Win32/Renos problem
Thread Solved
#11 Oct 18th, 2009
Windows Vista,
You think it's that bad huh?
I'm going to restart... I don't think that will make it worse. I will look for the recovery.
If not, do Safe Mode with Command Prompt.
Let me know.
Might not be that bad - rather err on the side of caution.
#12 Oct 18th, 2009
Back on the original computer - Windows must have redone the registry key.
I will post the log. Note: I will be gone for 3+ hours; I have to catch the bus home, but I'll let you take a look for now.
ComboFix 09-10-17.01 - Shut Down 10/18/2009 17:39.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2814.1625 [GMT -5:00]
Running from: c:\users\Shut Down\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\win32k.sys
Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.
2009-10-18 22:49 . 2009-10-18 22:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-18 22:49 . 2009-10-18 22:55 -------- d-----w- c:\users\Shut Down\AppData\Local\temp
2009-10-18 21:26 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 21:26 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-16 21:51 . 2009-10-16 21:51 -------- d-----w- c:\users\Shut Down\AppData\Local\Apple Computer
2009-10-16 20:06 . 2009-10-16 20:07 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-16 14:40 . 2009-10-16 14:40 -------- d-----w- c:\users\Shut Down\AppData\Local\Adobe
2009-10-16 03:56 . 2009-10-16 03:56 -------- d-----w- c:\program files\Trend Micro
2009-10-15 22:11 . 2009-10-15 22:11 -------- d-----w- C:\VundoFix Backups
2009-10-15 20:17 . 2009-10-15 20:17 -------- d-----w- c:\users\Shut Down\AppData\Roaming\Malwarebytes
2009-10-15 20:17 . 2009-10-15 20:17 -------- d-----w- c:\programdata\Malwarebytes
2009-10-15 14:20 . 2009-07-11 19:32 502272 ----a-w- c:\windows\system32\wlansvc.dll
2009-10-15 14:20 . 2009-07-11 19:32 297984 ----a-w- c:\windows\system32\wlansec.dll
2009-10-15 14:20 . 2009-07-11 19:32 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2009-10-15 14:20 . 2009-07-11 19:32 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-10-15 14:20 . 2009-07-11 19:32 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-10-15 14:15 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-15 14:15 . 2009-09-14 09:50 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 21:57 . 2009-10-14 21:57 -------- d-----w- c:\users\Shut Down\AppData\Roaming\ShurikSoft
2009-10-07 02:09 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-05 19:06 . 2009-10-05 19:06 -------- d-----w- c:\users\Shut Down\.netbeans-derby
2009-10-05 18:50 . 2009-10-05 19:06 -------- d-----w- c:\users\Shut Down\.netbeans
2009-10-05 18:50 . 2009-10-05 18:50 -------- d-----w- c:\users\Shut Down\.netbeans-registration
2009-10-05 18:47 . 2009-10-05 18:50 -------- d-----w- c:\program files\NetBeans 6.7.1
2009-10-05 18:46 . 2009-10-05 18:46 -------- d-----w- c:\program files\Sun
2009-10-05 18:43 . 2009-10-05 19:05 -------- d-----w- c:\users\Shut Down\.nbi
2009-10-02 14:35 . 2009-10-02 14:35 -------- d-----w- C:\System32
2009-09-23 14:26 . 2009-09-23 14:26 -------- d-----w- c:\users\Shut Down\AppData\Roaming\MathWorks
2009-09-23 13:09 . 2009-09-23 13:09 -------- d-----w- c:\program files\MATLAB
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 22:54 . 2009-08-04 02:02 -------- d-----w- c:\users\Shut Down\AppData\Roaming\WTablet
2009-10-18 22:45 . 2009-10-16 14:00 5012 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-16 21:54 . 2009-04-19 20:09 -------- d-----w- c:\users\Shut Down\AppData\Roaming\uTorrent
2009-10-16 03:36 . 2009-04-15 15:27 28219 ----a-w- c:\programdata\nvModes.dat
2009-10-15 17:31 . 2009-01-22 02:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-15 14:21 . 2007-07-25 10:52 -------- d-----w- c:\program files\Microsoft Works
2009-10-05 18:46 . 2009-02-14 17:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-05 18:44 . 2008-09-08 15:48 -------- d-----w- c:\program files\Java
2009-09-13 19:50 . 2009-09-13 19:36 -------- d-----w- c:\program files\Winamp
2009-09-13 19:42 . 2009-09-13 19:36 -------- d-----w- c:\users\Shut Down\AppData\Roaming\Winamp
2009-09-13 19:36 . 2009-09-13 19:36 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-09-10 17:38 . 2009-10-15 14:16 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 18:13 . 2009-09-04 17:56 -------- d-----w- c:\users\Shut Down\AppData\Roaming\Apple Computer
2009-09-04 18:02 . 2009-07-11 23:33 -------- d-----w- c:\programdata\Apple
2009-09-04 17:56 . 2009-09-04 17:55 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-09-04 17:56 . 2009-09-04 17:55 -------- d-----w- c:\program files\iTunes
2009-09-04 17:55 . 2009-09-04 17:55 -------- d-----w- c:\program files\iPod
2009-09-04 17:55 . 2009-09-04 17:50 -------- d-----w- c:\program files\Common Files\Apple
2009-09-04 17:55 . 2009-09-04 17:54 -------- d-----w- c:\programdata\Apple Computer
2009-09-04 17:55 . 2008-09-26 20:18 -------- d-----w- c:\program files\Bonjour
2009-09-04 17:54 . 2009-09-04 17:54 -------- d-----w- c:\program files\QuickTime
2009-09-04 17:08 . 2007-07-25 09:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-04 12:38 . 2009-10-15 14:16 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-27 05:22 . 2009-10-15 14:16 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-15 14:16 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-15 14:16 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-15 14:16 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-20 18:52 . 2007-07-25 10:51 -------- d-----w- c:\programdata\Microsoft Help
2009-08-14 17:16 . 2009-10-15 14:19 213592 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-14 16:42 . 2009-10-15 14:19 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-14 16:40 . 2009-10-15 14:19 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-10-15 14:19 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-10-15 14:19 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-10-15 14:19 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-10-15 14:19 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-10-15 14:19 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-10-15 14:19 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-10-15 14:19 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25 . 2009-10-15 14:19 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:24 . 2009-10-15 14:19 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 14:23 . 2009-10-15 14:19 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-08-05 14:28 . 2009-10-15 14:16 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-05 14:28 . 2009-10-15 14:16 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-07-25 1006264]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-07-06 4669440]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{93095D21-614D-4009-B519-EFD2A48F45DF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{32945355-CDBE-48E8-AA99-E3234C3E3E07}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2012C426-15D5-42E4-B7E6-9867FCC0CF72}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{57DCD897-BBC0-409A-8FCA-734AE6493D01}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6820B606-3582-44E1-96FD-7274435375D7}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{E594D10B-8FF4-49DB-9301-B3AC8D731B6F}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{2A0BE52A-EA5E-4CD9-9FDB-FCE94E83607A}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{68A48BC2-27E2-4277-9137-A83475FF1CFF}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{C2C235E9-1EFA-47DF-BB6F-F3A1C7C11F33}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{CBE51243-1651-4AEB-8432-2C07B7940E06}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{6B627D64-3350-4753-A7B3-F92EFE1FB77A}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{9C61FBF8-F7BF-4913-A035-9289699F76A6}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{A0D1B84E-A850-4A27-A250-94BC73F8DF90}"= Disabled:UDP:3703:Adobe Version Cue CS3 Server
"{8B8AAFDA-84F0-491F-83FC-0D99F1538AB1}"= Disabled:UDP:3704:Adobe Version Cue CS3 Server
"{BA395114-75BF-4270-B9B3-DD6508ECC3B5}"= Disabled:UDP:50900:Adobe Version Cue CS3 Server
"{FEFFABE1-EEA8-40E2-9B62-E818E943C387}"= Disabled:UDP:50901:Adobe Version Cue CS3 Server
"{810E8928-2BF0-462F-B034-F5DCEBC8C1DF}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{76A9EFA4-B071-4060-9F6C-C5ED06400CD8}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{D2DE94A2-7BF8-4885-B5D3-706EF6174D40}"= Disabled:TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{85206577-A704-4277-B5E4-D654D0942966}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4C43A002-0491-449F-BAB5-6FE30887E9B9}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{09AA8728-8EEA-4A01-B15A-C4051D22DF99}d:\\warcraft iii\\war3.exe"= UDP:d:\warcraft iii\war3.exe:Warcraft III
"UDP Query User{77038A57-2927-4A14-918F-024713D98C95}d:\\warcraft iii\\war3.exe"= TCP:d:\warcraft iii\war3.exe:Warcraft III
"{85BED648-DFCF-44FB-9873-F5943FCDC1D8}"= Disabled:UDP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{29722E8D-08D6-433B-8D7E-689A3A0FF62E}"= Disabled:TCP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{8E176E1E-A8E8-409C-8456-DFD3C2A92658}c:\\program files\\steam\\steamapps\\greendischarge\\counter-strike source\\hl2.exe"= Disabled:UDP:c:\program files\steam\steamapps\greendischarge\counter-strike source\hl2.exe:hl2
"UDP Query User{47E73A6C-4C36-4239-823D-B9C1A05E9D38}c:\\program files\\steam\\steamapps\\greendischarge\\counter-strike source\\hl2.exe"= Disabled:TCP:c:\program files\steam\steamapps\greendischarge\counter-strike source\hl2.exe:hl2
"TCP Query User{E8B4854C-517D-440A-B3B9-71AE1BCC30D2}c:\\program files\\limewire\\limewire.exe"= Disabled:UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{E3BBFCBE-4805-4C84-9445-F29EADAFB268}c:\\program files\\limewire\\limewire.exe"= Disabled:TCP:c:\program files\limewire\limewire.exe:LimeWire
"{212AADD8-DF97-46D5-A230-78002FA22ABC}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{085099D8-497C-4BEF-A201-0E90AABC5101}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{01C6EB4C-73D9-479D-9DC8-E70E4B65BEE0}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{23FFD0A1-9925-4F2E-BF0C-F19CB9ACAA39}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{61F2C8B2-8893-4814-B2EE-3B95473E8B62}"= UDP:45801:45801
"TCP Query User{922750AE-B83C-4A19-8784-72E0884CFDE2}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{192DCF4D-2017-409D-9699-03CD82DD37E4}c:\\program files\\frostwire\\frostwire.exe"= TCP:c:\program files\frostwire\frostwire.exe:FrostWire
"TCP Query User{C1A95237-760F-47DC-97EB-0F16D87CE8AF}d:\\warcraft iii\\warcraft iii\\war3.exe"= UDP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"UDP Query User{157DF432-D276-4469-AD48-10807B6F18FD}d:\\warcraft iii\\warcraft iii\\war3.exe"= TCP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"{28F3E2C9-FC90-4C01-93AA-1EB47A8E3EC5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{795DCCA7-856E-410A-8B69-993DA75820DB}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{DD233514-BBDB-4965-A152-BB1F068A5CD4}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{5A70D5F9-3A21-45F7-BAEC-D34A524A58CF}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{93489AD0-6E4F-448E-AA3B-656CFDC43A97}d:\\warcraft iii\\warcraft iii\\war3.exe"= UDP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"UDP Query User{EC941744-FFCC-4EF6-B0F1-75A17BB0EB0F}d:\\warcraft iii\\warcraft iii\\war3.exe"= TCP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"TCP Query User{7181B5C3-5DA9-4DE8-B20A-A9F9E46A302B}c:\\program files\\pfportchecker\\pfportchecker.exe"= UDP:c:\program files\pfportchecker\pfportchecker.exe:PFPortchecker by portforward.com helps check if your ports are properly forwarded.
"UDP Query User{4D037F4C-2D8B-4DBE-8639-62E2494B4F14}c:\\program files\\pfportchecker\\pfportchecker.exe"= TCP:c:\program files\pfportchecker\pfportchecker.exe:PFPortchecker by portforward.com helps check if your ports are properly forwarded.
"{AFFB0E5E-121B-4BA3-B05F-B5D95B294506}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E77C25CB-4018-4EC3-BA51-89E567C24E2D}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{CCD2B10A-F863-4298-89AD-F6699DA20525}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{111BB54A-854D-40D9-A318-9CBF53A1C882}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:Enabled:decryption
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [7/25/2007 4:08 AM 32256]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 4:47 PM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/28/2006 6:34 AM 122008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder
2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{BA3B951F-D62A-4F73-9D82-2953102A0E25}.job
- c:\windows\system32\msfeedssync.exe [2009-10-15 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: newgrounds.com\www
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\users\Shut Down\AppData\Roaming\Mozilla\Firefox\Profiles\p7nt5br5.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-eRecoveryService - (no file)
HKU-Default-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - d:\program files\Analyze\Yeah\unins000.exe
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\Tablet.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\WTablet\TabUserW.exe
c:\windows\System32\Tablet.exe
c:\combo-fix\CF10052.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\program files\Common Files\microsoft shared\ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2009-10-18 17:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 22:58
Pre-Run: 23,647,526,912 bytes free
Post-Run: 23,242,571,776 bytes free
287 --- E O F --- 2009-10-15 14:25
backupExtension=.CommonStartup
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{93095D21-614D-4009-B519-EFD2A48F45DF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{32945355-CDBE-48E8-AA99-E3234C3E3E07}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2012C426-15D5-42E4-B7E6-9867FCC0CF72}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{57DCD897-BBC0-409A-8FCA-734AE6493D01}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6820B606-3582-44E1-96FD-7274435375D7}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{E594D10B-8FF4-49DB-9301-B3AC8D731B6F}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{2A0BE52A-EA5E-4CD9-9FDB-FCE94E83607A}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{68A48BC2-27E2-4277-9137-A83475FF1CFF}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{C2C235E9-1EFA-47DF-BB6F-F3A1C7C11F33}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{CBE51243-1651-4AEB-8432-2C07B7940E06}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{6B627D64-3350-4753-A7B3-F92EFE1FB77A}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{9C61FBF8-F7BF-4913-A035-9289699F76A6}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{A0D1B84E-A850-4A27-A250-94BC73F8DF90}"= Disabled:UDP:3703:Adobe Version Cue CS3 Server
"{8B8AAFDA-84F0-491F-83FC-0D99F1538AB1}"= Disabled:UDP:3704:Adobe Version Cue CS3 Server
"{BA395114-75BF-4270-B9B3-DD6508ECC3B5}"= Disabled:UDP:50900:Adobe Version Cue CS3 Server
"{FEFFABE1-EEA8-40E2-9B62-E818E943C387}"= Disabled:UDP:50901:Adobe Version Cue CS3 Server
"{810E8928-2BF0-462F-B034-F5DCEBC8C1DF}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{76A9EFA4-B071-4060-9F6C-C5ED06400CD8}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{D2DE94A2-7BF8-4885-B5D3-706EF6174D40}"= Disabled:TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{85206577-A704-4277-B5E4-D654D0942966}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4C43A002-0491-449F-BAB5-6FE30887E9B9}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{09AA8728-8EEA-4A01-B15A-C4051D22DF99}d:\\warcraft iii\\war3.exe"= UDP:d:\warcraft iii\war3.exe:Warcraft III
"UDP Query User{77038A57-2927-4A14-918F-024713D98C95}d:\\warcraft iii\\war3.exe"= TCP:d:\warcraft iii\war3.exe:Warcraft III
"{85BED648-DFCF-44FB-9873-F5943FCDC1D8}"= Disabled:UDP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{29722E8D-08D6-433B-8D7E-689A3A0FF62E}"= Disabled:TCP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{8E176E1E-A8E8-409C-8456-DFD3C2A92658}c:\\program files\\steam\\steamapps\\greendischarge\\counter-strike source\\hl2.exe"= Disabled:UDP:c:\program files\steam\steamapps\greendischarge\counter-strike source\hl2.exe:hl2
"UDP Query User{47E73A6C-4C36-4239-823D-B9C1A05E9D38}c:\\program files\\steam\\steamapps\\greendischarge\\counter-strike source\\hl2.exe"= Disabled:TCP:c:\program files\steam\steamapps\greendischarge\counter-strike source\hl2.exe:hl2
"TCP Query User{E8B4854C-517D-440A-B3B9-71AE1BCC30D2}c:\\program files\\limewire\\limewire.exe"= Disabled:UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{E3BBFCBE-4805-4C84-9445-F29EADAFB268}c:\\program files\\limewire\\limewire.exe"= Disabled:TCP:c:\program files\limewire\limewire.exe:LimeWire
"{212AADD8-DF97-46D5-A230-78002FA22ABC}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{085099D8-497C-4BEF-A201-0E90AABC5101}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{01C6EB4C-73D9-479D-9DC8-E70E4B65BEE0}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{23FFD0A1-9925-4F2E-BF0C-F19CB9ACAA39}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{61F2C8B2-8893-4814-B2EE-3B95473E8B62}"= UDP:45801:45801
"TCP Query User{922750AE-B83C-4A19-8784-72E0884CFDE2}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{192DCF4D-2017-409D-9699-03CD82DD37E4}c:\\program files\\frostwire\\frostwire.exe"= TCP:c:\program files\frostwire\frostwire.exe:FrostWire
"TCP Query User{C1A95237-760F-47DC-97EB-0F16D87CE8AF}d:\\warcraft iii\\warcraft iii\\war3.exe"= UDP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"UDP Query User{157DF432-D276-4469-AD48-10807B6F18FD}d:\\warcraft iii\\warcraft iii\\war3.exe"= TCP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"{28F3E2C9-FC90-4C01-93AA-1EB47A8E3EC5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{795DCCA7-856E-410A-8B69-993DA75820DB}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{DD233514-BBDB-4965-A152-BB1F068A5CD4}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{5A70D5F9-3A21-45F7-BAEC-D34A524A58CF}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{93489AD0-6E4F-448E-AA3B-656CFDC43A97}d:\\warcraft iii\\warcraft iii\\war3.exe"= UDP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"UDP Query User{EC941744-FFCC-4EF6-B0F1-75A17BB0EB0F}d:\\warcraft iii\\warcraft iii\\war3.exe"= TCP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"TCP Query User{7181B5C3-5DA9-4DE8-B20A-A9F9E46A302B}c:\\program files\\pfportchecker\\pfportchecker.exe"= UDP:c:\program files\pfportchecker\pfportchecker.exe:PFPortchecker by portforward.com helps check if your ports are properly forwarded.
"UDP Query User{4D037F4C-2D8B-4DBE-8639-62E2494B4F14}c:\\program files\\pfportchecker\\pfportchecker.exe"= TCP:c:\program files\pfportchecker\pfportchecker.exe:PFPortchecker by portforward.com helps check if your ports are properly forwarded.
"{AFFB0E5E-121B-4BA3-B05F-B5D95B294506}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E77C25CB-4018-4EC3-BA51-89E567C24E2D}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{CCD2B10A-F863-4298-89AD-F6699DA20525}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{111BB54A-854D-40D9-A318-9CBF53A1C882}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:Enabled:decryption
R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [7/25/2007 4:08 AM 32256]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 4:47 PM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/28/2006 6:34 AM 122008]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder
2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{BA3B951F-D62A-4F73-9D82-2953102A0E25}.job
- c:\windows\system32\msfeedssync.exe [2009-10-15 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: newgrounds.com\www
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\users\Shut Down\AppData\Roaming\Mozilla\Firefox\Profiles\p7nt5br5.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-eRecoveryService - (no file)
HKU-Default-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - d:\program files\Analyze\Yeah\unins000.exe
**************************************************************************
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files:
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\Tablet.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\WTablet\TabUserW.exe
c:\windows\System32\Tablet.exe
c:\combo-fix\CF10052.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\program files\Common Files\microsoft shared\ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2009-10-18 17:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 22:58
Pre-Run: 23,647,526,912 bytes free
Post-Run: 23,242,571,776 bytes free
287 --- E O F --- 2009-10-15 14:25
0
#13 Oct 18th, 2009
Back on original computer - windows must have redid the key registry.
I will post the log, note: I will be gone for 3+hours I have to catch the bus home, but I'll let you take a look for now.
I didn't think it would be too bad given all that you did prior to combofix. Looks like it replaced the infected file - hopefully you can run programs now.
I'll have a closer look and get back to you.
PP
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP
0
#14 Oct 18th, 2009
Well . . . things don't look too bad outside of all the P2P stuff. You are playing with serious fire there. A lot of forums won't help you unless those are removed.....
-- What is this folder?: C:\System32
-- Some forum volunteers would likely wipe this registry key:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
I'll leave that up to you - My feeling is that "people are going to do what they are going to do" . . .LOL.
I will say that you dodged a very big bullet - malware purveyors are really starting to take advantage of P2P stuff. I've seen a lot of borked machines.
Well. . . That's the extent of my lecture.
PP
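As an added triage example for the point PP raises about the FirewallRules key (this is not code from the thread, from PP, or from ComboFix): a small Python parser for the FirewallRules block of a ComboFix log like the one posted above. It lists the rules that point at peer-to-peer clients, counts the "TCP Query User"/"UDP Query User" rules that Windows Firewall writes when a user answers its unblock prompt, and reports any profile whose firewall is switched off, which is what the "EnableFirewall"= 0 line under PublicProfile in the log shows. The list of P2P executables is an assumption for the example; the sample lines are copied from the log above.

```python
"""Triage helper for the firewall-rule section of a ComboFix log.

Added example for this thread; it is not part of ComboFix. It reads the
FirewallRules key block and the per-profile EnableFirewall values from the
log text and reports what a helper would look at first: rules for
peer-to-peer clients, rules created by answering the Windows Firewall
prompt ("Query User" rules), and profiles with the firewall switched off.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Executables treated as P2P clients: an assumed list for this example.
P2P_BINARIES = {"limewire.exe", "frostwire.exe", "utorrent.exe"}

# Every rule line has the shape  "NAME"= [Disabled:]PROTO:target[:description]
RULE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<body>.+)$')
# target is either  [port|]drive:\path\to\program.exe  ...
PATH_RE = re.compile(
    r'^(?:(?P<port>\d+)\|)?(?P<path>[A-Za-z]:\\[^:]*?\.exe)(?::(?P<desc>.*))?$',
    re.IGNORECASE,
)
# ... or a bare port number.
PORT_RE = re.compile(r'^(?P<port>\d+)(?::(?P<desc>.*))?$')


@dataclass
class FirewallRule:
    name: str
    enabled: bool
    protocol: str
    path: Optional[str]        # executable the rule applies to, if any
    port: Optional[str]        # port the rule applies to, if any
    description: Optional[str]

    @property
    def executable(self) -> Optional[str]:
        """Lower-cased file name of the rule's program, e.g. 'limewire.exe'."""
        return self.path.lower().rsplit("\\", 1)[-1] if self.path else None


def parse_rule(line: str) -> Optional[FirewallRule]:
    """Parse one FirewallRules line; return None for lines that are not rules."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    enabled = not body.startswith("Disabled:")
    if not enabled:
        body = body[len("Disabled:"):]
    proto, _, target = body.partition(":")
    if proto not in ("TCP", "UDP") or not target:
        return None
    pm = PATH_RE.match(target) or PORT_RE.match(target)
    if not pm:
        return None
    groups = pm.groupdict()
    return FirewallRule(
        name=m.group("name"),
        enabled=enabled,
        protocol=proto,
        path=groups.get("path"),
        port=groups.get("port"),
        description=groups.get("desc"),
    )


def triage(log_text: str) -> Dict[str, list]:
    """Walk the registry-style sections of a ComboFix log and collect findings."""
    current_key = ""
    rules: List[FirewallRule] = []
    disabled_profiles: List[str] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new registry key header
            continue
        if current_key.endswith("\\firewallpolicy\\FirewallRules"):
            rule = parse_rule(line)
            if rule:
                rules.append(rule)
        elif current_key.lower().endswith("profile") and line.startswith('"EnableFirewall"= 0'):
            disabled_profiles.append(current_key.rsplit("\\", 1)[-1])
    return {
        "rules": rules,
        "p2p_rules": [r for r in rules if r.executable in P2P_BINARIES],
        "prompted_rules": [r for r in rules if "Query User" in r.name],
        "firewall_disabled_profiles": disabled_profiles,
    }


# Sample input: lines copied from the log posted above.
SAMPLE_LOG = r'''
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{93095D21-614D-4009-B519-EFD2A48F45DF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{6B627D64-3350-4753-A7B3-F92EFE1FB77A}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"{A0D1B84E-A850-4A27-A250-94BC73F8DF90}"= Disabled:UDP:3703:Adobe Version Cue CS3 Server
"{D2DE94A2-7BF8-4885-B5D3-706EF6174D40}"= Disabled:TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{28F3E2C9-FC90-4C01-93AA-1EB47A8E3EC5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"TCP Query User{E8B4854C-517D-440A-B3B9-71AE1BCC30D2}c:\\program files\\limewire\\limewire.exe"= Disabled:UDP:c:\program files\limewire\limewire.exe:LimeWire
"{61F2C8B2-8893-4814-B2EE-3B95473E8B62}"= UDP:45801:45801
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
'''

if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for rule in findings["p2p_rules"]:
        state = "enabled" if rule.enabled else "disabled"
        print(f"P2P rule ({state}, {rule.protocol}): {rule.path}")
    print(f"{len(findings['prompted_rules'])} rule(s) created from the firewall prompt")
    for profile in findings["firewall_disabled_profiles"]:
        print(f"Firewall is OFF for {profile}")
```

Run it against a saved ComboFix log by passing the file's text to triage(); a disabled rule for a P2P client is still worth noting, because the program is present even if it cannot currently accept inbound connections, and a profile with EnableFirewall set to 0 means none of the listed rules are being enforced for that network type.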
#15 Oct 19th, 2009
Thanks a lot, I still use uTorrent, limewire and those p2p's are all off my system, or so I thought... The virus came from negligent downloading of "cracked" software. Shame on me.
I'm careful with the torrents. If it's not an .mp3 file I won't download it... ehem.
Thanks for all you've done!
AND YES. It's gone! WOOO!
0
#16 Oct 19th, 2009
Views: 1013 | Replies: 15