
WinAV.exe bug fixed with Combofix


  • This topic is locked
1 reply to this topic

#1 missie82

missie82

  • Members
  • 1 posts
  • OFFLINE
  • Local time:03:56 PM

Posted 04 June 2009 - 01:09 PM

Well, I'm not really sure what happened. I knew my virus protection was expired so I went out and bought Norton 360 about 4 months ago, and my computer had been working great. Then about a week ago I started getting messages that kept popping up saying I had no virus protection and that I needed to purchase WinPC Antivirus for like $99 to activate it. If I clicked "no thanks" or "remind me later" another screen came up showing that it was scanning my computer and said it found 24 potential threats and "Microsoft highly recommends activating WinPC Antivirus." If I closed everything it just popped up again a few minutes later. I also noticed that an icon for WinPC Antivirus kept showing up on my desktop even though I had deleted it many times, and it was never there before. And it was making my Norton 360 not work properly. If I clicked on my Norton it just plain didn't open sometimes, and I had to restart my computer to make sure it was working. AND when I was on the internet, every 4 or 5 screens I would get redirected to a screen that had this message:


Insecure Internet activity. Threat of virus attack
Due to insecure Internet browsing your PC can easily get infected with viruses, worms and trojans without your knowledge, and that can lead to system slowdown, freezes and crashes.
Also insecure Internet activity can result in revealing your personal information.
To get full advanced real-time protection for PC and Internet activity, activate WinPC Antivirus.
We recommend you to protect your PC now and continue safe Internet browsing.
Click here to get full advanced real-time protection and continue browsing.
Continue to this website unprotected (not recommended).


It was so incredibly annoying that I was about to punch my hard drive, ha ha. I obviously didn't want to buy anything because I had virus protection already, even though it wasn't working. It's weird though because it really looked legit, like it was really Microsoft. You can usually tell if it's a virus or adware, but this seemed completely trustworthy (logos, copyrights, privacy statements, etc. etc.). I tried downloading Ad-Aware, but it didn't do anything either. I have an external hard drive, so I was seriously considering just putting all of my pictures, music, and important documents on there and just nuking the thing and starting over! I'm sure I must have downloaded something along with some music or movie I was downloading.

Then my friend, who works with these kinds of things for a living, said he had seen this before and suggested I download Combofix. I did earlier this morning, ran it, and voila! No more annoying WinAV!! I'm so ecstatic, you have no idea. I highly recommend it to everyone.

In the directions though it asked me to post online the Log that was created even if the problem seemed to be fixed, so I am posting the log below. If I am supposed to do this somewhere else, please tell me.

Thank you!!
Melissa


ComboFix 09-06-03.04 - Missy 06/04/2009 11:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1270.657 [GMT -5:00]
Running from: c:\documents and settings\Missy\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\setup.exe
c:\windows\ieocx.dll
c:\windows\system32\drivers\fad.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\lowsec
c:\windows\system32\lowsec\local.ds
c:\windows\system32\lowsec\user.ds
c:\windows\system32\mdm.exe
c:\windows\system32\tccpwyg.dll
c:\windows\Tasks\At1.job

----- BITS: Possible infected sites -----

hxxp://downloadsoftwareserver.com
Infected copy of c:\windows\system32\sfcfiles.dll was found and disinfected
Restored copy from - c:\i386\SFCFILES.DLL

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DXKTNTWU
-------\Legacy_SFC
-------\Service_dxktntwu
-------\Service_sfc


((((((((((((((((((((((((( Files Created from 2009-05-04 to 2009-06-04 )))))))))))))))))))))))))))))))
.

2009-06-04 06:03 . 2009-06-04 06:03 1685856 ----a-w- c:\documents and settings\Missy\Application Data\Move Networks\MoveMediaPlayerWin_071500000347.exe
2009-06-04 04:35 . 2009-06-04 04:35 -------- dc----w- c:\program files\iPod
2009-06-04 04:29 . 2009-06-04 04:30 -------- dc----w- c:\program files\QuickTime
2009-06-04 04:17 . 2009-06-04 04:17 75048 -c--a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-04 02:20 . 2009-06-04 02:20 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\vfkoacqa
2009-06-04 02:20 . 2009-06-04 02:20 -------- d-----w- c:\documents and settings\Missy\Application Data\vfkoacqa
2009-06-04 01:10 . 2009-06-04 01:10 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\vfkoacqa
2009-06-04 01:10 . 2009-06-04 01:10 -------- d-----w- c:\documents and settings\NetworkService\Application Data\vfkoacqa
2009-06-04 00:51 . 2009-03-09 19:06 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-06-04 00:33 . 2009-03-09 19:06 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-06-04 00:31 . 2009-06-04 00:31 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-04 00:31 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-06-04 00:31 . 2009-06-04 00:33 -------- dc----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-04 00:31 . 2009-06-04 00:31 -------- dc----w- c:\program files\Lavasoft
2009-06-01 07:03 . 2009-06-01 07:03 -------- d-----w- c:\documents and settings\Missy\Local Settings\Application Data\Symantec
2009-05-29 21:40 . 2009-05-29 21:40 4257280 ----a-w- c:\documents and settings\Missy\Application Data\winav.exe
2009-05-07 22:13 . 2009-06-04 16:12 -------- dc----w- c:\program files\iTunes
2009-05-07 22:13 . 2009-05-07 22:13 -------- dc----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-04 16:54 . 2008-12-18 17:13 -------- dc----w- c:\program files\Common Files\Symantec Shared
2009-06-04 15:57 . 2009-04-15 23:10 -------- d-----w- c:\documents and settings\Missy\Application Data\LimeWire
2009-06-04 06:03 . 2007-04-27 17:13 -------- d--h--w- c:\documents and settings\Missy\Application Data\Move Networks
2009-06-04 04:35 . 2007-08-02 05:36 -------- dc----w- c:\program files\Common Files\Apple
2009-06-04 04:10 . 2008-03-20 03:46 -------- dc----w- c:\program files\Safari
2009-06-04 03:48 . 2009-04-09 01:36 -------- d-----w- c:\documents and settings\Missy\Application Data\advantage
2009-06-04 00:42 . 2008-12-16 23:53 -------- dc----w- c:\documents and settings\All Users\Application Data\302613999
2009-06-03 23:00 . 2008-12-18 17:12 -------- dc----w- c:\program files\Norton Security Scan
2009-05-31 20:41 . 2006-02-28 20:10 -------- dc----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-05-14 15:26 . 2009-04-09 05:52 0 -c--a-w- c:\windows\Crerivoqu.bin
2009-04-28 15:29 . 2008-12-15 15:41 -------- d-----w- c:\documents and settings\Missy\Application Data\uTorrent
2009-04-23 13:30 . 2009-04-23 13:30 152576 ----a-w- c:\documents and settings\Missy\Application Data\Sun\Java\jre1.6.0_11\lzma.dll
2009-04-22 03:57 . 2009-04-22 03:57 34062 ----a-w- c:\documents and settings\Missy\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-22 03:57 . 2009-04-22 03:57 1047072 ----a-w- c:\documents and settings\Missy\Application Data\Move Networks\MoveMediaPlayer_071303000006.exe
2009-04-19 03:20 . 2009-04-09 21:22 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2009-04-16 13:38 . 2009-04-09 05:52 408 -c--a-w- c:\windows\Xpozetunuxafuja.dat
2009-04-15 23:48 . 2007-10-22 18:57 -------- dc----w- c:\program files\Ares P2P
2009-04-15 22:59 . 2009-04-15 22:58 -------- dc----w- c:\program files\LimeWire
2009-04-15 02:27 . 2005-07-24 19:22 103776 ----a-w- c:\documents and settings\Missy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-14 22:34 . 2004-11-12 21:42 -------- dc----w- c:\program files\Common Files\InstallShield
2009-04-14 22:33 . 2004-11-12 21:42 -------- dc-h--w- c:\program files\InstallShield Installation Information
2009-04-14 22:28 . 2007-01-09 02:32 -------- dc----w- c:\program files\Pinnacle
2009-04-14 22:24 . 2005-07-25 04:04 -------- dc----w- c:\program files\The Print Shop 20
2009-04-14 22:12 . 2009-03-18 23:00 -------- dc----w- c:\program files\Bonjour
2009-04-13 17:19 . 2009-04-09 21:30 -------- d-----w- c:\documents and settings\Missy\Application Data\Symantec
2009-04-10 04:57 . 2009-04-09 21:25 -------- dc----w- c:\program files\Norton 360
2009-04-10 04:30 . 2005-08-10 02:28 -------- dc----w- c:\program files\Ares
2009-04-10 04:26 . 2009-04-09 21:22 -------- dc----w- c:\program files\Symantec
2009-04-10 04:26 . 2009-04-09 21:23 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-04-10 04:26 . 2009-04-09 21:23 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-04-10 04:26 . 2009-04-09 21:23 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-10 04:26 . 2009-04-09 21:23 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-09 21:26 . 2009-04-09 21:26 -------- dc----w- c:\program files\Windows Sidebar
2009-04-09 21:02 . 2005-07-24 18:45 -------- d-----w- c:\documents and settings\Missy\Application Data\AVG7
2009-04-09 21:02 . 2005-07-24 18:45 -------- dc----w- c:\documents and settings\All Users\Application Data\avg7
2009-04-09 01:36 . 2009-04-09 01:36 204208 ----a-w- c:\documents and settings\Missy\Application Data\advantage\AdVantage.exe
2009-04-09 01:32 . 2009-04-09 01:32 -------- d-----w- c:\documents and settings\Missy\Application Data\Skype
2009-04-01 03:46 . 2008-02-24 02:07 9584 -c--a-w- c:\documents and settings\All Users\Application Data\Symantec\LiveUpdate\LuRegManifests\Static\NCO20.dll
2009-03-19 21:32 . 2009-03-19 21:32 23400 -c--a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 21:32 . 2008-01-29 17:01 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-09 17:29 . 2009-03-09 17:29 97144 ----a-w- c:\documents and settings\Missy\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-03-09 17:29 . 2009-03-09 17:29 1010552 ----a-w- c:\documents and settings\Missy\Application Data\Move Networks\ie_bin\qsp2ie071303000006.dll
1998-12-09 02:53 . 1998-12-09 02:53 99840 -c--a-w- c:\program files\Common Files\IRAABOUT.DLL
1998-12-09 02:53 . 1998-12-09 02:53 70144 -c--a-w- c:\program files\Common Files\IRAMDMTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 48640 -c--a-w- c:\program files\Common Files\IRALPTTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 31744 -c--a-w- c:\program files\Common Files\IRAWEBTR.DLL
1998-12-09 02:53 . 1998-12-09 02:53 186368 -c--a-w- c:\program files\Common Files\IRAREG.DLL
1998-12-09 02:53 . 1998-12-09 02:53 17920 -c--a-w- c:\program files\Common Files\IRASRIAL.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2008-10-01 07:40 192960 -c----w- c:\program files\Yontoo Layers Client for Internet Explorer\YontooIEClient.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-04-25 3334144]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
"AVScan"="c:\documents and settings\Missy\Application Data\winav.exe" [2009-05-29 4257280]
"AdVantage"="c:\documents and settings\Missy\Application Data\advantage\AdVantage.exe" [2009-04-09 204208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"D-Link AirPlus G"="c:\program files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 1228800]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-12-16 49152]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-04-09 826880]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-07 57344]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-14 114688]
"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CAMTRAY.EXE" [2004-04-29 245760]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-09-07 29744]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-09 515416]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-12-07 8720384]

c:\documents and settings\Missy\Start Menu\Programs\Startup\
MEMonitor.lnk - c:\program files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2007-10-12 947544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
HP Digital Imaging Monitor.lnk - c:\program files\Hp\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Symantec Fax Starter Edition Port.lnk - c:\program files\Microsoft Office\Office\1033\OLFSNT40.EXE [1998-12-23 45568]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 Lbd;Lbd;c:\windows\SYSTEM32\DRIVERS\Lbd.sys [6/3/2009 7:33 PM 64160]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 951632]
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2/18/2008 2:37 PM 149352]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2/19/2008 6:54 PM 24652]
R3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\SYSTEM32\DRIVERS\A3AB.sys [3/16/2005 6:00 PM 450336]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/29/2009 8:11 PM 101936]
S3 COH_Mon;COH_Mon;c:\windows\SYSTEM32\DRIVERS\COH_Mon.sys [1/12/2008 9:32 PM 23888]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [7/9/2008 9:05 AM 29744]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-06-04 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:06]

2009-05-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-06-03 c:\windows\Tasks\Norton Security Scan for Missy.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 01:20]
.
- - - - ORPHANS REMOVED - - - -

BHO-{EC62A8A6-5780-45ED-BC06-E4AEE0C49084} - c:\windows\system32\tccpwyg.dll
HKCU-Run-Free Download Manager - c:\program files\Free Download Manager\fdm.exe
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-WinButler - c:\documents and settings\Missy\Application Data\WinButler\WinButler.exe
HKCU-Run-Microsoft Windows DLL Services Configuration - windir32.exe
SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
Trusted Zone: aol.com\free
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-04 11:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,29,c2,45,6f,86,
28,65,66,c8,28,51,af,b0,29,a3,98,d4,f4,6c,28,bf,21,04,22,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,07,a9,ce,ba,81,
cd,47,26,71,3b,04,66,8b,46,0d,96,3e,a6,64,e0,48,67,2c,ec,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:25,da,ec,7e,55,20,c9,26,15,5a,bb,66,99,
2f,59,9b,25,da,ec,7e,55,20,c9,26,ca,e4,10,5d,15,a5,b3,11,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:6b,65,49,6a,7e,99,74,f7,02,4b,66,09,86,
2b,89,4d,3e,1e,9e,e0,57,5a,93,61,9e,4c,be,ec,ae,bd,41,b2,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:e9,02,6c,fa,fb,1d,47,57,73,4b,0b,f9,44,
50,64,b9,cd,44,cd,b9,a6,33,6c,cd,ca,3f,6e,64,26,14,6f,2a,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,02,c2,5e,30,13,
76,57,ac,b0,18,ed,a7,3f,8d,37,a4,c6,e3,a2,ff,2d,cf,f5,93,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,45,55,68,a5,2c,
c1,7e,38,31,77,e1,ba,b1,f8,68,02,b1,e3,a7,5b,73,9b,59,0e,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,5b,48,31,1f,48,
21,ab,3c,83,6c,56,8b,a0,85,96,ab,2d,a8,9e,8f,77,0b,5c,3b,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:b2,46,9a,e2,1b,fe,1b,94,c7,37,1b,76,23,
81,3b,88,51,fa,6e,91,28,9e,14,cc,fa,05,72,57,02,09,da,b4,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:3d,ce,ea,26,2d,45,aa,78,cd,1a,56,0f,47,
dd,ca,aa,b1,cd,45,5a,a8,c4,f8,b9,19,45,49,7a,76,d2,12,e3,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,e6,43,1f,37,80,
1e,a8,a3,e3,0e,66,d5,eb,bc,2f,6b,1e,06,b1,14,3b,77,09,d8,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,83,41,0f,c3,10,
18,01,80,fa,ea,66,7f,d4,3b,6b,70,45,cc,8e,eb,cc,71,ef,59,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2044)
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\PhotoImpression 5\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\SYSTEM32\BAsfIpM.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe
c:\windows\SYSTEM32\HPZipm12.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\SYSTEM32\WBEM\UNSECAPP.EXE
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Hp\Digital Imaging\bin\hpqste08.exe
c:\program files\AIM6\aolsoftware.exe
c:\program files\Hp\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-06-04 12:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-04 17:03

Pre-Run: 22,340,288,512 bytes free
Post-Run: 22,314,278,912 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

336 --- E O F --- 2009-03-14 10:03
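The log above already contains the two tells of a rogue antivirus infection that a triage analyst looks for first: an autostart entry in the `Run` key that launches an executable out of a user's `Application Data` folder (`"AVScan"` pointing at `winav.exe`), and Security Center / Windows Firewall values flipped so that the OS stops warning about disabled protection. The script below is an added example written for this thread, not part of the original post or of ComboFix; it parses a constructed excerpt made from the registry lines in the posted log and flags those two conditions. The directory list in `PROFILE_DIRS` and the value-name heuristics are the author's own assumptions about what is "unusual" on a Windows XP machine, not a ComboFix rule.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log (added example).

Flags (1) Run entries that launch from a user profile directory and
(2) Security Center / firewall values that silence protection warnings.
"""
import re

# Constructed excerpt: registry lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2006-04-25 3334144]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"AVScan"="c:\documents and settings\Missy\Application Data\winav.exe" [2009-05-29 4257280]
"AdVantage"="c:\documents and settings\Missy\Application Data\advantage\AdVantage.exe" [2009-04-09 204208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
FW_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')

# Assumption: legitimate XP software rarely autostarts from these locations.
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def parse_sections(text):
    """Yield (registry key, [value lines]) for each bracketed block."""
    key, lines = None, []
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                yield key, lines
            key, lines = m.group(1), []
        elif line and key is not None:
            lines.append(line)
    if key is not None:
        yield key, lines


def suspicious_autoruns(text):
    """Return [(key, value name, path)] for Run entries started from a profile dir."""
    hits = []
    for key, lines in parse_sections(text):
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        for line in lines:
            m = RUN_RE.match(line)
            if m and any(d in m.group(2).lower() for d in PROFILE_DIRS):
                hits.append((key, m.group(1), m.group(2)))
    return hits


def security_center_tampering(text):
    """Return [(key, value name)] where warnings are disabled or the firewall is off."""
    hits = []
    for key, lines in parse_sections(text):
        k = key.lower()
        for line in lines:
            m = DWORD_RE.match(line)
            if m and "security center" in k and "disable" in m.group(1).lower() \
                    and int(m.group(2), 16) == 1:
                hits.append((key, m.group(1)))
            m = FW_RE.match(line)
            if m and "firewallpolicy" in k and m.group(1) == "0":
                hits.append((key, "EnableFirewall"))
    return hits


if __name__ == "__main__":
    for key, name, path in suspicious_autoruns(SAMPLE_LOG):
        print(f"AUTORUN  {name!r:12} -> {path}")
    for key, name in security_center_tampering(SAMPLE_LOG):
        print(f"TAMPERED {name:24} in {key}")
```

On the excerpt, the first function returns the `AVScan` (winav.exe) and `AdVantage` entries, and the second returns the two `*DisableNotify` values, the `DisableMonitoring` value and the `EnableFirewall`=0 setting. A ComboFix run removes the files, but these registry findings are the evidence worth keeping when a user writes up what happened, since they show the rogue both persisted at logon and suppressed the warnings Windows would otherwise have raised.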



#2 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  • Location:Cleveland, Ohio
  • Local time:04:56 PM

Posted 04 June 2009 - 02:30 PM

ComboFix logs should not be posted or discussed outside the HijackThis forums. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic in the Am I Infected forum.
http://www.bleepingcomputer.com/forums/f/103/am-i-infected-what-do-i-do/
Explain the nature of your problem. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

This topic is now closed.
The BC Staff
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter



