
AntivirusPro_2010 / can't load malwarebytes



I have the AntivirusPro_2010. I have tried to download and install MalwareBytes. It would not let me install the file. I downloaded it on another machine, renamed the file, and then I was able to install the application. Once I ran the application and started a scan, it cleared off the screen and was no longer in my list of processes. I renamed the .exe and the app loaded; I started the scan, and then it cleared off the screen and again was not in the list of processes.

I downloaded and installed HiJackThis with the same result.

When I try to run each of these I get the error message "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item".

I have been able to delete the registry items I know of:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Antivirus Pro 2010" = "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe"

* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache

* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions

* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery

* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM\PIDs

* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}

* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}

* HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\[ORIGINAL FILE NAME]

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010

* HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"

* HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"

and removed the wallpaper, but I am still not able to run a MalwareBytes scan or an AntiVirus scan, or get HiJackThis to run.

Any help would be greatly appreciated.

Thanks.

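A read-only check, added here and not part of the original post or of the Malwarebytes/ComboFix tooling, that re-tests the AntivirusPro_2010 registry entries and executable path listed in the post above and reports which of them are still present. The key, value and file names come from the post; the one-line descriptions of why each matters are the editor's, and the script assumes it is run in an elevated PowerShell on the affected machine.

```powershell
# Added example, not part of the original post or of the Malwarebytes/ComboFix
# tooling: re-checks the AntivirusPro_2010 indicators the poster listed and
# reports whether each one is still present. Read-only; it removes nothing.
# Note: "HKCU:\Control Panel\don't load" is per-user, so repeat the check
# under each account that logs on to the machine.

function Get-RogueAvIndicatorStatus {
    # Registry values the poster deleted, with the reason each one matters.
    $values = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
           Name = 'Antivirus Pro 2010'
           Why  = 'autorun entry that relaunches the rogue AV at logon' },
        @{ Path = 'HKCU:\Control Panel\don''t load'
           Name = 'scui.cpl'
           Why  = 'hides the Security Center applet so its warnings are not shown' },
        @{ Path = 'HKCU:\Control Panel\don''t load'
           Name = 'wscui.cpl'
           Why  = 'hides the Windows Security Center applet' }
    )
    # Whole registry keys the poster deleted.
    $keys = @(
        @{ Path = 'HKLM:\SOFTWARE\AntivirusPro_2010'
           Why  = 'configuration key of the rogue AV' },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010'
           Why  = 'fake uninstall entry planted by the rogue AV' }
    )
    # The executable referenced by the deleted Run value.
    $exe = 'C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe'

    foreach ($v in $values) {
        # -Name on a missing value raises a non-terminating error; silence it
        # and treat $null as "absent".
        $item = Get-ItemProperty -Path $v.Path -Name $v.Name -ErrorAction SilentlyContinue
        $data = $null
        if ($item) { $data = $item.($v.Name) }
        [pscustomobject]@{
            Kind    = 'RegistryValue'
            Target  = "$($v.Path)\$($v.Name)"
            Present = [bool]$item
            Data    = $data
            Why     = $v.Why
        }
    }
    foreach ($k in $keys) {
        [pscustomobject]@{
            Kind    = 'RegistryKey'
            Target  = $k.Path
            Present = (Test-Path -Path $k.Path)
            Data    = $null
            Why     = $k.Why
        }
    }
    [pscustomobject]@{
        Kind    = 'File'
        Target  = $exe
        Present = (Test-Path -Path $exe)
        Data    = $null
        Why     = 'binary named in the Run value; should be gone after cleanup'
    }
}

# Show the results and exit non-zero if anything is still present, so the
# script can serve as a pass/fail step after a cleanup.
$status = Get-RogueAvIndicatorStatus
$status | Format-Table Kind, Present, Target, Why -AutoSize
if ($status | Where-Object { $_.Present }) { exit 1 }
```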

By the way, I am running Windows XP Professional Service Pack 2, Malwarebytes ver. 1.41. Let me know if you need any more system info.

Reading through some of the other posts it looks like you recommend running ComboFix, HiJackThis and Win32diag. I was able to run ComboFix which cleared up some of the issues. I am still not able to run the Win32diag. Here are the ComboFix and HiJackThis logs.

Thanks.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:38:13 AM, on 10/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\S3apphk.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Microsoft ActiveSync\Wcescomm.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O4 - HKLM\..\Run: [s3apphk] S3apphk.exe

O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-21-1935655697-1004336348-839522115-1146\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" (User '?')

O4 - HKUS\S-1-5-21-1935655697-1004336348-839522115-1146\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195661782535

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195662179305

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local

O17 - HKLM\Software\..\Telephony: DomainName = domain.local

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.local

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe

O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe

O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

--

End of file - 6544 bytes

ComboFix 09-10-04.01 - tbutcher 10/05/2009 15:15.1.1 - NTFSx86

Running from: c:\documents and settings\tbutcher\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\ekuniq.bin

c:\documents and settings\All Users\Application Data\fojodomo.com

c:\documents and settings\All Users\Application Data\lyjex.scr

c:\documents and settings\All Users\Application Data\oqyxope._dl

c:\documents and settings\All Users\Application Data\qego.lib

c:\documents and settings\All Users\Documents\efajot.pif

c:\documents and settings\All Users\Documents\eneb.ban

c:\documents and settings\tbutcher\Application Data\aqenanuqo._sy

c:\documents and settings\tbutcher\Application Data\ciqyxidy._dl

c:\documents and settings\tbutcher\Application Data\otuwibysus.vbs

c:\documents and settings\tbutcher\Application Data\seres.exe

c:\documents and settings\tbutcher\Local Settings\Application Data\cevamiwox.scr

c:\documents and settings\tbutcher\Local Settings\Application Data\fefehuhog.reg

c:\documents and settings\tbutcher\Local Settings\Application Data\qalofifab.pif

c:\documents and settings\tbutcher\Local Settings\Application Data\rogixihe.dl

c:\documents and settings\tbutcher\Local Settings\Application Data\usic.dl

c:\program files\Common Files\irufy.exe

c:\program files\Common Files\pyxator.pif

c:\program files\Common Files\urod.bin

c:\windows\ecugi.bin

c:\windows\eqamysagaz.vbs

c:\windows\erahup.dll

c:\windows\hozucop.pif

c:\windows\ilatenuma.sys

c:\windows\iqazitefih.pif

c:\windows\irid.dll

c:\windows\puma.pif

c:\windows\search_res.txt

c:\windows\system32\_scui.cpl

c:\windows\system32\~.exe

c:\windows\system32\41.exe

c:\windows\system32\AVR09.exe

c:\windows\system32\drivers\gasfkyuijwioet.sys

c:\windows\system32\ecagik.bin

c:\windows\system32\gasfkyejwxnrje.dat

c:\windows\system32\gasfkyewswuigf.dll

c:\windows\system32\gasfkyilwadarn.dat

c:\windows\system32\gasfkylxshlwti.dll

c:\windows\system32\gasfkyxexrxoan.dll

c:\windows\system32\pygubuqypo._dl

c:\windows\system32\winhelper.dll

c:\windows\system32\yjajofiw.reg

c:\windows\udys.sys

c:\windows\upovo.bin

c:\windows\ybora.scr

c:\windows\zaponce52597.dat

c:\windows\zaponce52689.dat

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\proquota.exe . . . is missing!!

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_gasfkypxylbopx

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Service_gasfkypxylbopx

((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))

.

2009-10-05 20:07 . 2009-10-05 20:07 -------- d-----w- c:\program files\Windows Installer Clean Up

2009-10-05 16:46 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-05 16:46 . 2009-10-05 16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-05 16:46 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-05 16:43 . 2009-10-05 16:43 -------- d-----w- c:\program files\Trend Micro

2009-10-05 15:52 . 2009-10-05 15:52 -------- d--h--w- c:\windows\system32\GroupPolicy

2009-10-05 15:32 . 2009-10-05 15:32 -------- d-----w- c:\program files\CCleaner

2009-10-05 14:25 . 2009-10-05 14:25 -------- d-----w- c:\documents and settings\administrator\Application Data\Malwarebytes

2009-10-05 14:22 . 2009-10-05 14:22 -------- d--h--r- c:\documents and settings\administrator\Application Data\yahoo!

2009-10-05 14:22 . 2009-10-05 14:22 -------- d-----w- c:\documents and settings\administrator\Local Settings\Application Data\LogMeIn

2009-10-05 14:22 . 2009-10-05 14:22 -------- d-sh--w- c:\documents and settings\administrator\IETldCache

2009-10-05 14:17 . 2009-10-05 14:17 -------- d-----w- c:\documents and settings\tbutcher\Application Data\Malwarebytes

2009-10-05 14:16 . 2009-10-05 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-30 21:37 . 2009-10-01 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

2009-09-30 18:43 . 2009-09-30 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE

2009-09-30 17:29 . 2009-09-30 17:29 16078 ----a-w- c:\windows\system32\enidycasi.com

2009-09-30 17:29 . 2009-09-30 17:29 12006 ----a-w- c:\documents and settings\tbutcher\Local Settings\Application Data\otunagivez.dat

2009-09-30 17:10 . 2009-09-30 17:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS

2009-09-30 17:06 . 2009-09-30 17:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-09-30 16:59 . 2009-10-05 18:46 0 ----a-r- c:\windows\win32k.sys

2009-09-18 17:50 . 2009-09-18 17:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!

2009-09-10 03:41 . 2009-09-10 03:41 -------- d-----w- c:\program files\Common Files\Apple

2009-09-10 03:40 . 2009-09-10 03:40 -------- d-----w- c:\program files\QuickTime

2009-09-10 03:40 . 2009-09-10 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-05 20:09 . 2006-06-03 19:39 -------- d-----w- c:\program files\Yahoo!

2009-10-05 20:07 . 2009-05-29 15:01 -------- d-----w- c:\program files\MSECache

2009-10-05 19:53 . 2008-04-30 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-10-05 19:52 . 2009-06-25 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!

2009-10-05 15:34 . 2009-06-25 17:18 -------- d-----w- c:\documents and settings\tbutcher\Application Data\Yahoo!

2009-10-05 13:28 . 2009-03-31 20:29 -------- d-----w- c:\program files\LogMeIn

2009-10-01 14:11 . 2009-03-31 20:30 28984 ----a-w- c:\windows\system32\LMIport.dll

2009-10-01 14:11 . 2009-03-31 20:30 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2009-10-01 14:11 . 2009-03-31 20:30 87352 ----a-w- c:\windows\system32\LMIinit.dll

2009-09-30 18:43 . 2007-06-18 15:03 23440 -c--a-w- c:\documents and settings\tbutcher\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-09-30 18:33 . 2009-04-02 02:27 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-09-30 18:32 . 2009-04-02 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-09-30 17:24 . 2007-07-25 15:56 -------- d-----w- c:\program files\Common Files\Real

2009-09-30 17:24 . 2007-07-25 15:56 -------- d-----w- c:\program files\Real

2009-09-30 17:04 . 2009-09-30 17:04 17290 ----a-w- c:\program files\Common Files\leviw._sy

2009-09-16 11:49 . 2009-04-01 04:33 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-10 03:43 . 2009-04-02 02:46 -------- d-----w- c:\program files\Java

2009-09-10 03:41 . 2007-08-24 19:37 1744 ----a-w- c:\windows\system32\d3d9caps.dat

2009-09-08 14:12 . 2008-10-17 01:35 11552 ----a-w- c:\windows\system32\lmimirr2.dll

2009-09-08 14:12 . 2008-10-17 01:35 25248 ----a-w- c:\windows\system32\lmimirr.dll

2009-09-01 15:02 . 2006-01-20 21:08 -------- d-----w- c:\program files\ZipForm Desktop

2009-08-28 13:09 . 2008-04-30 17:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-08-28 13:09 . 2008-04-30 17:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-08-28 13:09 . 2008-04-30 17:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-25 10:23 . 2009-04-02 02:47 411368 ----a-w- c:\windows\system32\deploytk.dll

2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]

"S3apphk"="S3apphk.exe" - c:\windows\system32\S3apphk.exe [2002-02-01 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-08-28 13:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2009-10-01 14:11 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1935655697-1004336348-839522115-1129\Scripts\Logon\0\0]

"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1935655697-1004336348-839522115-1133\Scripts\Logon\0\0]

"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1935655697-1004336348-839522115-1138\Scripts\Logon\0\0]

"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1935655697-1004336348-839522115-1146\Scripts\Logon\0\0]

"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1935655697-1004336348-839522115-500\Scripts\Logon\0\0]

"Script"=login.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"Lavasoft Ad-Aware Service"=3 (0x3)

"avg8wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 trid3d;trid3d;c:\windows\system32\DRIVERS\trid3dm.sys [2001-08-17 222336]

R3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [x]

R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-28 297752]

R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-22 1028432]

R4 LMIRfsClientNP;LMIRfsClientNP; [x]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-23 64160]

S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-28 335240]

S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]

S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:45]

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job

- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-04-02 20:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/

mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html

uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\tbutcher\Application Data\Mozilla\Firefox\Profiles\qt33rb5n.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

---- FIREFOX POLICIES ----

FF - user.js: yahoo.homepage.dontask - true.

- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-05 15:57

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)

c:\windows\system32\LMIinit.dll

c:\windows\system32\wsock32.dll

c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2888)

c:\windows\system32\WININET.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\IEFRAME.dll

c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL

c:\windows\system32\mshtml.dll

c:\windows\system32\msls31.dll

c:\windows\IME\SPGRMR.DLL

c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG8\avgrsx.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LogMeIn\x86\ramaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\LogMeIn\x86\LMIGuardian.exe

.

**************************************************************************

.

Completion time: 2009-10-05 16:00 - machine was rebooted

ComboFix-quarantined-files.txt 2009-10-05 21:00

Pre-Run: 7,324,495,872 bytes free

Post-Run: 7,222,808,576 bytes free

270 --- E O F --- 2009-09-10 08:05


That log is looking pretty good.

I have attached a file to this message called CFScript.txt which will tell ComboFix how to remove some of the bad things I saw in your ComboFix log. Please save CFScript onto your desktop, and then download a fresh copy of ComboFix from the link below, and make sure to save it on your desktop as well. Once you have both CFScript and ComboFix saved to your desktop, hold down the left mouse button on top of the icon for CFScript, and drag it on top of the ComboFix icon, and then let go. This should start ComboFix again. Make sure, when it finishes, to attach the new log to a reply so that I can verify that it deleted what it was supposed to.

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

CFScript.txt

