Hello,

I recently (past 2 days) have become infected from a virus from an online "download" site.

I was looking for a program for my class at school and downloaded a program that apparently housed a virus.

Now the problem:
I can access any website by typing in the exact URL, and the website will work fine - however use of google, yahoo, or any search engine for that matter brings up irrelevant ads, i.e. searching "Hello" on google will bring up thousands of pages, yet if I click on any one of them, I will be redirected to irrelevant ad pages.

Nothing else seems to be crucially wrong except:

I have downloaded Hijackthis, MBAM, and have tried ETES online scanner, as well as several other virus and malicious software removal tools with all of them simply shutting off after about one minute of runtime, with the exception of windows defender - which will run a full scan completely and will find nothing.

After the first use of any virus scanner besides windows defender, the second use will come up with "Windows cannot open the specified path, you may not have privelage" - This has nothing to do with "Run as administrator" - I have tried that, and I am on the admin account of the computer.

Secondly - Windows defender has found Win32/Renos.(string) multpile times, and deleted it multiple times. When I realized it was not going away I found the path of it's origin and deleted "B.Exe", "A.Exe", "A.log" And one other program ... I can't remember.

Now the program appears to have stopped interfering with windows defender - I don't get "Trojan found" anymore, yet the ads and the problem with virus scanners still exist.

Note: I CANNOT GET A LOG as of right now. Hijackthis will not stay open long enough to finish a scan and create a log, nor will any others!

If you can help - Thanks.

Recommended Answers

All 15 Replies

Try this suggestion from the MBA-M forums;
If you already have MBAM installed on your computer.
Please navigate to the MBAM folder located in the Program Files directory.

Locate MBAM.exe and rename it to winlogon.exe

Once renamed double click on the file to open MBAM and select Full Scan.

At the end of the scan allow MBAM to remove what it had found then reboot.

Post the log here. If you cannot do this either then try running MBA-M in Safe Mode. It IS meant to be run in normal mode since it won't load all of it's drivers in safe mode but if all else fails then this would be the next best thing to try.
Of course have it remove all if you are able to run it in safe mode.
Then reboot to Normal mode and attempt to run another full scan with it. If it works then of course have it remove all it finds and reboot.
Rename HiJackThis to analyze.exe and run the system scan and save the log. Post back here with both logs.
Judy

Hey unfortunate news:
Booting in safe mode, and renaming the file both did nothing. Same problem:
I installed the program, renamed it, and I set all the permissions of the .dll's and the .exe to NOT be able to be read or written. Only "SYSTEM" could read the file, but still could not write it. I allowed however, all users and SYSTEM to execute the file, yet still:
After one use of the program (the program would last ~7 seconds and shut off) the MBAM or HJT icon would turn into a generic windows .exe icon, and trying to open the file a second time results in:
"D:\...\Winlogon.exe path was unable to be found or executed. You may not have enough permission to view the file." Or something along those lines.

So: No logs, no scans yet. Computer seems to be getting slower and slower. Also, now new problem: after a restard, the first bootup in normal mode usually encounters:
Windows has encountered a critical problem and will reboot in one minute, please save everything now.
This luckily only happens once, and the reboot I am fine.

Have asked PhilliePhan to take a look at his one and see what he thinks.

Let's try this:

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to your Desktop as that and follow the instructions in the linky very carefully to run it and then post the combofix log for me.
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Let us know how you fare.

PP :)

Hi, the combofix ran, and unfortunately I had my screensaver set to about 2minutes. The screensaver turned on, (all black) and i decided to press an arrow key to see what was happening with combofix.

All I saw was "Warning: do not attempt to reboot the computer manually"
After the computer rebooted itself, it was a black screen for >2minutes, I CTRL+ALT+DELETED and log offed, logged back on.

Combofix gave me a log report and said it had deleted an infected file "C:\...syskey?" or maybe it was "32key"

But new problem: No programs will open, the error is new, and it states "Illegal operation attempted on a registry key that has been marked for deletion"
This happens when I try to open ANY file or ANY program.
Note: I cannot access the internet, or any program. I cannot load anything from a thumbdrive either...
I am wondering if I should attempt to reboot the system, or if that will be fatal...

EDIT Combofix had started, and after a few seconds - not even scanning had begun - Combofix had stated "Rootkit activity was detected on your computer, automatic restart in 5 seconds" or something.

Thats it for editing.

Thanks.

Well . . . That puts a wrinkle in things.

-- Did you install the recovery console?

It really does - and yes I apparently had it previously - it didn't ask to download it. ... Do you think I should restart?

It really does - and yes I apparently had it previously - it didn't ask to download it. ... Do you think I should restart?

-- What OS?
-- Do you have your Windows OS disk?

-- You should know if recovery console is installed because it will give you that option on reboot. Have you seen that option?

Windows vista,
You think it's that bad huh?
I'm going to restart... I don't think that will make it worse. I will look for the recovery.

Windows vista,
You think it's that bad huh?
I'm going to restart... I don't think that will make it worse. I will look for the recovery.

Tap F8 on reboot and see if Recovery Console is option. If so, choose it and let me know.
If not, do Safe Mode with Command Prompt.

Let me know.

Might not be that bad - rather err on the side of caution.

Back on original computer - windows must have redid the key registry.
I will post the log, note: I will be gone for 3+hours I have to catch the bus home, but I'll let you take a look for now.
ComboFix 09-10-17.01 - Shut Down 10/18/2009 17:39.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.1.1033.18.2814.1625 [GMT -5:00]
Running from: c:\users\Shut Down\Desktop\Combo-Fix.exe
AV: Norton Internet Security *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: Norton Internet Security *enabled* (Outdated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\win32k.sys

Infected copy of c:\windows\system32\cngaudit.dll was found and disinfected
Restored copy from - c:\windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.0.6000.16386_none_e62d292932a96ce6\cngaudit.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}


((((((((((((((((((((((((( Files Created from 2009-09-18 to 2009-10-18 )))))))))))))))))))))))))))))))
.

2009-10-18 22:49 . 2009-10-18 22:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-10-18 22:49 . 2009-10-18 22:55 -------- d-----w- c:\users\Shut Down\AppData\Local\temp
2009-10-18 21:26 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 21:26 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-16 21:51 . 2009-10-16 21:51 -------- d-----w- c:\users\Shut Down\AppData\Local\Apple Computer
2009-10-16 20:06 . 2009-10-16 20:07 160272 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-10-16 14:40 . 2009-10-16 14:40 -------- d-----w- c:\users\Shut Down\AppData\Local\Adobe
2009-10-16 03:56 . 2009-10-16 03:56 -------- d-----w- c:\program files\Trend Micro
2009-10-15 22:11 . 2009-10-15 22:11 -------- d-----w- C:\VundoFix Backups
2009-10-15 20:17 . 2009-10-15 20:17 -------- d-----w- c:\users\Shut Down\AppData\Roaming\Malwarebytes
2009-10-15 20:17 . 2009-10-15 20:17 -------- d-----w- c:\programdata\Malwarebytes
2009-10-15 14:20 . 2009-07-11 19:32 502272 ----a-w- c:\windows\system32\wlansvc.dll
2009-10-15 14:20 . 2009-07-11 19:32 297984 ----a-w- c:\windows\system32\wlansec.dll
2009-10-15 14:20 . 2009-07-11 19:32 290816 ----a-w- c:\windows\system32\wlanmsm.dll
2009-10-15 14:20 . 2009-07-11 19:32 67584 ----a-w- c:\windows\system32\wlanhlp.dll
2009-10-15 14:20 . 2009-07-11 19:32 47104 ----a-w- c:\windows\system32\wlanapi.dll
2009-10-15 14:15 . 2009-04-02 11:50 604672 ----a-w- c:\windows\system32\WMSPDMOD.DLL
2009-10-15 14:15 . 2009-09-14 09:50 130048 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-10-14 21:57 . 2009-10-14 21:57 -------- d-----w- c:\users\Shut Down\AppData\Roaming\ShurikSoft
2009-10-07 02:09 . 2009-10-01 15:29 195440 ------w- c:\windows\system32\MpSigStub.exe
2009-10-05 19:06 . 2009-10-05 19:06 -------- d-----w- c:\users\Shut Down\.netbeans-derby
2009-10-05 18:50 . 2009-10-05 19:06 -------- d-----w- c:\users\Shut Down\.netbeans
2009-10-05 18:50 . 2009-10-05 18:50 -------- d-----w- c:\users\Shut Down\.netbeans-registration
2009-10-05 18:47 . 2009-10-05 18:50 -------- d-----w- c:\program files\NetBeans 6.7.1
2009-10-05 18:46 . 2009-10-05 18:46 -------- d-----w- c:\program files\Sun
2009-10-05 18:43 . 2009-10-05 19:05 -------- d-----w- c:\users\Shut Down\.nbi
2009-10-02 14:35 . 2009-10-02 14:35 -------- d-----w- C:\System32
2009-09-23 14:26 . 2009-09-23 14:26 -------- d-----w- c:\users\Shut Down\AppData\Roaming\MathWorks
2009-09-23 13:09 . 2009-09-23 13:09 -------- d-----w- c:\program files\MATLAB

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-18 22:54 . 2009-08-04 02:02 -------- d-----w- c:\users\Shut Down\AppData\Roaming\WTablet
2009-10-18 22:45 . 2009-10-16 14:00 5012 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-10-16 21:54 . 2009-04-19 20:09 -------- d-----w- c:\users\Shut Down\AppData\Roaming\uTorrent
2009-10-16 03:36 . 2009-04-15 15:27 28219 ----a-w- c:\programdata\nvModes.dat
2009-10-15 17:31 . 2009-01-22 02:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-10-15 14:21 . 2007-07-25 10:52 -------- d-----w- c:\program files\Microsoft Works
2009-10-05 18:46 . 2009-02-14 17:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-05 18:44 . 2008-09-08 15:48 -------- d-----w- c:\program files\Java
2009-09-13 19:50 . 2009-09-13 19:36 -------- d-----w- c:\program files\Winamp
2009-09-13 19:42 . 2009-09-13 19:36 -------- d-----w- c:\users\Shut Down\AppData\Roaming\Winamp
2009-09-13 19:36 . 2009-09-13 19:36 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2009-09-10 17:38 . 2009-10-15 14:16 216576 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 18:13 . 2009-09-04 17:56 -------- d-----w- c:\users\Shut Down\AppData\Roaming\Apple Computer
2009-09-04 18:02 . 2009-07-11 23:33 -------- d-----w- c:\programdata\Apple
2009-09-04 17:56 . 2009-09-04 17:55 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-09-04 17:56 . 2009-09-04 17:55 -------- d-----w- c:\program files\iTunes
2009-09-04 17:55 . 2009-09-04 17:55 -------- d-----w- c:\program files\iPod
2009-09-04 17:55 . 2009-09-04 17:50 -------- d-----w- c:\program files\Common Files\Apple
2009-09-04 17:55 . 2009-09-04 17:54 -------- d-----w- c:\programdata\Apple Computer
2009-09-04 17:55 . 2008-09-26 20:18 -------- d-----w- c:\program files\Bonjour
2009-09-04 17:54 . 2009-09-04 17:54 -------- d-----w- c:\program files\QuickTime
2009-09-04 17:08 . 2007-07-25 09:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-09-04 12:38 . 2009-10-15 14:16 60928 ----a-w- c:\windows\system32\msasn1.dll
2009-08-27 05:22 . 2009-10-15 14:16 916480 ----a-w- c:\windows\system32\wininet.dll
2009-08-27 05:17 . 2009-10-15 14:16 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-08-27 05:17 . 2009-10-15 14:16 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-08-27 03:42 . 2009-10-15 14:16 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-08-20 18:52 . 2007-07-25 10:51 -------- d-----w- c:\programdata\Microsoft Help
2009-08-14 17:16 . 2009-10-15 14:19 213592 ----a-w- c:\windows\system32\drivers\netio.sys
2009-08-14 16:42 . 2009-10-15 14:19 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2009-08-14 16:40 . 2009-10-15 14:19 103936 ----a-w- c:\windows\system32\netiohlp.dll
2009-08-14 16:40 . 2009-10-15 14:19 15360 ----a-w- c:\windows\system32\netevent.dll
2009-08-14 14:25 . 2009-10-15 14:19 9728 ----a-w- c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:25 . 2009-10-15 14:19 17920 ----a-w- c:\windows\system32\ROUTE.EXE
2009-08-14 14:25 . 2009-10-15 14:19 11264 ----a-w- c:\windows\system32\MRINFO.EXE
2009-08-14 14:25 . 2009-10-15 14:19 27136 ----a-w- c:\windows\system32\NETSTAT.EXE
2009-08-14 14:25 . 2009-10-15 14:19 8704 ----a-w- c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:25 . 2009-10-15 14:19 19968 ----a-w- c:\windows\system32\ARP.EXE
2009-08-14 14:25 . 2009-10-15 14:19 10240 ----a-w- c:\windows\system32\finger.exe
2009-08-14 14:24 . 2009-10-15 14:19 813568 ----a-w- c:\windows\system32\drivers\tcpip.sys
2009-08-14 14:23 . 2009-10-15 14:19 22016 ----a-w- c:\windows\system32\netiougc.exe
2009-08-05 14:28 . 2009-10-15 14:16 3502152 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-08-05 14:28 . 2009-10-15 14:16 3467864 ----a-w- c:\windows\system32\ntoskrnl.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2007-07-25 1006264]
"Acer Product Registration"="c:\program files\Acer Registration\ACE1.exe" [2007-02-02 3383296]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-06-06 159744]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdSync.exe" [2006-11-02 215552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-05 149280]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-07-06 4669440]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{93095D21-614D-4009-B519-EFD2A48F45DF}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{32945355-CDBE-48E8-AA99-E3234C3E3E07}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2012C426-15D5-42E4-B7E6-9867FCC0CF72}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{57DCD897-BBC0-409A-8FCA-734AE6493D01}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{6820B606-3582-44E1-96FD-7274435375D7}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{E594D10B-8FF4-49DB-9301-B3AC8D731B6F}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{2A0BE52A-EA5E-4CD9-9FDB-FCE94E83607A}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{68A48BC2-27E2-4277-9137-A83475FF1CFF}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{C2C235E9-1EFA-47DF-BB6F-F3A1C7C11F33}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{CBE51243-1651-4AEB-8432-2C07B7940E06}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{6B627D64-3350-4753-A7B3-F92EFE1FB77A}c:\\program files\\limewire\\limewire.exe"= UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{9C61FBF8-F7BF-4913-A035-9289699F76A6}c:\\program files\\limewire\\limewire.exe"= TCP:c:\program files\limewire\limewire.exe:LimeWire
"{A0D1B84E-A850-4A27-A250-94BC73F8DF90}"= Disabled:UDP:3703:Adobe Version Cue CS3 Server
"{8B8AAFDA-84F0-491F-83FC-0D99F1538AB1}"= Disabled:UDP:3704:Adobe Version Cue CS3 Server
"{BA395114-75BF-4270-B9B3-DD6508ECC3B5}"= Disabled:UDP:50900:Adobe Version Cue CS3 Server
"{FEFFABE1-EEA8-40E2-9B62-E818E943C387}"= Disabled:UDP:50901:Adobe Version Cue CS3 Server
"{810E8928-2BF0-462F-B034-F5DCEBC8C1DF}"= UDP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{76A9EFA4-B071-4060-9F6C-C5ED06400CD8}"= TCP:c:\program files\Ventrilo\Ventrilo.exe:Ventrilo.exe
"{D2DE94A2-7BF8-4885-B5D3-706EF6174D40}"= Disabled:TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{85206577-A704-4277-B5E4-D654D0942966}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4C43A002-0491-449F-BAB5-6FE30887E9B9}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{09AA8728-8EEA-4A01-B15A-C4051D22DF99}d:\\warcraft iii\\war3.exe"= UDP:d:\warcraft iii\war3.exe:Warcraft III
"UDP Query User{77038A57-2927-4A14-918F-024713D98C95}d:\\warcraft iii\\war3.exe"= TCP:d:\warcraft iii\war3.exe:Warcraft III
"{85BED648-DFCF-44FB-9873-F5943FCDC1D8}"= Disabled:UDP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{29722E8D-08D6-433B-8D7E-689A3A0FF62E}"= Disabled:TCP:c:\program files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{8E176E1E-A8E8-409C-8456-DFD3C2A92658}c:\\program files\\steam\\steamapps\\greendischarge\\counter-strike source\\hl2.exe"= Disabled:UDP:c:\program files\steam\steamapps\greendischarge\counter-strike source\hl2.exe:hl2
"UDP Query User{47E73A6C-4C36-4239-823D-B9C1A05E9D38}c:\\program files\\steam\\steamapps\\greendischarge\\counter-strike source\\hl2.exe"= Disabled:TCP:c:\program files\steam\steamapps\greendischarge\counter-strike source\hl2.exe:hl2
"TCP Query User{E8B4854C-517D-440A-B3B9-71AE1BCC30D2}c:\\program files\\limewire\\limewire.exe"= Disabled:UDP:c:\program files\limewire\limewire.exe:LimeWire
"UDP Query User{E3BBFCBE-4805-4C84-9445-F29EADAFB268}c:\\program files\\limewire\\limewire.exe"= Disabled:TCP:c:\program files\limewire\limewire.exe:LimeWire
"{212AADD8-DF97-46D5-A230-78002FA22ABC}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{085099D8-497C-4BEF-A201-0E90AABC5101}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{01C6EB4C-73D9-479D-9DC8-E70E4B65BEE0}"= Disabled:UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{23FFD0A1-9925-4F2E-BF0C-F19CB9ACAA39}"= Disabled:TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{61F2C8B2-8893-4814-B2EE-3B95473E8B62}"= UDP:45801:45801
"TCP Query User{922750AE-B83C-4A19-8784-72E0884CFDE2}c:\\program files\\frostwire\\frostwire.exe"= UDP:c:\program files\frostwire\frostwire.exe:FrostWire
"UDP Query User{192DCF4D-2017-409D-9699-03CD82DD37E4}c:\\program files\\frostwire\\frostwire.exe"= TCP:c:\program files\frostwire\frostwire.exe:FrostWire
"TCP Query User{C1A95237-760F-47DC-97EB-0F16D87CE8AF}d:\\warcraft iii\\warcraft iii\\war3.exe"= UDP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"UDP Query User{157DF432-D276-4469-AD48-10807B6F18FD}d:\\warcraft iii\\warcraft iii\\war3.exe"= TCP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"{28F3E2C9-FC90-4C01-93AA-1EB47A8E3EC5}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{795DCCA7-856E-410A-8B69-993DA75820DB}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{DD233514-BBDB-4965-A152-BB1F068A5CD4}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{5A70D5F9-3A21-45F7-BAEC-D34A524A58CF}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"TCP Query User{93489AD0-6E4F-448E-AA3B-656CFDC43A97}d:\\warcraft iii\\warcraft iii\\war3.exe"= UDP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"UDP Query User{EC941744-FFCC-4EF6-B0F1-75A17BB0EB0F}d:\\warcraft iii\\warcraft iii\\war3.exe"= TCP:d:\warcraft iii\warcraft iii\war3.exe:Warcraft III
"TCP Query User{7181B5C3-5DA9-4DE8-B20A-A9F9E46A302B}c:\\program files\\pfportchecker\\pfportchecker.exe"= UDP:c:\program files\pfportchecker\pfportchecker.exe:PFPortchecker by portforward.com helps check if your ports are properly forwarded.
"UDP Query User{4D037F4C-2D8B-4DBE-8639-62E2494B4F14}c:\\program files\\pfportchecker\\pfportchecker.exe"= TCP:c:\program files\pfportchecker\pfportchecker.exe:PFPortchecker by portforward.com helps check if your ports are properly forwarded.
"{AFFB0E5E-121B-4BA3-B05F-B5D95B294506}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E77C25CB-4018-4EC3-BA51-89E567C24E2D}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{CCD2B10A-F863-4298-89AD-F6699DA20525}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{111BB54A-854D-40D9-A318-9CBF53A1C882}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption

R3 enecir;ENE CIR Receiver;c:\windows\System32\drivers\enecir.sys [7/25/2007 4:08 AM 32256]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/30/2009 4:47 PM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [11/28/2006 6:34 AM 122008]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Contents of the 'Scheduled Tasks' folder

2009-10-18 c:\windows\Tasks\User_Feed_Synchronization-{BA3B951F-D62A-4F73-9D82-2953102A0E25}.job
- c:\windows\system32\msfeedssync.exe [2009-10-15 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mStart Page = hxxp://en.us.acer.yahoo.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
IE: Append to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: newgrounds.com\www
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\users\Shut Down\AppData\Roaming\Mozilla\Firefox\Profiles\p7nt5br5.default\
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Aim6 - (no file)
HKLM-Run-eRecoveryService - (no file)
HKU-Default-Run-Acer Tour Reminder - c:\acer\AcerTour\Reminder.exe
AddRemove-Malwarebytes' Anti-Malware_is1 - d:\program files\Analyze\Yeah\unins000.exe

**************************************************************************
scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\acer\Empowering Technology\eLock\Service\eLockServ.exe
c:\acer\Empowering Technology\eNet\eNet Service.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\System32\Tablet.exe
c:\acer\Empowering Technology\eRecovery\eRecoveryService.exe
c:\windows\System32\rundll32.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\wisptis.exe
c:\program files\Common Files\microsoft shared\ink\TabTip.exe
c:\windows\System32\WTablet\TabUserW.exe
c:\windows\System32\Tablet.exe
c:\combo-fix\CF10052.exe
c:\windows\System32\wbem\WMIADAP.exe
c:\program files\Common Files\microsoft shared\ink\InputPersonalization.exe
.
**************************************************************************
.
Completion time: 2009-10-18 17:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-18 22:58

Pre-Run: 23,647,526,912 bytes free
Post-Run: 23,242,571,776 bytes free

287 --- E O F --- 2009-10-15 14:25

Back on original computer - windows must have redid the key registry.
I will post the log, note: I will be gone for 3+hours I have to catch the bus home, but I'll let you take a look for now.

Great - Now we are cooking with gas! Or . . . however the saying goes.

I didn't think it would be too bad given all that you did prior to combofix. Looks like it replaced the infected file - hopefully you can run programs now.

I'll have a closer look and get back to you.

PP :)

Well . . . things don't look too bad outside of all the P2P stuff. You are playing with serious fire there. A lot of forums won't help you unless those are removed.....

-- What is this folder?: C:\System32

-- Some forum volunteers would likely wipe this registry key:
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

I'll leave that up to you - My feeling is that "people are going to do what they are going to do" . . .LOL.

I will say that you dodged a very big bullet - malware purveyors are really starting to take advantage of P2P stuff. I've seen a lot of borked machines.
Well. . . That's the extent of my lecture.

PP :)

Thanks alot, I still use uTorrent, limewire and those p2p's are all off my system, or so I thought... The virus came from neglegence downloading of a "cracked" software. Shame on me.

I'm careful with the torrent's. If it's not an .mp3 file I won't download it... ehem.

Thanks for all you've done!
AND YES. It's gone! WOOO!

Thanks for all you've done!
AND YES. It's gone! WOOO!

Glad we could help :)

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.