Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Register a free account to unlock additional features at BleepingComputer.com

Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Latest News: Are WiFi Network Names Protected by the First Amendment?

Featured Deal: Get 96% off the MCSA SQL Server Training Deal

Cannot run some EXE Files

Started by carpediem79 , Apr 03 2009 09:10 AM

This topic is locked

2 replies to this topic

#1 carpediem79

Members
2 posts
OFFLINE

Local time:08:46 PM

Posted 03 April 2009 - 09:10 AM

I am not sure what I missed, but I had a rundll32.exe file in my system32 folder which was associating with a bunch of stuff and spreading. I cleaned it up, but now when I try to open a screen like for Windows Firewall, it says that Due to an unidentified problem, windows cannot display the windows firewall settings.

I got this from ComboFix. I can also post a HijackThis log if needed.

Thanks in advance all.

ComboFix 09-04-01.01 - pprintz 2009-04-02 14:26:58.1 - NTFSx86
Microsoft® Windows Vista™ Enterprise 6.0.6001.1.1252.1.1033.18.2045.1265 [GMT -4:00]
Running from: c:\users\pprintz\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
c:\users\pprintz\AppData\Local\Temp\install_flash_player.exe
c:\windows\system32\SOCKETX.DLL
c:\windows\system32\SOCKETX.OCX

----- BITS: Possible infected sites -----

hxxp://zeno
.
((((((((((((((((((((((((( Files Created from 2009-03-02 to 2009-04-02 )))))))))))))))))))))))))))))))
.

2009-04-02 14:03 . 2009-04-02 14:04 <DIR> d-------- C:\32788R22FWJFW.0.tmp
2009-04-02 07:16 . 2009-04-02 07:16 <DIR> d-------- c:\program files\Trend Micro
2009-04-01 14:04 . 2009-04-01 14:04 <DIR> d-------- c:\program files\Unlocker
2009-03-18 07:04 . 2009-04-02 07:35 <DIR> d-------- c:\users\pprintz\Tracing
2009-03-18 07:03 . 2009-03-18 07:03 <DIR> d-------- c:\program files\Microsoft Sync Framework
2009-03-18 07:02 . 2009-03-18 07:02 <DIR> d-------- c:\program files\Microsoft
2009-03-18 07:01 . 2009-03-18 07:01 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-18 06:57 . 2009-03-18 06:57 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-16 07:50 . 2009-03-31 08:37 <DIR> d-------- c:\users\pprintz\AppData\Roaming\gtk-2.0
2009-03-06 11:55 . 2009-03-06 11:55 64,160 --a------ c:\windows\System32\drivers\Lbd.sys
2009-03-06 11:54 . 2009-03-06 11:54 <DIR> d--h-c--- c:\users\All Users\{83C91755-2546-441D-AC40-9A6B4B860800}
2009-03-06 11:54 . 2009-03-06 11:54 <DIR> d-------- c:\program files\Lavasoft
2009-03-04 15:53 . 2009-03-04 15:53 <DIR> d-------- c:\program files\Microsoft Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-02 16:10 --------- d-----w c:\program files\Armagetron Advanced
2009-03-26 15:24 --------- d-----w c:\users\pprintz\AppData\Roaming\NetSight
2009-03-25 18:06 --------- d-----w c:\users\pprintz\AppData\Roaming\VMware
2009-03-20 20:09 --------- d-----w c:\program files\Microsoft Silverlight
2009-03-18 11:03 --------- d-----w c:\program files\Windows Live Toolbar
2009-03-18 11:03 --------- d-----w c:\program files\Windows Live
2009-03-12 12:22 --------- d-----w c:\users\pprintz\AppData\Roaming\Wireshark
2009-03-12 11:40 --------- d-----w c:\program files\WinPcap
2009-02-18 20:03 --------- d-----w c:\program files\Google
2009-02-18 12:00 --------- d-----w c:\users\pprintz\AppData\Roaming\EVEMon
2009-02-17 18:21 --------- d-----w c:\program files\EVEMon
2009-02-06 22:52 49,504 ----a-w c:\windows\System32\sirenacm.dll
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2008-07-08 14:45 23 ----a-w c:\users\pprintz\jagex_runescape_preferences.dat
2008-03-19 15:40 174 --sha-w c:\program files\desktop.ini
2008-06-02 14:44 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-18 1233920]
"googletalk"="c:\users\pprintz\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Update"="c:\users\pprintz\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2008-04-27 548528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2008-03-14 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-01-24 111952]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"PWRESET"="c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe" [2008-01-18 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-09-16 144792]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-08-16 236016]
"UVS11 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe" [2007-03-03 341488]
"vmware-tray"="c:\program files\VMware\VMware Workstation\vmware-tray.exe" [2008-09-18 84528]
"NGTray"="c:\program files\Symantec\Ghost\ngtray.exe" [2008-09-05 218504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-06 515416]

c:\users\pprintz\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoThumbnail"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"TaskbarNoNotification"= 0 (0x0)
"HideSCABattery"= 0 (0x0)
"HideSCANetwork"= 0 (0x0)
"HideSCAVolume"= 0 (0x0)
"NoWelcomeScreen"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"ForceClassicControlPanel"= 1 (0x1)
"DisablePersonalDirChange"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=labelhd.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-10796\Scripts\Logon\0\0]
"Script"=startkix.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-16964\Scripts\Logon\0\0]
"Script"=startkix.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-16965\Scripts\Logon\0\0]
"Script"=startkix.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-1705\Scripts\Logon\0\0]
"Script"=startkix.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-17133\Scripts\Logon\0\0]
"Script"=startkix.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-18901\Scripts\Logon\0\0]
"Script"=startkix.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-18902\Scripts\Logon\0\0]
"Script"=startkix.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2145910891-533790987-495535119-500\Scripts\Logon\0\0]
"Script"=startkix.cmd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{1F7FB48D-2D60-4130-BE83-133289AF9D09}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{7E773ADA-F37C-4E07-83CA-DAD0EC802B16}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{3E6F9767-B135-4D41-988F-4CBC815FE72C}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{8584B37C-803D-47BD-A6CA-C9059A4D3C06}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3D89B62C-4E98-4178-B422-CF7760371CED}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{06EA66E1-80A6-4C36-85FD-5747C5A466C9}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{B491D5A6-B796-4279-90C4-D8506C0513E4}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{BA444EE4-30D6-4E10-BB16-85861E746557}"= UDP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{63FCFC06-7589-4444-8AD0-47159077648A}"= TCP:c:\program files\McAfee\Common Framework\FrameworkService.exe:McAfee Framework Service
"{7897F2C8-72FC-4C64-9F6B-6DF3413D1F69}"= UDP:c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe:PowerChute Business Edition Server
"{6650BFE1-8A63-434F-8FA8-DA764FB5C33E}"= TCP:c:\program files\APC\PowerChute Business Edition\server\pbeserver.exe:PowerChute Business Edition Server
"{EBC59C01-DC79-47E2-8EAA-9901A36A90AA}"= UDP:c:\program files\APC\PowerChute Business Edition\agent\pbeagent.exe:PowerChute Business Edition Agent
"{5040A1A8-8B03-46A1-A56A-27DC91944BE2}"= TCP:c:\program files\APC\PowerChute Business Edition\agent\pbeagent.exe:PowerChute Business Edition Agent
"{228484A3-4FAC-4780-8A6E-3E6526C262C8}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{BB65A6D2-D246-4FAA-BD04-C9D03DD2A067}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3096A3D2-510B-48E3-8E34-B19B1B072CB5}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{8BB185E3-CDA6-485A-916E-759C66A91017}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{3108DC41-F455-4C1C-AFFF-EAA104BD0081}"= UDP:c:\program files\VMware\VMware Workstation\vmware-authd.exe:VMware Authd
"{D4AF6AE9-40C9-4AC8-8CA3-4D505285C4D5}"= TCP:c:\program files\VMware\VMware Workstation\vmware-authd.exe:VMware Authd
"{FE537681-059F-4B35-90B2-199A74267FBD}"= UDP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{4D874742-BF2E-4F2B-9940-B044D82B8158}"= TCP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{852BC12C-6647-4E1A-AAF4-BB97773F24CF}"= UDP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{2A0B1B56-8423-4119-8318-5C07913FEE4E}"= TCP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{98F569DA-6ABF-443A-8F3E-939B27788B1C}"= UDP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{238F44EE-3236-4B18-8594-9ED13F88D9C7}"= TCP:c:\program files\Symantec\Ghost\ngctw32.exe:Symantec Ghost Client Agent
"{354E7627-2C2E-4F67-A9F4-81C58D37D75D}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{13E1387E-272C-4539-AC32-3CD3CD27D310}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{BF799D51-8A4A-4196-A94D-F34EACB06E6F}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{44630401-A601-41A5-B610-105D462BB5E3}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{62708AA2-A8EC-4306-80C5-C1D04BBA5AAF}"= UDP:5900:vnc5900
"{2280E9D5-4C44-4EC3-B72D-5172BDED897E}"= UDP:5800:vnc5800
"{93ED4409-8C29-4D1F-A636-3C30F2DD4E72}"= UDP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe
"{9099043B-9172-4434-AA67-C0692267C15B}"= TCP:c:\program files\UltraVNC\vncviewer.exe:vncviewer.exe

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [2009-03-06 64160]
R2 APCPBEAgent;APC PBE Agent;c:\progra~1\APC\POWERC~1\agent\pbeagent.exe [2008-05-07 34048]
R2 APCPBEServer;APC PBE Server;c:\progra~1\APC\POWERC~1\server\PBESER~1.EXE [2008-05-07 45134]
R2 HFGService;Handsfree Headset Service;c:\windows\system32\svchost.exe -k bthaudiosvc [2008-03-19 21504]
R2 NGCLIENT;Symantec Ghost Client Agent;c:\program files\Symantec\Ghost\ngctw32.exe [2008-09-05 673160]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 vmci;VMware vmci;c:\windows\System32\drivers\vmci.sys [2008-09-18 54960]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-18 951632]
S3 BthAudioHF;BthAudioHF Service;c:\windows\System32\drivers\BthAudioHF.sys [2007-08-14 30208]
S3 bthav;Bluetooth AV Profile;c:\windows\System32\drivers\bthav.sys [2007-08-14 33792]
S3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\System32\drivers\BthAvrcp.sys [2007-08-24 15872]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [2007-11-06 34064]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthaudiosvc REG_MULTI_SZ HFGService
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2f330ce0-2729-11dd-86ca-001583f0cc1b}]
\shell\AutoRun\command - E:\CA_EdgeLitemobile.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{561410f6-9493-11dc-af3b-806e6f6e6963}]
\shell\AutoRun\command - D:\setup.exe
.
Contents of the 'Scheduled Tasks' folder

2009-03-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-06 11:55]

2009-04-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2145910891-533790987-495535119-16964.job
- c:\users\pprintz\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-03 08:39]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.qcc.mass.edu/qcchome
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
Trusted Zone: mass.edu\*.qcc
Trusted Zone: qcc.edu\*.campus
Trusted Zone: qcc.edu\www
TCP: {2820A8CD-C8F9-4677-A28D-76CE99A48BD9} = 10.0.0.100,10.0.0.101
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-02 14:30:40
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(680)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-04-02 14:33:19
ComboFix-quarantined-files.txt 2009-04-02 18:33:17

Pre-Run: 137,477,476,352 bytes free
Post-Run: 137,810,526,208 bytes free

216 --- E O F --- 2009-02-26 09:02:18

Back to top

BC AdBot (Login to Remove)

BleepingComputer.com
Register to remove ads

#2 Orange Blossom

OBleepin Investigator

Moderator
36,805 posts
OFFLINE

Gender:Not Telling
Location:Bloomington, IN
Local time:08:46 PM

Posted 11 April 2009 - 04:29 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
- DDS.scr
- DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.

Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet. You can find information on A/V control HERE

Orange Blossom :thumbup2: