuff and spreading. I cleaned it up, but now when I try to open a screen like the one for Windows Firewall, it says: "Due to an unidentified problem, Windows cannot display the Windows Firewall settings."
I got this from ComboFix. I can also post a HijackThis log if needed.
Thanks in advance all.
ComboFix 09-04-01.01 - pprintz 2009-04-02 14:26:58.1 - NTFSx86
Microsoft® Windows Vista™ Enterprise 6.0.6001.1.1252.1.1033.18.2045.1265 [GMT -4:00]
Running from: c:\users\pprintz\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\install.exe
c:\users\pprintz\AppData\Local\Temp\install_flash_player.exe
c:\windows\system32\SOCKETX.DLL
c:\windows\system32\SOCKETX.OCX
----- BITS: Possible infected sites -----
hxxp://zeno
.
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.
2009-04-02 14:03 . 2009-04-02 14:04 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-04-02 07:16 . 2009-04-02 07:16 <DIR> d-------- c:\program files\Trend Micro
2009-04-01 14:04 . 2009-04-01 14:04 <DIR> d-------- c:\program files\Unlocker
2009-03-18 07:04 . 2009-04-02 07:35 <DIR> d-------- c:\users\pprintz\Tracing
2009-03-18 07:03 . 2009-03-18 07:03 <DIR> d-------- c:\program files\Microsoft Sync Framework
2009-03-18 07:02 . 2009-03-18 07:02 <DIR> d-------- c:\program files\Microsoft
2009-03-18 07:01 . 2009-03-18 07:01 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-18 06:57 . 2009-03-18 06:57 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-16 07:50 . 2009-03-31 08:37 <DIR> d-------- c:\users\pprintz\AppData\Roaming\gtk-2.0
2009-03-06 11:55 . 2009-03-06 11:55 64,160 --a------ c:\windows\System32\drivers\Lbd.sys
2009-03-06 11:54 . 2009-03-06 11:54 <DIR> d--h-c--- c:\users\All Users\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-06 11:54 . 2009-03-06 11:54 <DIR> d-------- c:\program files\Lavasoft
2009-03-04 15:53 . 2009-03-04 15:53 <DIR> d-------- c:\program files\Microsoft Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 16:10 --------- d-----w c:\program files\Armagetron Advanced
2009-03-26 15:24 --------- d-----w c:\users\pprintz\AppData\Roaming\NetSight
2009-03-25 18:06 --------- d-----w c:\users\pprintz\AppData\Roaming\VMware
2009-03-20 20:09 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-18 11:03 --------- d-----w c:\program files\Windows Live Toolbar
2009-03-18 11:03 --------- d-----w c:\program files\Windows Live
2009-03-12 12:22 --------- d-----w c:\users\pprintz\AppData\Roaming\Wireshark
2009-03-12 11:40 --------- d-----w c:\program files\WinPcap
2009-02-18 20:03 --------- d-----w c:\program files\Google
2009-02-18 12:00 --------- d-----w c:\users\pprintz\AppData\Roaming\EVEMon
2009-02-17 18:21 --------- d-----w c:\program files\EVEMon
2009-02-06 22:52 49,504 ----a-w c:\windows\System32\sirenacm.dll
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-07-08 14:45 23 ----a-w c:\users\pprintz\jagex_runescape_preferences.dat
2008-03-19 15:40 174 --sha-w c:\program files\desktop.ini
2008-06-02 14:44 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"googletalk"="c:\users\pprintz\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Update"="c:\users\pprintz\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2008-04-27 548528]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"PWRESET"="c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe" [2008-01-18 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-16 144792]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-09-18 84528]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2008-09-05 218504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-06 515416]
c:\users\pprintz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoThumbnail"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCABattery"= 0 (0x0)
"HideSCANetwork"= 0 (0x0)
"HideSCAVolume"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=labelhd.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-10796\Scripts\Logon\0\0]
"Script"=startkix.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-16964\Scripts\Logon\0\0]
"Script"=startkix.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-16965\Scripts\Logon\0\0]
"Script"=startkix.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-1705\Scripts\Logon\0\0]
"Script"=startkix.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-17133\Scripts\Logon\0\0]
"Script"=startkix.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-18901\Scripts\Logon\0\0]
"Script"=startkix.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-18902\Scripts\Logon\0\0]
"Script"=startkix.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-500\Scripts\Logon\0\0]
"Script"=startkix.cmd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1F7FB48D-2D60-4130-BE83-133289AF9D09}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{7E773ADA-F37C-4E07-83CA-DAD0EC802B16}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{3E6F9767-B135-4D41-988F-4CBC815FE72C}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{8584B37C-803D-47BD-A6CA-C9059A4D3C06}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3D89B62C-4E98-4178-B422-CF7760371CED}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{06EA66E1-80A6-4C36-85FD-5747C5A466C9}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B491D5A6-B796-4279-90C4-D8506C0513E4}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BA444EE4-30D6-4E10-BB16-85861E746557}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{63FCFC06-7589-4444-8AD0-47159077648A}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{7897F2C8-72FC-4C64-9F6B-6DF3413D1F69}"= UDP:c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe:PowerChute Business Edition Server
"{6650BFE1-8A63-434F-8FA8-DA764FB5C33E}"= TCP:c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe:PowerChute Business Edition Server
"{EBC59C01-DC79-47E2-8EAA-9901A36A90AA}"= UDP:c:\program files\APC\PowerChute Business Edition\agent\pbeagent.exe:PowerChute Business Edition Agent
"{5040A1A8-8B03-46A1-A56A-27DC91944BE2}"= TCP:c:\program files\APC\PowerChute Business Edition\agent\pbeagent.exe:PowerChute Business Edition Agent
"{228484A3-4FAC-4780-8A6E-3E6526C262C8}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BB65A6D2-D246-4FAA-BD04-C9D03DD2A067}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3096A3D2-510B-48E3-8E34-B19B1B072CB5}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{8BB185E3-CDA6-485A-916E-759C66A91017}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{3108DC41-F455-4C1C-AFFF-EAA104BD0081}"= UDP:c:\program files\VMware\VMware Workstation\vmware-authd.exe:VMware Authd
"{D4AF6AE9-40C9-4AC8-8CA3-4D505285C4D5}"= TCP:c:\program files\VMware\VMware Workstation\vmware-authd.exe:VMware Authd
"{FE537681-059F-4B35-90B2-199A74267FBD}"= UDP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{4D874742-BF2E-4F2B-9940-B044D82B8158}"= TCP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{852BC12C-6647-4E1A-AAF4-BB97773F24CF}"= UDP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{2A0B1B56-8423-4119-8318-5C07913FEE4E}"= TCP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{98F569DA-6ABF-443A-8F3E-939B27788B1C}"= UDP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{238F44EE-3236-4B18-8594-9ED13F88D9C7}"= TCP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{354E7627-2C2E-4F67-A9F4-81C58D37D75D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{13E1387E-272C-4539-AC32-3CD3CD27D310}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BF799D51-8A4A-4196-A94D-F34EACB06E6F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{44630401-A601-41A5-B610-105D462BB5E3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{62708AA2-A8EC-4306-80C5-C1D04BBA5AAF}"= UDP:5900:vnc5900
"{2280E9D5-4C44-4EC3-B72D-5172BDED897E}"= UDP:5800:vnc5800
"{93ED4409-8C29-4D1F-A636-3C30F2DD4E72}"= UDP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
"{9099043B-9172-4434-AA67-C0692267C15B}"= TCP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-03-06 64160]
R2 APCPBEAgent;APC PBE Agent;c:\progra~1\APC\POWERC~1\agent\pbeagent.exe [2008-05-07 34048]
R2 APCPBEServer;APC PBE Server;c:\progra~1\APC\POWERC~1\server\PBESER~1.EXE [2008-05-07 45134]
R2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe -k bthaudiosvc [2008-03-19 21504]
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [2008-09-05 673160]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 vmci;VMware vmci;c:\windows\System32\drivers\vmci.sys [2008-09-18 54960]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S3 BthAudioHF;BthAudioHF Service;c:\windows\System32\drivers\BthAudioHF.sys [2007-08-14 30208]
S3 bthav;Bluetooth AV Profile;c:\windows\System32\drivers\bthav.sys [2007-08-14 33792]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\System32\drivers\BthAvrcp.sys [2007-08-24 15872]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [2007-11-06 34064]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthaudiosvc REG_MULTI_SZ HFGService
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f330ce0-2729-11dd-86ca-001583f0cc1b}]
\shell\AutoRun\command - E:\CA_EdgeLitemobile.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561410f6-9493-11dc-af3b-806e6f6e6963}]
\shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-06 11:55]
2009-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2145910891-533790987-495535119-16964.job
- c:\users\pprintz\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 08:39]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-Aim6 - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.qcc.mass.edu/qcchome
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: mass.edu\*.qcc
Trusted Zone: qcc.edu\*.campus
Trusted Zone: qcc.edu\www
TCP: {2820A8CD-C8F9-4677-A28D-76CE99A48BD9} = 10.0.0.100,10.0.0.101
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.
**************************************************************************
catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 14:30:40
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(680)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-04-02 14:33:19
ComboFix-quarantined-files.txt 2009-04-02 18:33:17
Pre-Run: 137,477,476,352 bytes free
Post-Run: 137,810,526,208 bytes free
216 --- E O F --- 2009-02-26 09:02:18