
Thread: worm/virus trojan I need help!

  1. #1
    Member
    Join Date: Jan 2009
    Posts: 40

    worm/virus trojan I need help!

    I must have downloaded a worm/virus a couple of days ago. I had good luck in the past removing viruses such as Windows Antivirus 2008 from a friend's PC and Antivirus 2009 from mine, so I have been lurking around the forums following some advice.
    At first I could not get Malwarebytes to run; I had to go into safe mode. Now it works in regular mode, but I still can't get rid of 2 viruses: Rootkit.Agent.H and Trojan.Agent.
    I also ran some scripts with ComboFix that I found on forums.
    please help!!!!!!!!
    Here are some scans:
    Malwarebytes' Anti-Malware 1.31

    Database version: 1456

    Windows 5.1.2600 Service Pack 3



    1/4/2009 2:25:18 PM

    mbam-log-2009-01-04 (14-25-18).txt



    Scan type: Quick Scan

    Objects scanned: 57203

    Time elapsed: 6 minute(s), 59 second(s)



    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 2



    Memory Processes Infected:

    (No malicious items detected)



    Memory Modules Infected:

    (No malicious items detected)



    Registry Keys Infected:

    (No malicious items detected)



    Registry Values Infected:

    (No malicious items detected)



    Registry Data Items Infected:

    (No malicious items detected)



    Folders Infected:

    (No malicious items detected)



    Files Infected:

    C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

    C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

    ComboFix 08-12-31.01 - Owner 2009-01-04 14:26:29.6 - NTFSx86

    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.664 [GMT -5:00]

    Running from: c:\documents and settings\Owner\Desktop\Unused Desktop Shortcuts\ComboFix.exe

    .



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .



    c:\windows\system32\drivers\mrxdavv.sys

    c:\windows\system32\kwave.sys



    .

    ((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))

    .



    2009-01-01 21:19 . 2009-01-01 21:19 <DIR> d-------- c:\program files\Trend Micro

    2009-01-01 21:14 . 2009-01-01 21:14 126,976 --a------ c:\windows\system32\InstallAVg_77015105.exe

    2009-01-01 19:30 . 2009-01-01 19:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

    2009-01-01 19:28 . 2004-04-01 04:03 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS

    2009-01-01 19:28 . 2004-04-02 18:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec

    2009-01-01 19:28 . 2004-04-01 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView

    2009-01-01 19:28 . 2009-01-01 19:28 <DIR> d-------- c:\documents and settings\Administrator

    2009-01-01 18:57 . 2009-01-01 18:57 25,600 --ahs---- c:\windows\system32\mss.dll

    2009-01-01 18:55 . 2009-01-01 18:55 <DIR> d-------- c:\program files\IESurfBar

    2009-01-01 18:55 . 2009-01-04 14:33 112,364 --a------ c:\windows\system32\drivers\d5c1be17.sys

    2009-01-01 18:54 . 2009-01-01 18:54 43,750 --a------ C:\mnmx.exe

    2009-01-01 18:42 . 2009-01-01 18:42 0 --a------ c:\windows\system32\tmcontrol.bin

    2009-01-01 18:04 . 2009-01-01 18:04 0 --a------ c:\windows\system32\system32xp.exe.tmp

    2009-01-01 18:04 . 2009-01-01 18:04 0 --a------ c:\windows\system32\.tmp

    2009-01-01 18:02 . 2009-01-01 21:19 24,576 --a------ c:\windows\system32\tempexec.exe

    2009-01-01 18:01 . 2009-01-01 18:01 108,336 --a------ c:\windows\system32\mswinsck.ocx

    2009-01-01 18:00 . 2009-01-04 14:33 112,364 --a------ c:\windows\system32\drivers\6266c5bf.sys

    2009-01-01 18:00 . 2009-01-01 18:00 8,512 --a------ c:\windows\system32\swapm.sys

    2009-01-01 18:00 . 2009-01-01 18:00 8,512 --a------ c:\windows\system32\drivers\mafw.sys

    2009-01-01 18:00 . 2009-01-01 18:00 4,707 --a------ c:\windows\system32\aidb.dat

    2009-01-01 18:00 . 2009-01-01 18:54 2 --a------ C:\1077971964

    2008-12-23 01:26 . 2008-12-23 01:26 410,984 --a------ c:\windows\system32\deploytk.dll



    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-01-04 19:16 --------- d-----w c:\documents and settings\Owner\Application Data\U3

    2009-01-02 04:26 --------- d-----w c:\program files\Vuze

    2009-01-02 03:28 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

    2009-01-01 23:04 --------- d-----w c:\documents and settings\Owner\Application Data\Azureus

    2009-01-01 23:00 8,512 ----a-w c:\windows\system32\drivers\sptd.sys

    2009-01-01 22:59 --------- d-----w c:\program files\Common Files\Real

    2008-12-23 06:26 --------- d-----w c:\program files\Java

    2008-12-04 00:54 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

    2008-12-04 00:54 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

    2008-11-20 20:11 --------- d-----w c:\program files\free-downloads.net

    2008-11-20 20:11 --------- d-----w c:\program files\Conduit

    2008-11-20 20:11 --------- d-----w c:\program files\Alcohol Soft

    2008-11-04 22:17 --------- d-----w c:\documents and settings\Owner\Application Data\Digidesign

    2006-12-16 20:09 251,883 ----a-w c:\program files\uninstal.log

    2004-12-05 06:24 184,808 -c--a-w c:\documents and settings\Owner\Application Data\shb.dat

    2008-12-24 13:07 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

    2008-12-24 13:07 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

    2008-12-24 13:07 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

    2008-12-24 13:07 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

    2008-12-24 13:07 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

    2008-04-14 00:12 62,991 --sh--r c:\windows\system32\lssa.exe

    2008-09-24 17:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092420080925\index.dat

    .



    ((((((((((((((((((((((((((((( snapshot@2009-01-01_21.43.36.78 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2008-04-13 18:32:44 180,608 -c--a-w c:\windows\system32\dllcache\mrxdav.sys

    + 2009-01-04 19:32:23 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6ac.dat

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4



    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

    "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-08-29 66912]

    "{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2008-02-14 1555480]



    [HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]



    [HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]



    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-20 4608]



    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]

    "Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

    "UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

    "DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-12-03 1265296]

    "VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]

    "AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

    "AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

    "WD Button Manager"="WDBtnMgr.exe" [2007-02-16 c:\windows\system32\WDBtnMgr.exe]

    "Windows Service Processor"="lssa.exe" [2008-04-13 c:\windows\system32\lssa.exe]



    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

    "Windows Service Processor"="lssa.exe" [2008-04-13 c:\windows\system32\lssa.exe]



    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]



    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]



    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

    "AppInit_DLLs"=mss.dll



    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

    "wave10"= Digi32.dll

    "Midi1"= BCR2000.DLL

    "Midi2"= usbkt1x1.dll

    "Midi3"= diomidi.dll

    "Midi4"= mbx2midu.dll



    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mafw.sys]

    @="Driver"



    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys]

    @="Driver"



    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup



    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DriveSelect.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DriveSelect.lnk

    backup=c:\windows\pss\DriveSelect.lnkCommon Startup



    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup



    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MFWAKeys.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MFWAKeys.lnk

    backup=c:\windows\pss\MFWAKeys.lnkCommon Startup



    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

    backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup



    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

    backup=c:\windows\pss\Updates from HP.lnkCommon Startup



    [HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]

    path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk

    backup=c:\windows\pss\IMStart.lnkStartup



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

    --a------ 2004-01-09 04:34 32768 c:\program files\HP\Digital Imaging\bin\BackupNotify.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

    --a------ 2003-12-22 18:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

    --a------ 2003-03-27 04:34 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]

    --a------ 2003-08-21 06:23 49152 c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

    --a------ 1998-05-07 19:04 52736 c:\windows\system\hpsysdrv.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

    --a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

    --a------ 2003-02-11 22:02 61440 c:\hp\KBD\kbd.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

    --a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

    --a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

    --a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]

    --a------ 2004-11-09 03:29 286786 c:\program files\NZSearch\nzspc.exe



    [HKEY_LOCAL_MACHINE\software\microsoft\security center]

    "AntiVirusOverride"=dword:00000001



    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

    "c:\\WINDOWS\\system32\\dpvsetup.exe"=

    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

    "c:\\Program Files\\iTunes\\iTunes.exe"=

    "ÿ[ë|į"= ÿ[ë|į:Windows Service Processor

    "ÿ[ë|į"= ÿ[ë|į:Windows Service Processor



    R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2008-08-09 16384]

    R1 Asapi;Asapi;c:\windows\system32\drivers\Asapi.sys [2006-01-20 11264]

    R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]

    R1 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys [2008-08-09 21648]

    R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2008-08-09 16400]

    R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

    R3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2008-08-09 97808]

    R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2008-08-09 21904]

    R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\MotuBus.sys [2004-10-18 15488]

    S1 FW;Service for M-Audio Firewire Driver (WDM);c:\windows\system32\DRIVERS\mafw.sys [2009-01-01 8512]

    S1 swapm;DRAM Cash Driver;c:\windows\system32\swapm.sys [2009-01-01 8512]

    S2 mrtRate;mrtRate; []

    S3 BCR2000;B-Control Rotary/Fader 2000 (08/04/2004,1.1.1.0);c:\windows\system32\drivers\bcr2000.sys [2004-08-13 21024]

    S3 Duende;Duende Firewire Driver;c:\windows\system32\DRIVERS\Duende.sys [2007-05-24 54320]

    S3 iLokDrvr;iLok;c:\windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 54256]

    S3 L6BODP;Bass PODxt Pro Service;c:\windows\system32\Drivers\L6BODP.sys [2004-10-05 114048]

    S3 MAFW;%FW.SvcDesc%;c:\windows\system32\DRIVERS\mafw.sys [2009-01-01 8512]

    S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2004-10-18 18816]

    S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWAVE.sys [2004-10-18 24320]

    S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\MotuFWA.sys [2004-10-18 120576]

    S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2006-01-15 13504]

    S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2006-01-15 22304]



    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

    \shell\autorun\command - G:\LaunchU3.exe -a



    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa894a6c-da92-11dd-81f7-00112f2dc419}]

    \shell\autorun\command - G:\LaunchU3.exe -a

    .

    Contents of the 'Scheduled Tasks' folder



    2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job

    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]



    2009-01-04 c:\windows\Tasks\hoagvhxs.job

    - c:\windows\system32\rundll32.exe [2008-04-13 19:12]



    2009-01-04 c:\windows\Tasks\MP Scheduled Scan.job

    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]



    2009-01-02 c:\windows\Tasks\Symantec NetDetect.job

    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 11:24]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://google.com

    uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

    mStart Page = hxxp://www.yahoo.com

    mSearch Bar = about:blank

    uInternet Connection Wizard,ShellNext = iexplore

    uInternet Settings,ProxyOverride = localhost;*.local

    uSearchURL,(Default) = hxxp://www.yahoo.com/

    IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

    IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

    FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\c0djjq0p.default\

    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&SearchSource=3&q=

    FF - prefs.js: browser.search.selectedEngine - Web Search

    FF - prefs.js: browser.startup.homepage - hxxp://google.com

    FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\c0djjq0p.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}\components\FFAlert.dll

    .



    **************************************************************************



    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-01-04 14:32:29

    Windows 5.1.2600 Service Pack 3 NTFS



    scanning hidden processes ...



    scanning hidden autostart entries ...



    scanning hidden files ...



    scan completed successfully

    hidden files: 0



    **************************************************************************



    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6266c5bf]

    "ImagePath"="\SystemRoot\System32\drivers\6266c5bf.sys"

    --



    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d5c1be17]

    "ImagePath"="\SystemRoot\System32\drivers\d5c1be17.sys"

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------



    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]

    @Security="Inherited"

    "ThreadingModel"="Apartment"

    @="c:\\WINDOWS\\system32\\OLE32.DLL"




    [HKEY_LOCAL_MACHINE\software\Digidesign]

    @Owner=S-1-5-21-3718370760-455776615-2973682036-1003

    @Denied: (A C D) (S-1-5-21-3718370760-455776615-2973682036-1014)

    @Allowed: (Full) (S-1-5-21-3718370760-455776615-2973682036-1014)

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------



    - - - - - - - > 'winlogon.exe'(712)

    c:\windows\system32\mbx2midu.dll



    - - - - - - - > 'lsass.exe'(768)

    c:\windows\system32\mbx2midu.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    c:\program files\Bonjour\mDNSResponder.exe

    c:\program files\ewido anti-malware\ewidoctrl.exe

    c:\program files\Java\jre6\bin\jqs.exe

    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    c:\program files\iPod\bin\iPodService.exe

    .

    **************************************************************************

    .

    Completion time: 2009-01-04 14:37:43 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-01-04 19:37:24

    ComboFix2.txt 2009-01-03 02:22:51

    ComboFix3.txt 2009-01-02 05:10:26

    ComboFix4.txt 2009-01-02 04:49:39

    ComboFix5.txt 2009-01-04 19:26:08



    Pre-Run: 29,507,047,424 bytes free

    Post-Run: 29,493,268,480 bytes free



    364 --- E O F --- 2008-12-29 22:10:58

  2. #2
    Security Expert: Emeritus
    Join Date: Oct 2006
    Location: Finland
    Posts: 29,374

    Hello Protools954

    Please see this next

    Please follow the instructions in the above thread and then start a fresh topic with the logs required.

    Regards.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
