TechSpot

Congratulations You Won and Part of Song Audio Virus

By Banedor
Jul 26, 2010
  1. Here are the logs, HJT first, then Combofix. I saw in other threads people being asked to run Combofix, so I just did, and here they are:

    Code:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:14:19 PM, on 7/26/2010
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18470)
    Boot mode: Normal
    
    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Windows\SOUNDMAN.EXE
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Windows\system32\SearchFilterHost.exe
    
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
    O2 - BHO: (no name) - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - (no file)
    O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe (User 'Default user')
    O4 - Global Startup: GN-WP01GS Utility.lnk = C:\Program Files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter\Installer\WIN2K\RaUI.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    O13 - Gopher Prefix:
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
    O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} (Java Plug-in 1.6.0_15) -
    O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} (Java Plug-in 1.6.0_17) -
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O20 - Winlogon Notify: avgwlntf - C:\Windows\SYSTEM32\avgwlntf.dll
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\Windows\runservice.exe
    O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
    O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
    O23 - Service: LabSim Configuration and Security (OrbisClient.Services) - Unknown owner - C:\Program Files\TestOut\Orbis\OrbisClient.Services.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
    O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
    
    --
    End of file - 9357 bytes 
     
  2. Banedor

    Banedor TS Rookie Topic Starter

    ComboFix 10-07-24.06 - Administrator 07/26/2010 18:44:53.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3327.2132 [GMT -4:00]
    Running from: c:\users\Administrator\Desktop\ComboFix.exe
    AV: AVG 7.5.516 *On-access scanning enabled* (Outdated) {41564737-3200-1071-989B-0000E87B4FB1}
    SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
    SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\users\Administrator\AppData\Roaming\MoveMediaPlayer_win_mozilla_07076007.exe

    .
    MBR is infected with the Whistler Bootkit !!

    ((((((((((((((((((((((((( Files Created from 2010-06-26 to 2010-07-26 )))))))))))))))))))))))))))))))
    .

    2010-07-26 22:52 . 2010-07-26 22:53 -------- d-----w- c:\users\Administrator\AppData\Local\temp
    2010-07-26 22:52 . 2010-07-26 22:52 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-07-26 22:14 . 2010-07-26 22:14 -------- d-----w- c:\program files\Trend Micro
    2010-07-26 10:23 . 2010-04-14 17:47 293376 ----a-w- c:\windows\system32\psisdecd.dll
    2010-07-26 10:23 . 2010-04-14 17:46 428544 ----a-w- c:\windows\system32\EncDec.dll
    2010-07-26 10:21 . 2010-07-26 10:21 -------- d-----w- c:\program files\Microsoft.NET
    2010-07-26 10:19 . 2009-11-08 14:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2010-07-26 10:19 . 2009-11-08 14:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2010-07-26 10:19 . 2009-11-08 14:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2010-07-26 10:19 . 2009-11-08 14:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2010-07-26 10:19 . 2009-11-08 14:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2010-07-26 10:16 . 2010-04-23 13:55 2048 ----a-w- c:\windows\system32\tzres.dll
    2010-07-26 10:14 . 2010-01-29 16:21 738304 ----a-w- c:\windows\system32\inetcomm.dll
    2010-07-26 10:14 . 2010-04-05 16:07 67072 ----a-w- c:\windows\system32\asycfilt.dll
    2010-07-26 10:12 . 2010-05-01 13:53 2036224 ----a-w- c:\windows\system32\win32k.sys
    2010-07-24 23:33 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-07-01 01:55 . 2010-07-01 01:55 -------- d-----w- c:\users\Administrator\AppData\Local\The Lord of the Rings Online
    2010-07-01 01:22 . 2010-07-01 01:22 -------- d-----w- c:\users\Administrator\AppData\Roaming\Turbine
    2010-07-01 01:21 . 2010-07-01 01:21 101 ----a-w- c:\users\Administrator\AppData\Local\fusioncache.dat
    2010-07-01 01:21 . 2010-07-01 01:21 -------- d-----w- c:\users\Administrator\AppData\Local\Turbine
    2010-07-01 01:14 . 2010-07-26 10:20 -------- d-----w- c:\users\Administrator\AppData\Local\ApplicationHistory
    2010-07-01 01:12 . 2010-07-01 01:12 -------- d-----w- c:\windows\system32\URTTEMP
    2010-06-28 17:51 . 2010-07-05 22:05 -------- d-----w- c:\users\Administrator\AppData\Local\Procaster

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-07-26 21:07 . 2010-06-12 01:25 35655 ----a-w- c:\programdata\nvModes.dat
    2010-07-26 21:06 . 2007-09-05 12:30 -------- d-----w- c:\programdata\NVIDIA
    2010-07-26 20:59 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-07-26 11:43 . 2008-09-06 23:20 -------- d-----w- c:\programdata\Google Updater
    2010-07-26 09:53 . 2007-10-19 10:30 -------- d-----w- c:\users\Administrator\AppData\Roaming\AVG7
    2010-07-26 09:51 . 2007-09-16 08:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2010-07-26 02:01 . 2007-05-23 05:40 -------- d-----w- c:\users\Administrator\AppData\Roaming\BitTorrent
    2010-07-25 16:12 . 2007-12-13 01:07 -------- d-----w- c:\program files\Steam
    2010-07-24 23:34 . 2007-06-15 05:51 -------- d-----w- c:\program files\Common Files\Java
    2010-07-24 23:33 . 2007-06-15 05:52 -------- d-----w- c:\program files\Java
    2010-07-14 21:42 . 2008-05-29 16:43 256 ----a-w- c:\windows\system32\pool.bin
    2010-07-14 21:34 . 2009-06-02 03:14 -------- d-----w- c:\users\Administrator\AppData\Roaming\FrostWire
    2010-07-11 14:07 . 2010-05-05 02:12 -------- d-----w- c:\programdata\Nero
    2010-07-01 00:34 . 2009-10-16 04:54 -------- d-----w- c:\programdata\PMB Files
    2010-06-24 16:04 . 2010-06-24 16:03 -------- d-----w- c:\users\Administrator\AppData\Roaming\vlc
    2010-06-22 18:25 . 2008-02-12 16:31 -------- d-----w- c:\program files\SystemRequirementsLab
    2010-06-22 18:25 . 2010-06-22 18:25 77312 ----a-w- c:\users\Administrator\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.1.72.0A.dll
    2010-06-22 18:25 . 2008-02-12 16:31 -------- d-----w- c:\users\Administrator\AppData\Roaming\SystemRequirementsLab
    2010-06-17 18:52 . 2010-06-17 18:52 -------- d-----w- c:\users\Administrator\AppData\Roaming\LolClient
    2010-06-17 18:50 . 2009-12-10 06:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2010-06-17 18:50 . 2009-12-10 06:38 53632 ----a-w- c:\users\Default\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
    2010-06-17 18:44 . 2007-05-23 00:48 -------- d--h--w- c:\program files\InstallShield Installation Information
    2010-06-15 16:12 . 2008-09-21 00:10 -------- d-----w- c:\program files\Warcraft III
    2010-06-14 14:57 . 2010-06-14 14:56 87 ----a-w- c:\users\Administrator\jagex_runescape_preferences2.dat
    2010-06-14 14:57 . 2008-09-15 17:23 45 ----a-w- c:\users\Administrator\jagex_runescape_preferences.dat
    2010-06-14 14:56 . 2010-06-14 14:56 0 ----a-w- c:\users\Administrator\jagex__preferences3.dat
    2010-06-03 18:52 . 2010-06-03 18:52 -------- d-----w- c:\program files\Microsoft
    2010-06-03 18:52 . 2010-06-03 18:52 -------- d-----w- c:\program files\Windows Live SkyDrive
    2010-06-03 18:51 . 2008-04-17 05:39 -------- d-----w- c:\program files\Windows Live
    2010-06-03 18:50 . 2010-06-03 18:50 -------- d-----w- c:\program files\Common Files\Windows Live
    2010-06-03 13:33 . 2010-06-03 13:33 2238 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{9DE4E17F-0C99-4A57-8F7D-5B69CC95D7A9}\NewShortcut7_9DE4E17F0C994A578F7D5B69CC95D7A9.exe
    2010-06-03 13:33 . 2010-06-03 13:33 2238 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{9DE4E17F-0C99-4A57-8F7D-5B69CC95D7A9}\NewShortcut4_9DE4E17F0C994A578F7D5B69CC95D7A9.exe
    2010-06-03 13:33 . 2010-06-03 13:33 2238 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{9DE4E17F-0C99-4A57-8F7D-5B69CC95D7A9}\ARPPRODUCTICON.exe
    2010-05-26 16:16 . 2010-07-26 10:15 34304 ----a-w- c:\windows\system32\atmlib.dll
    2010-05-26 14:25 . 2010-07-26 10:15 289792 ----a-w- c:\windows\system32\atmfd.dll
    2010-05-21 18:14 . 2009-10-03 08:45 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-05-04 18:42 . 2010-07-26 10:15 833024 ----a-w- c:\windows\system32\wininet.dll
    2010-05-04 18:37 . 2010-07-26 10:15 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-05-04 18:21 . 2007-05-23 00:26 73328 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-05-04 16:53 . 2010-07-26 10:15 26624 ----a-w- c:\windows\system32\ieUnatt.exe
    2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
    2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
    2006-05-03 09:06 . 2008-06-06 20:14 163328 --sh--r- c:\windows\System32\flvDX.dll
    2007-02-21 10:47 . 2008-06-06 20:14 31232 --sh--r- c:\windows\System32\msfDX.dll
    2007-12-17 12:43 . 2008-06-06 20:14 27648 --sh--w- c:\windows\System32\Smab0.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-23 68856]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "AVG7_CC"="c:\progra~1\Grisoft\AVG7\avgcc.exe" [2007-12-21 579072]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
    "SoundMan"="SOUNDMAN.EXE" [2007-03-09 598016]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2008-12-12 642856]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-26 219136]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10a.exe" [2008-10-05 235936]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    GN-WP01GS Utility.lnk - c:\program files\Gigabyte\Gigabyte WP01GS Wireless PCI Adapter\Installer\WIN2K\RaUI.exe [2007-5-22 720896]
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgwlntf]
    2007-10-19 10:27 9216 ----a-w- c:\windows\System32\avgwlntf.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "mixer"=wdmaud.drv

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AVG Anti-Spyware Guard]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "AntiVirusOverride"=dword:00000001
    "AntiSpywareOverride"=dword:00000001

    R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
    R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 135664]
    R2 LicCtrlService;LicCtrl Service;c:\windows\runservice.exe [2008-09-15 2560]
    R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [2008-11-13 204800]
    R3 rt61x86;Gigabyte RT61 Wireless Driver for Windows Vista;c:\windows\system32\DRIVERS\netr61.sys [2007-05-11 357376]
    R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
    S2 OrbisClient.Services;LabSim Configuration and Security;c:\program files\TestOut\Orbis\OrbisClient.Services.exe [2009-11-17 14336]
    S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
    S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2010-01-22 240232]
    S3 AvgWFP;AVG7 Firewall Driver x86;c:\windows\System32\Drivers\avgwfp.sys [2007-12-21 55304]

    .
    Contents of the 'Scheduled Tasks' folder

    2010-07-26 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-05-23 10:39]

    2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 21:36]

    2010-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-12-27 21:36]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://mail.google.com/mail/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rqvyihq0.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.vhahockey.net/index.php
    FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
    FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
    FF - plugin: c:\program files\NVIDIA Corporation\3D Vision\npnv3dv.dll
    FF - plugin: c:\program files\Pando Networks\Media Booster\npPandoWebPlugin.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: c:\users\Administrator\AppData\Roaming\Move Networks\plugins\npqmp071502000008.dll
    FF - plugin: c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\rqvyihq0.default\extensions\NPDyyno@dyyno.com\plugins\npDyyno.dll
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-Aim6 - (no file)
    SafeBoot-AVG Anti-Spyware Driver



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-07-26 18:53
    Windows 6.0.6001 Service Pack 1 NTFS

    scanning hidden processes ...

    c:\program files\Internet Explorer\iexplore.exe [2436] 0x84C223B8

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
     
  3. Banedor

    Banedor TS Rookie Topic Starter

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AIFF"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASF"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASX"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AU"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.avi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="VLC.avi"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.CDA"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\photoviewer.dll"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="jpegfile"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m1v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.M2V\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.m3u\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.M3U"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.midi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mkv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="VLC.mkv"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp3\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Winamp.File"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MP4\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="VLC.mp4"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpa\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpe\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpeg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpg\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\DivX Player.exe"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MPEG"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.png\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="pngfile"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.MIDI"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.AU"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wav\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WAV"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wax\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WAX"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wm\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASF"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wma\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMA"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMD"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMS"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmv\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\DivX Player.exe"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.ASX"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WMZ"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WPL"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="WMP11.AssocFile.WVX"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="FirefoxHTML"

    [HKEY_USERS\S-1-5-21-962001124-2967306043-1494952766-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xls\UserChoice]
    @Denied: (2) (Administrator)
    "Progid"="Applications\\EXCEL.EXE"

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    Completion time: 2010-07-26 18:56:33
    ComboFix-quarantined-files.txt 2010-07-26 22:56

    Pre-Run: 125,953,523,712 bytes free
    Post-Run: 125,342,220,288 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=1 Sets=1,2,3,5
    - - End Of File - - 1F860A83DC4EF5C200FC0473AB523FED
     
  4. Broni

    Broni Malware Annihilator Posts: 52,627   +341

    1. We don't use HJT around here anymore.
    2. Don't wrap logs in code
    3. Never run Combofix on your own.
    4. Complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    5. Describe your issues.
     
Topic Status:
Not open for further replies.
