TechSpot

Congratulations You Won and Part of Song Audio Virus

Inactive
By Banedor
Jul 26, 2010
  1. Here are the logs, HJT first, then ComboFix. I saw in other threads people being asked to run ComboFix, so I just did, and here they are:

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:14:19 PM, on 7/26/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18470)
    Boot mode: Normal
    
    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\SOUNDMAN.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
    O4 - Global Startup: GN-WP01GS Utility.lnk = C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter\Installer\WIN2K\RaUI.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O13 - Gopher Prefix:
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
    O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} (Java Plug-in 1.6.0_17) -
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\Windows\runservice.exe
    O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: LabSim Configuration and Security (OrbisClient.Services) - Unknown owner - C:\Program Files\TestOut\Orbis\OrbisClient.Services.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    
    --
    End of file - 9357 bytes 
     
  2. Banedor

    Banedor TS Rookie Topic Starter

    ComboFix 10-07-24.06 - Administrator 07/26/2010 18:44:53.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3327.2132 [GMT -4:00]
    Running from: c:\users\Administrator\Desktop\ComboFix.exe
    AV: AVG 7.5.516 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
    SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Administrator\AppData\Roaming\MoveMediaPlayer_win_mozilla_07076007.exe

    .
    MBR is infected with the Whistler Bootkit !!

    ((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
    .

    2010-07-26 22:52 . 2010-07-26 22:53 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-07-26 22:52 . 2010-07-26 22:52 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-07-26 22:14 . 2010-07-26 22:14 -------- d-----w- c:\program files\Trend Micro
    2010-07-26 10:23 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
    2010-07-26 10:23 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
    2010-07-26 10:21 . 2010-07-26 10:21 -------- d-----w- c:\program files\Microsoft.NET
    2010-07-26 10:19 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-07-26 10:19 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-07-26 10:19 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-07-26 10:19 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-07-26 10:19 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-07-26 10:16 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-07-26 10:14 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
    2010-07-26 10:14 . 2010-04-05 16:07 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2010-07-26 10:12 . 2010-05-01 13:53 2036224 ----a-w- c:\windows\system32\win32k.sys
    2010-07-24 23:33 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-01 01:55 . 2010-07-01 01:55 -------- d-----w- c:\users\Administrator\AppData\Local\The Lord of the Rings Online
    2010-07-01 01:22 . 2010-07-01 01:22 -------- d-----w- c:\users\Administrator\AppData\Roaming\Turbine
    2010-07-01 01:21 . 2010-07-01 01:21 101 ----a-w- c:\users\Administrator\AppData\Local\fusioncache.dat
    2010-07-01 01:21 . 2010-07-01 01:21 -------- d-----w- c:\users\Administrator\AppData\Local\Turbine
    2010-07-01 01:14 . 2010-07-26 10:20 -------- d-----w- c:\users\Administrator\AppData\Local\ApplicationHistory
    2010-07-01 01:12 . 2010-07-01 01:12 -------- d-----w- c:\windows\system32\URTTEMP
    2010-06-28 17:51 . 2010-07-05 22:05 -------- d-----w- c:\users\Administrator\AppData\Local\Procaster

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-26 21:07 . 2010-06-12 01:25 35655 ----a-w- c:\programdata\nvModes.dat
    2010-07-26 21:06 . 2007-09-05 12:30 -------- d-----w- c:\programdata\NVIDIA
    2010-07-26 20:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-07-26 11:43 . 2008-09-06 23:20 -------- d-----w- c:\programdata\Google Updater
    2010-07-26 09:53 . 2007-10-19 10:30 -------- d-----w- c:\users\Administrator\AppData\Roaming\AVG7
    2010-07-26 09:51 . 2007-09-16 08:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-26 02:01 . 2007-05-23 05:40 -------- d-----w- c:\users\Administrator\AppData\Roaming\BitTorrent
    2010-07-25 16:12 . 2007-12-13 01:07 -------- d-----w- c:\program files\Steam
    2010-07-24 23:34 . 2007-06-15 05:51 -------- d-----w- c:\program files\Common Files\Java
    2010-07-24 23:33 . 2007-06-15 05:52 -------- d-----w- c:\program files\Java
    2010-07-14 21:42 . 2008-05-29 16:43 256 ----a-w- c:\windows\system32\pool.bin
    2010-07-14 21:34 . 2009-06-02 03:14 -------- d-----w- c:\users\Administrator\AppData\Roaming\FrostWire
    2010-07-11 14:07 . 2010-05-05 02:12 -------- d-----w- c:\programdata\Nero
    2010-07-01 00:34 . 2009-10-16 04:54 -------- d-----w- c:\programdata\PMB Files
    2010-06-24 16:04 . 2010-06-24 16:03 -------- d-----w- c:\users\Administrator\AppData\Roaming\vlc
    2010-06-22 18:25 . 2008-02-12 16:31 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-06-22 18:25 . 2010-06-22 18:25 77312 ----a-w- c:\users\Administrator\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.1.72.0A.dll
    2010-06-22 18:25 . 2008-02-12 16:31 -------- d-----w- c:\users\Administrator\AppData\Roaming\SystemRequirementsLab
    2010-06-17 18:52 . 2010-06-17 18:52 -------- d-----w- c:\users\Administrator\AppData\Roaming\LolClient
    2010-06-17 18:50 . 2009-12-10 06:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-06-17 18:50 . 2009-12-10 06:38 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-06-17 18:44 . 2007-05-23 00:48 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-15 16:12 . 2008-09-21 00:10 -------- d-----w- c:\program files\Warcraft III
    2010-06-14 14:57 . 2010-06-14 14:56 87 ----a-w- c:\users\Administrator\jagex_runescape_preferences2.dat
    2010-06-14 14:57 . 2008-09-15 17:23 45 ----a-w- c:\users\Administrator\jagex_runescape_preferences.dat
    2010-06-14 14:56 . 2010-06-14 14:56 0 ----a-w- c:\users\Administrator\jagex__preferences3.dat
    2010-06-03 18:52 . 2010-06-03 18:52 -------- d-----w- c:\program files\Microsoft
    2010-06-03 18:52 . 2010-06-03 18:52 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-06-03 18:51 . 2008-04-17 05:39 -------- d-----w- c:\program files\Windows Live
    2010-06-03 18:50 . 2010-06-03 18:50 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-06-03 13:33 . 2010-06-03 13:33 2238 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{9DE4E17F-0C99-4A57-8F7D-5B69CC95D7A9}\NewShortcut7_9DE4E17F0C994A578F7D5B69CC95D7A9.exe
    2010-06-03 13:33 . 2010-06-03 13:33 2238 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{9DE4E17F-0C99-4A57-8F7D-5B69CC95D7A9}\NewShortcut4_9DE4E17F0C994A578F7D5B69CC95D7A9.exe
    2010-06-03 13:33 . 2010-06-03 13:33 2238 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{9DE4E17F-0C99-4A57-8F7D-5B69CC95D7A9}\ARPPRODUCTICON.exe
    2010-05-26 16:16 . 2010-07-26 10:15 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:25 . 2010-07-26 10:15 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-21 18:14 . 2009-10-03 08:45 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-04 18:42 . 2010-07-26 10:15 833024 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 18:37 . 2010-07-26 10:15 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-05-04 18:21 . 2007-05-23 00:26 73328 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-04 16:53 . 2010-07-26 10:15 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2006-05-03 09:06 . 2008-06-06 20:14 163328 --sh--r- c:\windows\System32\flvDX.dll
    2007-02-21 10:47 . 2008-06-06 20:14 31232 --sh--r- c:\windows\System32\msfDX.dll
    2007-12-17 12:43 . 2008-06-06 20:14 27648 --sh--w- c:\windows\System32\Smab0.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 579072]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
    "SoundMan"="SOUNDMAN.EXE" [2007-03-09 598016]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-26 219136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    GN-WP01GS Utility.lnk - c:\program files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter\Installer\WIN2K\RaUI.exe [2007-5-22 720896]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    2007-10-19 10:27 9216 ----a-w- c:\windows\System32\avgwlntf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiSpywareOverride"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 135664]
    R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2008-09-15 2560]
    R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
    R3 rt61x86;Gigabyte RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2007-05-11 357376]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 OrbisClient.Services;LabSim Configuration and Security;c:\program files\TestOut\Orbis\OrbisClient.Services.exe [2009-11-17 14336]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-01-22 240232]
    S3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\System32\Drivers\avgwfp.sys [2007-12-21 55304]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-26 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-23 10:39]

    2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 21:36]

    2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 21:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://mail.google.com/mail/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rqvyihq0.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.vhahockey.net/index.php
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\users\Administrator\AppData\Roaming\Move Networks\plugins\npqmp071502000008.dll
    FF - plugin: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rqvyihq0.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)
    SafeBoot-AVG Anti-Spyware Driver



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-26 18:53
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    c:\program files\Internet Explorer\iexplore.exe [2436] 0x84C223B8

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
     
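Added example, not part of the thread or of ComboFix: the "MBR is infected" line above is the kind of finding a generic MBR integrity check can reproduce without knowing a specific bootkit. The script below parses a 512-byte master boot record (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot-code region and compares it with a baseline recorded from the clean machine, and sanity-checks the partition table. The sample MBR and the "tampered" copy are constructed for the example; the raw-device path `\\.\PhysicalDrive0` and the administrator requirement are assumptions about where a real read would come from.

```python
"""Generic MBR integrity check: baseline hash of boot code plus partition-table sanity."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # boot code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
PART_ENTRY_LEN = 16
# status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sector-count(4)
PART_ENTRY_FMT = "<B3xB3xII"
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def parse_partitions(mbr):
    """Return the four partition-table entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the boot-code region only; the partition table may legitimately change."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """Compare an MBR image against a known-good baseline; 'clean' only if every check passes."""
    if len(mbr) != MBR_SIZE:
        return {"clean": False, "findings": [f"unexpected MBR length {len(mbr)}"]}
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid status byte 0x{p['status']:02x}")
    bootable = [p for p in parts if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    used = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts if p["type"] != 0)
    for (_, end1), (start2, _) in zip(used, used[1:]):
        if start2 < end1:
            findings.append(f"partitions overlap at LBA {start2}")
    return {"clean": not findings, "findings": findings}


def build_sample_mbr(boot_code, partitions):
    """Construct a synthetic MBR for the example (not an image of any real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(PART_ENTRY_FMT, *p) for p in partitions)
    table = table.ljust(4 * PART_ENTRY_LEN, b"\x00")
    return code + table + BOOT_SIGNATURE


def read_physical_mbr(device=r"\\.\PhysicalDrive0"):
    """Assumption: raw device path for Windows; needs administrator rights (use /dev/sda on Linux)."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


# Constructed stand-in for known-good boot code: a few x86 prologue bytes, then zeros,
# and one bootable NTFS (type 0x07) partition starting at LBA 2048.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
BASELINE = boot_code_hash(CLEAN_MBR)   # in practice recorded from the clean system, stored off-box

# Constructed tampering: first bytes of boot code replaced by a short jump (not real bootkit code).
TAMPERED_MBR = b"\xeb\x3c\x90" + CLEAN_MBR[3:]

if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE))
```

Two caveats a practitioner should keep in mind: a bootkit that hooks disk I/O can serve the original sector back to reads made from inside the infected OS, so the comparison is only trustworthy when the image is taken from a clean boot environment; and the baseline must be captured before infection and kept off the machine, otherwise there is nothing to compare against.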
  3. Banedor

    Banedor TS Rookie Topic Starter

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASF"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASX"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AU"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="VLC.avi"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.CDA"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\photoviewer.dll"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="jpegfile"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.M3U"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="VLC.mkv"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Winamp.File"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP4\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="VLC.mp4"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\DivX Player.exe"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="pngfile"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AU"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WAV"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WAX"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASF"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMA"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMD"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMS"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\DivX Player.exe"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASX"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMZ"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WPL"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WVX"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xls\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\EXCEL.EXE"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-07-26 18:56:33
    ComboFix-quarantined-files.txt 2010-07-26 22:56

    Pre-Run: 125,953,523,712 bytes free
    Post-Run: 125,342,220,288 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=1 Sets=1,2,3,5
    - - End Of File - - 1F860A83DC4EF5C200FC0473AB523FED
     
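Added example, not part of the thread and not a tool the helpers here use: a small rule-based triage pass over HijackThis and ComboFix output of the shape posted above. It flags the indicators an analyst scans for by hand in these logs (BHO entries with no backing file, services with an unknown owner, Winlogon Notify DLLs, autoruns given as a bare filename or launched from a profile directory, the bootkit line, files carrying hidden+system attributes under System32, Security Center override values, and a process that only the rootkit scanner saw). The sample lines are excerpts copied from the logs in this thread; the rule names and severities are the example's own choices, not anything defined by either tool.

```python
"""Rule-based triage of HijackThis (HJT) and ComboFix log lines."""
import re
from dataclasses import dataclass

SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Sample input: lines excerpted from the logs posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\Windows\runservice.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
"""
COMBOFIX_SAMPLE = r"""
AV: AVG 7.5.516 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
MBR is infected with the Whistler Bootkit !!
2010-07-26 10:12 . 2010-05-01 13:53 2036224 ----a-w- c:\windows\system32\win32k.sys
2006-05-03 09:06 . 2008-06-06 20:14 163328 --sh--r- c:\windows\System32\flvDX.dll
2007-12-17 12:43 . 2008-06-06 20:14 27648 --sh--w- c:\windows\System32\Smab0.dll
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001
scanning hidden processes ...
c:\program files\Internet Explorer\iexplore.exe [2436] 0x84C223B8
scanning hidden autostart entries ...
"""


@dataclass
class Finding:
    severity: str
    rule: str
    line: str


# ComboFix file entry: "created . modified size attrs path"; attrs[2]=='s' system, attrs[3]=='h' hidden
FILE_ENTRY = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d (?:\d+|-{8}) ([-a-z]{8}) (.+)$")
# catchme hidden-process line: "path [pid] 0xKERNELADDR"
HIDDEN_PROC = re.compile(r"^(\S.*?) \[(\d+)\] 0x[0-9A-Fa-f]+$")


def triage_hjt(text):
    """Flag HJT O2/O4/O20/O23 entries that need a second look."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("O2 - ") and line.endswith("(no file)"):
            out.append(Finding("low", "orphan-bho", line))          # dead CLSID; cleanup, not infection
        elif line.startswith("O4 - "):
            target = line.split("] ", 1)[-1].strip('"')
            if "\\" not in target:
                out.append(Finding("info", "bare-filename-autorun", line))  # resolved via search path
            elif re.search(r"\\(AppData|Temp)\\", target, re.I):
                out.append(Finding("high", "autorun-from-profile-dir", line))
        elif line.startswith("O20 - Winlogon Notify"):
            out.append(Finding("medium", "winlogon-notify-dll", line))  # classic persistence point
        elif line.startswith("O23 - ") and " - Unknown owner - " in line:
            out.append(Finding("medium", "service-unknown-owner", line))
    return out


def triage_combofix(text):
    """Flag ComboFix/catchme findings: bootkit line, hidden system files, overrides, hidden processes."""
    out, in_hidden_procs = [], False
    for line in text.splitlines():
        s = line.strip()
        if not s:
            continue
        if s.startswith("scanning "):
            in_hidden_procs = s.startswith("scanning hidden processes")
            continue
        if in_hidden_procs and HIDDEN_PROC.match(s):
            out.append(Finding("high", "hidden-process", s))
        elif s.startswith("MBR is infected"):
            out.append(Finding("critical", "mbr-bootkit", s))
        elif s.startswith(("AV:", "SP:")) and ("(Outdated)" in s or "*disabled*" in s):
            out.append(Finding("medium", "protection-outdated-or-disabled", s))
        elif re.match(r'^"Anti(Virus|Spyware)Override"=dword:00000001$', s):
            out.append(Finding("medium", "security-center-override", s))  # alerts suppressed
        else:
            m = FILE_ENTRY.match(s)
            if m and m.group(1)[2] == "s" and m.group(1)[3] == "h" and "\\system32\\" in m.group(2).lower():
                out.append(Finding("high", "hidden-system-file-in-system32", s))
    return out


def triage(hjt_text, combofix_text):
    """Combined findings, most severe first."""
    findings = triage_hjt(hjt_text) + triage_combofix(combofix_text)
    findings.sort(key=lambda f: SEVERITY[f.severity], reverse=True)
    return findings


def worst(findings):
    return max((f.severity for f in findings), key=SEVERITY.get, default="none")


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, COMBOFIX_SAMPLE):
        print(f"[{f.severity:8}] {f.rule:32} {f.line}")
```

The rules are deliberately conservative: an orphan BHO or a bare-filename Run value is noise on most machines, while the bootkit line, a process visible only to the kernel-level scanner, and hidden+system DLLs in System32 are the entries that decide what happens next. On the logs above the combined result tops out at "critical", which is consistent with the helper's instruction to stop and follow the prescribed steps rather than keep running tools.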
  4. Broni

    Broni Malware Annihilator Posts: 47,668   +267

    1. We don't use HJT around here anymore.
    2. Don't wrap logs in code
    3. Never run Combofix on your own.
    4. Complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    5. Describe your issues.
     
Topic Status:
Not open for further replies.
