
Malwarebytes

AntivirusPro_2010 / can't load malwarebytes


3 replies to this topic

#1
mstyers

    New Member

  • Members
  • 2 posts
I have the AntivirusPro_2010. I have tried to download and install MalwareBytes. It would not let me install the file. I downloaded it on another machine, renamed the file and then I was able to install the application. Once I ran the application and started a scan, it cleared off the screen and was no longer in my list of processes. I renamed the .exe and the app loaded; I started the scan and then it cleared off the screen and again was not in the list of processes.

I downloaded and installed HijackThis with the same result.

When I try to run each of these I get the error message "Windows can not access the specified device, path or file. You may not have the appropriate permissions to access the item"

I have been able to delete the registry items I know of:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Antivirus Pro 2010" = "C:\Program Files\AntivirusPro_2010\AntivirusPro_2010.exe"
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LinksBar\ItemCache
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Extensions
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SQM\PIDs
* HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{DBC80044-A445-435B-BC74-9C25C1C588A9}
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
* HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusPro_2010
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ESENT\Process\[ORIGINAL FILE NAME]
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AntivirusPro_2010
* HKEY_CURRENT_USER\Control Panel\don't load "scui.cpl"
* HKEY_CURRENT_USER\Control Panel\don't load "wscui.cpl"

and remove the wallpaper, but I still am not able to run a MalwareBytes scan or an AntiVirus scan or get HijackThis to run.

Any help would be greatly appreciated.

Thanks.

#2
mstyers

    New Member

  • Members
  • 2 posts
By the way, I am running Windows XP Professional Service Pack 2, Malwarebytes ver. 1.41. Let me know if you need any more system info.

Reading through some of the other posts it looks like you recommend running ComboFix, HijackThis and Win32diag. I was able to run ComboFix, which cleared up some of the issues. I am still not able to run the Win32diag. Here are the ComboFix and HijackThis logs.

Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:38:13 AM, on 10/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\S3apphk.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\LMIGuardian.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1935655697-1004336348-839522115-1146\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" (User '?')
O4 - HKUS\S-1-5-21-1935655697-1004336348-839522115-1146\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1195661782535
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1195662179305
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.ad...Plus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\Software\..\Telephony: DomainName = domain.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = domain.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = domain.local
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)

--
End of file - 6544 bytes



ComboFix 09-10-04.01 - tbutcher 10/05/2009 15:15.1.1 - NTFSx86
Running from: c:\documents and settings\tbutcher\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\ekuniq.bin
c:\documents and settings\All Users\Application Data\fojodomo.com
c:\documents and settings\All Users\Application Data\lyjex.scr
c:\documents and settings\All Users\Application Data\oqyxope._dl
c:\documents and settings\All Users\Application Data\qego.lib
c:\documents and settings\All Users\Documents\efajot.pif
c:\documents and settings\All Users\Documents\eneb.ban
c:\documents and settings\tbutcher\Application Data\aqenanuqo._sy
c:\documents and settings\tbutcher\Application Data\ciqyxidy._dl
c:\documents and settings\tbutcher\Application Data\otuwibysus.vbs
c:\documents and settings\tbutcher\Application Data\seres.exe
c:\documents and settings\tbutcher\Local Settings\Application Data\cevamiwox.scr
c:\documents and settings\tbutcher\Local Settings\Application Data\fefehuhog.reg
c:\documents and settings\tbutcher\Local Settings\Application Data\qalofifab.pif
c:\documents and settings\tbutcher\Local Settings\Application Data\rogixihe.dl
c:\documents and settings\tbutcher\Local Settings\Application Data\usic.dl
c:\program files\Common Files\irufy.exe
c:\program files\Common Files\pyxator.pif
c:\program files\Common Files\urod.bin
c:\windows\ecugi.bin
c:\windows\eqamysagaz.vbs
c:\windows\erahup.dll
c:\windows\hozucop.pif
c:\windows\ilatenuma.sys
c:\windows\iqazitefih.pif
c:\windows\irid.dll
c:\windows\puma.pif
c:\windows\search_res.txt
c:\windows\system32\_scui.cpl
c:\windows\system32\~.exe
c:\windows\system32\41.exe
c:\windows\system32\AVR09.exe
c:\windows\system32\drivers\gasfkyuijwioet.sys
c:\windows\system32\ecagik.bin
c:\windows\system32\gasfkyejwxnrje.dat
c:\windows\system32\gasfkyewswuigf.dll
c:\windows\system32\gasfkyilwadarn.dat
c:\windows\system32\gasfkylxshlwti.dll
c:\windows\system32\gasfkyxexrxoan.dll
c:\windows\system32\pygubuqypo._dl
c:\windows\system32\winhelper.dll
c:\windows\system32\yjajofiw.reg
c:\windows\udys.sys
c:\windows\upovo.bin
c:\windows\ybora.scr
c:\windows\zaponce52597.dat
c:\windows\zaponce52689.dat

Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\proquota.exe . . . is missing!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_gasfkypxylbopx
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_gasfkypxylbopx


((((((((((((((((((((((((( Files Created from 2009-09-05 to 2009-10-05 )))))))))))))))))))))))))))))))
.

2009-10-05 20:07 . 2009-10-05 20:07 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-10-05 16:46 . 2009-09-10 19:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-05 16:46 . 2009-10-05 16:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-05 16:46 . 2009-09-10 19:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-05 16:43 . 2009-10-05 16:43 -------- d-----w- c:\program files\Trend Micro
2009-10-05 15:52 . 2009-10-05 15:52 -------- d--h--w- c:\windows\system32\GroupPolicy
2009-10-05 15:32 . 2009-10-05 15:32 -------- d-----w- c:\program files\CCleaner
2009-10-05 14:25 . 2009-10-05 14:25 -------- d-----w- c:\documents and settings\administrator\Application Data\Malwarebytes
2009-10-05 14:22 . 2009-10-05 14:22 -------- d--h--r- c:\documents and settings\administrator\Application Data\yahoo!
2009-10-05 14:22 . 2009-10-05 14:22 -------- d-----w- c:\documents and settings\administrator\Local Settings\Application Data\LogMeIn
2009-10-05 14:22 . 2009-10-05 14:22 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2009-10-05 14:17 . 2009-10-05 14:17 -------- d-----w- c:\documents and settings\tbutcher\Application Data\Malwarebytes
2009-10-05 14:16 . 2009-10-05 14:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-30 21:37 . 2009-10-01 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-09-30 18:43 . 2009-09-30 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\XoftSpySE
2009-09-30 17:29 . 2009-09-30 17:29 16078 ----a-w- c:\windows\system32\enidycasi.com
2009-09-30 17:29 . 2009-09-30 17:29 12006 ----a-w- c:\documents and settings\tbutcher\Local Settings\Application Data\otunagivez.dat
2009-09-30 17:10 . 2009-09-30 17:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ICS
2009-09-30 17:06 . 2009-09-30 17:06 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-09-30 16:59 . 2009-10-05 18:46 0 ----a-r- c:\windows\win32k.sys
2009-09-18 17:50 . 2009-09-18 17:50 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2009-09-10 03:41 . 2009-09-10 03:41 -------- d-----w- c:\program files\Common Files\Apple
2009-09-10 03:40 . 2009-09-10 03:40 -------- d-----w- c:\program files\QuickTime
2009-09-10 03:40 . 2009-09-10 03:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-05 20:09 . 2006-06-03 19:39 -------- d-----w- c:\program files\Yahoo!
2009-10-05 20:07 . 2009-05-29 15:01 -------- d-----w- c:\program files\MSECache
2009-10-05 19:53 . 2008-04-30 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-10-05 19:52 . 2009-06-25 17:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2009-10-05 15:34 . 2009-06-25 17:18 -------- d-----w- c:\documents and settings\tbutcher\Application Data\Yahoo!
2009-10-05 13:28 . 2009-03-31 20:29 -------- d-----w- c:\program files\LogMeIn
2009-10-01 14:11 . 2009-03-31 20:30 28984 ----a-w- c:\windows\system32\LMIport.dll
2009-10-01 14:11 . 2009-03-31 20:30 83288 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2009-10-01 14:11 . 2009-03-31 20:30 87352 ----a-w- c:\windows\system32\LMIinit.dll
2009-09-30 18:43 . 2007-06-18 15:03 23440 -c--a-w- c:\documents and settings\tbutcher\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-30 18:33 . 2009-04-02 02:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-30 18:32 . 2009-04-02 02:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-30 17:24 . 2007-07-25 15:56 -------- d-----w- c:\program files\Common Files\Real
2009-09-30 17:24 . 2007-07-25 15:56 -------- d-----w- c:\program files\Real
2009-09-30 17:04 . 2009-09-30 17:04 17290 ----a-w- c:\program files\Common Files\leviw._sy
2009-09-16 11:49 . 2009-04-01 04:33 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-10 03:43 . 2009-04-02 02:46 -------- d-----w- c:\program files\Java
2009-09-10 03:41 . 2007-08-24 19:37 1744 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-08 14:12 . 2008-10-17 01:35 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2009-09-08 14:12 . 2008-10-17 01:35 25248 ----a-w- c:\windows\system32\lmimirr.dll
2009-09-01 15:02 . 2006-01-20 21:08 -------- d-----w- c:\program files\ZipForm Desktop
2009-08-28 13:09 . 2008-04-30 17:14 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 13:09 . 2008-04-30 17:14 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-28 13:09 . 2008-04-30 17:14 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-05 09:11 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 10:23 . 2009-04-02 02:47 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 18:55 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 04:43 . 2004-08-04 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"S3apphk"="S3apphk.exe" - c:\windows\system32\S3apphk.exe [2002-02-01 28672]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 13:09 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 14:11 87352 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1935655697-1004336348-839522115-1129\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1935655697-1004336348-839522115-1133\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1935655697-1004336348-839522115-1138\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1935655697-1004336348-839522115-1146\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1935655697-1004336348-839522115-500\Scripts\Logon\0\0]
"Script"=login.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Lavasoft Ad-Aware Service"=3 (0x3)
"avg8wd"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R3 trid3d;trid3d;c:\windows\system32\DRIVERS\trid3dm.sys [2001-08-17 222336]
R3 XoftSpyService;XoftSpyService;c:\program files\Common Files\XoftSpySE\6\xoftspyservice.exe [x]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-08-28 297752]
R4 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-09-22 1028432]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-04-23 64160]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-08-28 335240]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2008-07-24 12856]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-07-24 47640]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-10-01 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 04:45]

2009-10-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2009-10-05 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-04-02 20:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\tbutcher\Application Data\Mozilla\Firefox\Profiles\qt33rb5n.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-05 15:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\LMIinit.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2888)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\ramaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2009-10-05 16:00 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-05 21:00

Pre-Run: 7,324,495,872 bytes free
Post-Run: 7,222,808,576 bytes free

270 --- E O F --- 2009-09-10 08:05
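A small triage script for HijackThis logs like the one posted above, written as an added example for this thread (it is not Malwarebytes, Trend Micro or forum-helper code). It parses the O2, O4 and O23 entries and flags the things a helper checks first: entries whose backing file is missing, services with no publisher, and Run values that name a bare executable with no directory. The sample lines are copied from the log in the post; the regexes and the flag names are this example's own.

```python
"""Triage helper for HijackThis v2 log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Sample input: six lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: XoftSpyService - Unknown owner - C:\Program Files\Common Files\XoftSpySE\6\xoftspyservice.exe (file missing)
"""

# One pattern per section type we care about; named groups keep the fields readable.
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$"),
}


@dataclass
class Entry:
    section: str
    name: str
    path: str
    owner: str = ""
    reasons: list = field(default_factory=list)


def parse_entries(log_text):
    """Return one Entry per O2/O4/O23 line; all other sections are skipped."""
    entries = []
    for line in log_text.splitlines():
        section = line.split(" ", 1)[0]
        pattern = PATTERNS.get(section)
        if pattern is None:
            continue
        m = pattern.match(line.rstrip())
        if m is None:
            continue
        g = m.groupdict()
        entries.append(Entry(section, g["name"], g["path"], g.get("owner", "")))
    return entries


def is_bare_filename(cmd):
    """True when a Run value is only 'name.exe' with no directory, so Windows
    resolves it through the search path. The ComboFix log above shows the same
    S3apphk entry resolved to system32, which is what a helper then verifies."""
    cmd = cmd.strip().strip('"')
    return "\\" not in cmd and "/" not in cmd and cmd.lower().endswith(".exe")


def triage(log_text):
    """Flag entries worth a closer look and attach the reason(s) to each."""
    flagged = []
    for e in parse_entries(log_text):
        if e.path == "(no file)" or e.path.endswith("(file missing)"):
            e.reasons.append("missing file")
        if e.section == "O23" and e.owner == "Unknown owner":
            e.reasons.append("unknown owner")
        if e.section == "O4" and is_bare_filename(e.path):
            e.reasons.append("bare filename, verify resolved location")
        if e.reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.section:4} {e.name!r:40} -> {', '.join(e.reasons)}")
```

On the sample lines this flags the nameless BHO with no file, the bare `S3apphk.exe` Run value, and the XoftSpyService entry (missing file and unknown owner), while the AVG and Adobe entries pass.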

#3
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,534 posts
  • Gender:Male
  • Location:Fortville, IN
That log is looking pretty good.

I have attached a file to this message called CFScript.txt which will tell ComboFix how to remove some of the bad things I saw in your ComboFix log. Please save CFScript onto your desktop, and then download a fresh copy of ComboFix from the link below, and make sure to save it on your desktop as well. Once you have both CFScript and ComboFix saved to your desktop, hold down the left mouse button on top of the icon for CFScript, and drag it on top of the ComboFix icon, and then let go. This should start ComboFix again. Make sure, when it finishes, to attach the new log to a reply so that I can verify that it deleted what it was supposed to.
http://download.blee...Bs/ComboFix.exe

Attached File  CFScript.txt   237bytes   46 downloads

Quote

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...

#4
GT500

    Mostly Cantankerous

  • Trusted Advisors
  • 5,534 posts
  • Gender:Male
  • Location:Fortville, IN
Due to lack of feedback, I am closing this topic. Please send me a private message if you need further assistance.

