
worm/virus trojan I need help!



Protools954
2009-01-04, 21:10
I must have downloaded a worm/virus a couple of days ago. I had good luck in the past removing viruses such as Windows Antivirus 2008 from a friend's PC and Antivirus 2009 from mine, so I have been lurking around the forums following some advice.
At first I could not get Malwarebytes to run; I had to go into safe mode. Now it works in regular mode, but I still can't get rid of 2 viruses: Rootkit.Agent.H and Trojan.Agent.
I also ran some scripts with ComboFix that I found on the forums.
Please help!!!!!!!!
Here are some scans:
Malwarebytes' Anti-Malware 1.31

Database version: 1456

Windows 5.1.2600 Service Pack 3



1/4/2009 2:25:18 PM

mbam-log-2009-01-04 (14-25-18).txt



Scan type: Quick Scan

Objects scanned: 57203

Time elapsed: 6 minute(s), 59 second(s)



Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2



Memory Processes Infected:

(No malicious items detected)



Memory Modules Infected:

(No malicious items detected)



Registry Keys Infected:

(No malicious items detected)



Registry Values Infected:

(No malicious items detected)



Registry Data Items Infected:

(No malicious items detected)



Folders Infected:

(No malicious items detected)



Files Infected:

C:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.

C:\WINDOWS\system32\kwave.sys (Trojan.Agent) -> Delete on reboot.

ComboFix 08-12-31.01 - Owner 2009-01-04 14:26:29.6 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.959.664 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Unused Desktop Shortcuts\ComboFix.exe

.



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.



c:\windows\system32\drivers\mrxdavv.sys

c:\windows\system32\kwave.sys



.

((((((((((((((((((((((((( Files Created from 2008-12-04 to 2009-01-04 )))))))))))))))))))))))))))))))

.



2009-01-01 21:19 . 2009-01-01 21:19 <DIR> d-------- c:\program files\Trend Micro

2009-01-01 21:14 . 2009-01-01 21:14 126,976 --a------ c:\windows\system32\InstallAVg_77015105.exe

2009-01-01 19:30 . 2009-01-01 19:30 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-01-01 19:28 . 2004-04-01 04:03 <DIR> d-------- c:\documents and settings\Administrator\WINDOWS

2009-01-01 19:28 . 2004-04-02 18:04 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Symantec

2009-01-01 19:28 . 2004-04-01 16:49 <DIR> d-------- c:\documents and settings\Administrator\Application Data\SampleView

2009-01-01 19:28 . 2009-01-01 19:28 <DIR> d-------- c:\documents and settings\Administrator

2009-01-01 18:57 . 2009-01-01 18:57 25,600 --ahs---- c:\windows\system32\mss.dll

2009-01-01 18:55 . 2009-01-01 18:55 <DIR> d-------- c:\program files\IESurfBar

2009-01-01 18:55 . 2009-01-04 14:33 112,364 --a------ c:\windows\system32\drivers\d5c1be17.sys

2009-01-01 18:54 . 2009-01-01 18:54 43,750 --a------ C:\mnmx.exe

2009-01-01 18:42 . 2009-01-01 18:42 0 --a------ c:\windows\system32\tmcontrol.bin

2009-01-01 18:04 . 2009-01-01 18:04 0 --a------ c:\windows\system32\system32xp.exe.tmp

2009-01-01 18:04 . 2009-01-01 18:04 0 --a------ c:\windows\system32\.tmp

2009-01-01 18:02 . 2009-01-01 21:19 24,576 --a------ c:\windows\system32\tempexec.exe

2009-01-01 18:01 . 2009-01-01 18:01 108,336 --a------ c:\windows\system32\mswinsck.ocx

2009-01-01 18:00 . 2009-01-04 14:33 112,364 --a------ c:\windows\system32\drivers\6266c5bf.sys

2009-01-01 18:00 . 2009-01-01 18:00 8,512 --a------ c:\windows\system32\swapm.sys

2009-01-01 18:00 . 2009-01-01 18:00 8,512 --a------ c:\windows\system32\drivers\mafw.sys

2009-01-01 18:00 . 2009-01-01 18:00 4,707 --a------ c:\windows\system32\aidb.dat

2009-01-01 18:00 . 2009-01-01 18:54 2 --a------ C:\1077971964

2008-12-23 01:26 . 2008-12-23 01:26 410,984 --a------ c:\windows\system32\deploytk.dll



.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-01-04 19:16 --------- d-----w c:\documents and settings\Owner\Application Data\U3

2009-01-02 04:26 --------- d-----w c:\program files\Vuze

2009-01-02 03:28 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-01-01 23:04 --------- d-----w c:\documents and settings\Owner\Application Data\Azureus

2009-01-01 23:00 8,512 ----a-w c:\windows\system32\drivers\sptd.sys

2009-01-01 22:59 --------- d-----w c:\program files\Common Files\Real

2008-12-23 06:26 --------- d-----w c:\program files\Java

2008-12-04 00:54 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2008-12-04 00:54 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2008-11-20 20:11 --------- d-----w c:\program files\free-downloads.net

2008-11-20 20:11 --------- d-----w c:\program files\Conduit

2008-11-20 20:11 --------- d-----w c:\program files\Alcohol Soft

2008-11-04 22:17 --------- d-----w c:\documents and settings\Owner\Application Data\Digidesign

2006-12-16 20:09 251,883 ----a-w c:\program files\uninstal.log

2004-12-05 06:24 184,808 -c--a-w c:\documents and settings\Owner\Application Data\shb.dat

2008-12-24 13:07 67,688 ----a-w c:\program files\mozilla firefox\components\jar50.dll

2008-12-24 13:07 54,368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll

2008-12-24 13:07 34,944 ----a-w c:\program files\mozilla firefox\components\myspell.dll

2008-12-24 13:07 46,712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll

2008-12-24 13:07 172,136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll

2008-04-14 00:12 62,991 --sh--r c:\windows\system32\lssa.exe

2008-09-24 17:08 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008092420080925\index.dat

.



((((((((((((((((((((((((((((( snapshot@2009-01-01_21.43.36.78 )))))))))))))))))))))))))))))))))))))))))

.

+ 2008-04-13 18:32:44 180,608 -c--a-w c:\windows\system32\dllcache\mrxdav.sys

+ 2009-01-04 19:32:23 16,384 ----atw c:\windows\temp\Perflib_Perfdata_6ac.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4



[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-08-29 66912]

"{ecdee021-0d17-467f-a1ff-c7a115230949}"= "c:\program files\free-downloads.net\tbfree.dll" [2008-02-14 1555480]



[HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]



[HKEY_CLASSES_ROOT\clsid\{ecdee021-0d17-467f-a1ff-c7a115230949}]



[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-26 68856]

"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-11-20 4608]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-23 136600]

"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2004-04-14 233472]

"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 110592]

"DigidesignMMERefresh"="c:\program files\Digidesign\Drivers\MMERefresh.exe" [2007-10-30 77824]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-09-10 289576]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2008-12-03 1265296]

"VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]

"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]

"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 c:\windows\ALCXMNTR.EXE]

"WD Button Manager"="WDBtnMgr.exe" [2007-02-16 c:\windows\system32\WDBtnMgr.exe]

"Windows Service Processor"="lssa.exe" [2008-04-13 c:\windows\system32\lssa.exe]



[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"Windows Service Processor"="lssa.exe" [2008-04-13 c:\windows\system32\lssa.exe]



[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-22 39264]



c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=mss.dll



[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"wave10"= Digi32.dll

"Midi1"= BCR2000.DLL

"Midi2"= usbkt1x1.dll

"Midi3"= diomidi.dll

"Midi4"= mbx2midu.dll



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mafw.sys]

@="Driver"



[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys]

@="Driver"



[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup



[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DriveSelect.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\DriveSelect.lnk

backup=c:\windows\pss\DriveSelect.lnkCommon Startup



[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup



[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MFWAKeys.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MFWAKeys.lnk

backup=c:\windows\pss\MFWAKeys.lnkCommon Startup



[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Quicken Scheduled Updates.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Quicken Scheduled Updates.lnk

backup=c:\windows\pss\Quicken Scheduled Updates.lnkCommon Startup



[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk

backup=c:\windows\pss\Updates from HP.lnkCommon Startup



[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^IMStart.lnk]

path=c:\documents and settings\Owner\Start Menu\Programs\Startup\IMStart.lnk

backup=c:\windows\pss\IMStart.lnkStartup



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BackupNotify]

--a------ 2004-01-09 04:34 32768 c:\program files\HP\Digital Imaging\bin\BackupNotify.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]

--a------ 2003-12-22 18:38 241664 c:\program files\HP\hpcoretech\hpcmpmgr.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

--a------ 2003-03-27 04:34 172032 c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]

--a------ 2003-08-21 06:23 49152 c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]

--a------ 1998-05-07 19:04 52736 c:\windows\system\hpsysdrv.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2008-09-10 16:40 289576 c:\program files\iTunes\iTunesHelper.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBD]

--a------ 2003-02-11 22:02 61440 c:\hp\KBD\kbd.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2008-04-13 19:12 1695232 c:\program files\Messenger\msmsgs.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 c:\windows\system32\NeroCheck.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-09-06 14:09 413696 c:\program files\QuickTime\QTTask.exe



[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\spc_w]

--a------ 2004-11-09 03:29 286786 c:\program files\NZSearch\nzspc.exe



[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001



[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Updates from HP\\137903\\Program\\BackWeb-137903.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"ÿ[ë|į"= ÿ[ë|į:Windows Service Processor

"ÿ[ë|į"= ÿ[ë|į:Windows Service Processor



R0 DigiFilter;DigiFilter;c:\windows\system32\drivers\DigiFilt.sys [2008-08-09 16384]

R1 Asapi;Asapi;c:\windows\system32\drivers\Asapi.sys [2006-01-20 11264]

R1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido anti-malware\guard.sys [2005-12-30 3072]

R1 MBX2DFU;MBX2DFU;c:\windows\system32\DRIVERS\MBX2DFU.sys [2008-08-09 21648]

R2 DigiNet;Digidesign Ethernet Support;c:\windows\system32\DRIVERS\diginet.sys [2008-08-09 16400]

R2 WinDefend;Windows Defender;"c:\program files\Windows Defender\MsMpEng.exe" [2006-11-03 13592]

R3 dalwdmservice;dal service;c:\windows\system32\drivers\dalwdm.sys [2008-08-09 97808]

R3 MBX2MIDK;Digidesign Mbox 2 Midi Driver;c:\windows\system32\drivers\mbx2midk.sys [2008-08-09 21904]

R3 motubus;MOTU Audio MIDI Extension;c:\windows\system32\drivers\MotuBus.sys [2004-10-18 15488]

S1 FW;Service for M-Audio Firewire Driver (WDM);c:\windows\system32\DRIVERS\mafw.sys [2009-01-01 8512]

S1 swapm;DRAM Cash Driver;c:\windows\system32\swapm.sys [2009-01-01 8512]

S2 mrtRate;mrtRate; []

S3 BCR2000;B-Control Rotary/Fader 2000 (08/04/2004,1.1.1.0);c:\windows\system32\drivers\bcr2000.sys [2004-08-13 21024]

S3 Duende;Duende Firewire Driver;c:\windows\system32\DRIVERS\Duende.sys [2007-05-24 54320]

S3 iLokDrvr;iLok;c:\windows\system32\DRIVERS\iLokDrvr.sys [2007-09-05 54256]

S3 L6BODP;Bass PODxt Pro Service;c:\windows\system32\Drivers\L6BODP.sys [2004-10-05 114048]

S3 MAFW;%FW.SvcDesc%;c:\windows\system32\DRIVERS\mafw.sys [2009-01-01 8512]

S3 MFWAMIDI;MOTU FireWire Audio MIDI;c:\windows\system32\drivers\MFWAMIDI.sys [2004-10-18 18816]

S3 MFWAWAVE;MOTU FireWire Audio Wave;c:\windows\system32\drivers\MFWAWAVE.sys [2004-10-18 24320]

S3 MotuFWA;MotuFWA;c:\windows\system32\drivers\MotuFWA.sys [2004-10-18 120576]

S3 UKS11LDR;M-Audio USB Keystation Loader;c:\windows\system32\drivers\uks11ldr.sys [2006-01-15 13504]

S3 USBKT1X1;M-Audio USB Keystation;c:\windows\system32\drivers\usbkt1x1.sys [2006-01-15 22304]



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]

\shell\autorun\command - G:\LaunchU3.exe -a



[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa894a6c-da92-11dd-81f7-00112f2dc419}]

\shell\autorun\command - G:\LaunchU3.exe -a

.

Contents of the 'Scheduled Tasks' folder



2009-01-01 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]



2009-01-04 c:\windows\Tasks\hoagvhxs.job

- c:\windows\system32\rundll32.exe [2008-04-13 19:12]



2009-01-04 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 18:20]



2009-01-02 c:\windows\Tasks\Symantec NetDetect.job

- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 11:24]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://google.com

uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

mStart Page = hxxp://www.yahoo.com

mSearch Bar = about:blank

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = localhost;*.local

uSearchURL,(Default) = hxxp://www.yahoo.com/

IE: &AIM Search - c:\program files\AIM Toolbar\AIMBar.dll/aimsearch.htm

IE: Add To HP Organize... - c:\progra~1\HEWLET~1\HPORGA~1\bin\core.hp.main\SendTo.html

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\c0djjq0p.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT1098640&SearchSource=3&q=

FF - prefs.js: browser.search.selectedEngine - Web Search

FF - prefs.js: browser.startup.homepage - hxxp://google.com

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\c0djjq0p.default\extensions\{ecdee021-0d17-467f-a1ff-c7a115230949}\components\FFAlert.dll

.



**************************************************************************



catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-01-04 14:32:29

Windows 5.1.2600 Service Pack 3 NTFS



scanning hidden processes ...



scanning hidden autostart entries ...



scanning hidden files ...



scan completed successfully

hidden files: 0



**************************************************************************



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\6266c5bf]

"ImagePath"="\SystemRoot\System32\drivers\6266c5bf.sys"

--



[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\d5c1be17]

"ImagePath"="\SystemRoot\System32\drivers\d5c1be17.sys"

.

--------------------- LOCKED REGISTRY KEYS ---------------------



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"cd042efbbd7f7af1647644e76e06692b"=hex:c8,28,51,af,b0,29,a3,98,07,98,47,78,0a,\

78,8d,d2,e2,63,26,f1,3f,c8,ff,68,1e,2b,5b,19,e1,2f,6c,f9,e2,63,26,f1,3f,c8,\

ff,68,39,a6,e3,f1,8f,dd,d0,f5,e2,63,26,f1,3f,c8,ff,68,67,dd,69,9f,58,79,7b,\

c8,20,b0,12,7b



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,d0,70,ec,cf,a3,\

52,bf,1a,6a,9c,d6,61,af,45,84,18,94,be,41,0b,9c,55,ee,14,6a,9c,d6,61,af,45,\

84,18,e7,cc,0a,41,fe,d7,85,0d,71,3b,04,66,8b,46,0d,96,b4,fa,0c,d1,09,76,ec,\

ac,af,7f,10,32



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2c81e34222e8052573023a60d06dd016"=hex:7a,45,05,fd,91,e8,6f,31,d9,df,9a,c7,3b,\

fe,fe,70,ff,7c,85,e0,43,d4,0e,fe,d1,57,d4,eb,55,f4,4e,04,ff,7c,85,e0,43,d4,\

0e,fe,66,98,af,60,07,45,a2,fe,ff,7c,85,e0,43,d4,0e,fe,93,73,7c,67,27,5a,83,\

db,e8,49,96,12



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,17,b8,8f,4b,8c,\

7a,38,9b,86,8c,21,01,be,91,eb,e7,84,18,24,7c,cc,77,9d,b5,86,8c,21,01,be,91,\

eb,e7,a9,72,27,17,fc,c8,12,55,86,8c,21,01,be,91,eb,e7,75,e0,63,30,cd,94,74,\

91,df,cc,d1,41



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"caaeda5fd7a9ed7697d9686d4b818472"=hex:cd,44,cd,b9,a6,33,6c,cd,72,98,fe,94,8e,\

39,91,a9,f5,1d,4d,73,a8,13,5c,05,a5,97,cc,bd,1a,1a,40,ab,f5,1d,4d,73,a8,13,\

5c,05,0e,d1,24,d0,99,f6,41,c0,cd,44,cd,b9,a6,33,6c,cd,b8,49,40,df,e8,0f,60,\

b2,45,15,9f,06



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:b0,18,ed,a7,3f,8d,37,a4,d8,a5,3b,f9,7d,\

c0,21,8c,df,20,58,62,78,6b,cf,c8,e0,0d,50,49,a6,85,b5,ad,df,20,58,62,78,6b,\

cf,c8,7e,82,24,be,60,fd,48,ec,b0,18,ed,a7,3f,8d,37,a4,79,35,61,f4,f5,ed,b9,\

80,c6,73,3f,61



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"4d370831d2c43cd13623e232fed27b7b"=hex:97,20,4e,9a,c7,f1,35,ee,a7,bf,7f,13,ac,\

a6,46,aa,fb,a7,78,e6,12,2f,9a,ea,37,19,d7,99,6b,6b,58,fa,fb,a7,78,e6,12,2f,\

9a,ea,08,8d,67,c7,ab,d5,4d,39,97,20,4e,9a,c7,f1,35,ee,71,33,1e,db,ae,ac,ff,\

09,08,e2,da,37



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1d68fe701cdea33e477eb204b76f993d"=hex:aa,52,c6,00,84,3c,26,64,86,ea,e7,95,ee,\

99,16,2a,01,3a,48,fc,e8,04,4a,f1,8a,f7,99,79,45,ea,b6,21,01,3a,48,fc,e8,04,\

4a,f1,13,48,a0,7f,3c,75,43,1b,aa,52,c6,00,84,3c,26,64,eb,e9,e1,02,9b,d3,ff,\

66,c6,1a,e6,39



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,69,26,c1,69,c4,\

78,60,12,f6,0f,4e,58,98,5b,89,c9,ea,8c,20,e9,a3,99,d4,ce,f6,0f,4e,58,98,5b,\

89,c9,78,fb,50,2c,52,7d,5e,93,b2,46,9a,e2,1b,fe,1b,94,bb,d3,6c,fc,17,20,52,\

68,ae,88,15,61



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,40,68,95,ea,56,\

62,74,a4,3d,ce,ea,26,2d,45,aa,78,f6,00,87,62,58,0e,f0,92,3d,ce,ea,26,2d,45,\

aa,78,87,d4,2d,2b,63,68,14,bc,b1,cd,45,5a,a8,c4,f8,b9,c5,28,16,5d,69,20,73,\

66,66,46,8e,e9



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:f8,31,0f,a9,5f,a0,ec,fb,44,62,b8,4a,6e,\

b6,6b,05,2a,b7,cc,b5,b9,7f,41,e7,e5,61,d8,d9,be,93,a2,cf,2a,b7,cc,b5,b9,7f,\

41,e7,c4,0b,ae,a1,03,eb,25,ae,2a,b7,cc,b5,b9,7f,41,e7,d3,4a,13,1b,cf,ca,d8,\

eb,30,92,31,be



[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*NULL*]

@Security="Inherited"

"ThreadingModel"="Apartment"

@="c:\\WINDOWS\\system32\\OLE32.DLL"

"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,cf,47,64,f8,b4,\

c9,90,45,6c,43,2d,1e,aa,22,2f,9c,08,ff,49,47,c8,de,39,67,6c,43,2d,1e,aa,22,\

2f,9c,a7,43,97,53,d2,50,aa,1b,05,73,21,dd,54,d8,4a,c5,6b,38,bc,0f,9e,33,a3,\

d4,3a,69,09,92



[HKEY_LOCAL_MACHINE\software\Digidesign]

@Owner=S-1-5-21-3718370760-455776615-2973682036-1003

@Denied: (A C D) (S-1-5-21-3718370760-455776615-2973682036-1014)

@Allowed: (Full) (S-1-5-21-3718370760-455776615-2973682036-1014)

.

--------------------- DLLs Loaded Under Running Processes ---------------------



- - - - - - - > 'winlogon.exe'(712)

c:\windows\system32\mbx2midu.dll



- - - - - - - > 'lsass.exe'(768)

c:\windows\system32\mbx2midu.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\ewido anti-malware\ewidoctrl.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

c:\program files\iPod\bin\iPodService.exe

.

**************************************************************************

.

Completion time: 2009-01-04 14:37:43 - machine was rebooted

ComboFix-quarantined-files.txt 2009-01-04 19:37:24

ComboFix2.txt 2009-01-03 02:22:51

ComboFix3.txt 2009-01-02 05:10:26

ComboFix4.txt 2009-01-02 04:49:39

ComboFix5.txt 2009-01-04 19:26:08



Pre-Run: 29,507,047,424 bytes free

Post-Run: 29,493,268,480 bytes free



364 --- E O F --- 2008-12-29 22:10:58

Shaba
2009-01-05, 11:05
Hello Protools954

Please see this (http://forums.spybot.info/showthread.php?t=288) next

Please follow the instructions in the above thread and then start a fresh topic with the logs required.

Regards.