Aha! Finally... ComboFix worked!

Here's the log:


ComboFix 10-09-09.04 - willmonotti 11/09/2010 23:31:51.1.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.550 [GMT 10:00]
Running from: c:\documents and settings\willmonotti\Desktop\commy.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Uninstall.ini

.
((((((((((((((((((((((((( Files Created from 2010-08-11 to 2010-09-11 )))))))))))))))))))))))))))))))
.

2010-09-09 13:11 . 2010-09-09 13:11 -------- d-----w- C:\_OTL
2010-09-09 13:09 . 2010-09-09 13:09 -------- d-----w- c:\program files\ERUNT
2010-09-08 12:11 . 2010-09-08 12:11 -------- d-----w- c:\documents and settings\willmonotti\Application Data\Malwarebytes
2010-09-08 12:11 . 2010-04-29 05:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-08 12:11 . 2010-09-08 12:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-08 12:11 . 2010-09-08 12:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-08 12:11 . 2010-04-29 05:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-08 09:57 . 2010-09-08 09:57 -------- d-----w- C:\ComboFix
2010-09-01 13:56 . 2010-09-01 13:56 -------- d-----w- c:\program files\Safer Networking
2010-08-15 10:24 . 2010-08-15 10:24 503808 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4d9ba47b-n\msvcp71.dll
2010-08-15 10:24 . 2010-08-15 10:24 499712 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4d9ba47b-n\jmc.dll
2010-08-15 10:24 . 2010-08-15 10:24 61440 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-40226f48-n\decora-sse.dll
2010-08-15 10:24 . 2010-08-15 10:24 348160 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-4d9ba47b-n\msvcr71.dll
2010-08-15 10:24 . 2010-08-15 10:24 12800 ----a-w- c:\documents and settings\willmonotti\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-40226f48-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-11 12:32 . 2005-05-24 05:18 12 ----a-w- c:\windows\bthservsdp.dat
2010-08-03 07:15 . 2009-05-23 10:52 664 ----a-w- c:\windows\system32\d3d9caps.dat
2008-10-16 01:46 . 2008-10-16 01:46 700 ----a-w- c:\program files\studentVPN.pcf
2008-08-29 04:00 . 2008-08-29 04:00 1073 ----a-w- c:\program files\sig.dat
2008-08-29 04:00 . 2008-08-29 04:00 1099 ----a-w- c:\program files\vpnclient_setup.ini
2008-08-29 04:00 . 2008-08-29 04:00 52224 ----a-w- c:\program files\vpnclient_jp.mst
2008-08-29 04:00 . 2008-08-29 04:00 10935808 ----a-w- c:\program files\vpnclient_setup.msi
2008-08-29 04:00 . 2008-08-29 04:00 51200 ----a-w- c:\program files\vpnclient_fc.mst
2008-08-29 04:00 . 2008-08-29 04:00 819 ----a-w- c:\program files\vpnclient_setup.sms
2008-08-29 04:00 . 2008-08-29 04:00 640 ----a-w- c:\program files\vpnclient_setup.pdf
2008-08-29 04:00 . 2008-08-29 04:00 1822520 ----a-w- c:\program files\instmsiw.exe
2008-08-29 04:00 . 2008-08-29 04:00 1708856 ----a-w- c:\program files\instmsi.exe
2008-08-29 03:59 . 2008-08-29 03:59 56832 ----a-w- c:\program files\vpnclient_setup.exe
2008-08-29 03:58 . 2008-08-29 03:58 221315 ----a-w- c:\program files\installservice.exe
2008-08-29 03:57 . 2008-08-29 03:57 16505 ----a-w- c:\program files\DelayInst.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Google Update"="c:\documents and settings\willmonotti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-06-16 136176]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-15 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\DC++\\DCPlusPlus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3453:TCP"= 3453:TCP:huxutzgk
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [13/11/2009 11:28 AM 110592]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [16/06/2009 8:58 AM 20480]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 ywyyitdy;System Monitor;c:\windows\system32\svchost.exe -k netsvcs [24/05/2005 2:35 PM 14336]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [21/06/2010 4:01 PM 11520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ywyyitdy
.
Contents of the 'Scheduled Tasks' folder

2010-08-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 02:34]

2010-03-24 c:\windows\Tasks\Install_NSS.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-03-15 13:58]

2010-09-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4089067542-3450742136-2425182029-1004Core1cb4c3f70ac632c.job
- c:\documents and settings\willmonotti\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-06-16 10:03]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://trinity.unimelb.edu.au/portal
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyServer = wwwproxy.student.unimelb.edu.au:8000
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\willmonotti\Application Data\Mozilla\Firefox\Profiles\qtrsc0zj.default\
FF - prefs.js: browser.search.defaulturl - hxxp://aim.search.aol.com/search/search?query={searchTerms}&invocationType=tb50-ff-aim-chromesbox-en-us
FF - prefs.js: browser.startup.homepage - hxxps://www.trinitycollege.vic.edu.au/portal/today/today.php
FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50-ff-aim-ab-en-us&query=
FF - prefs.js: network.proxy.ftp - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.ftp_port - 8000
FF - prefs.js: network.proxy.gopher - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.gopher_port - 8000
FF - prefs.js: network.proxy.http - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.http_port - 8000
FF - prefs.js: network.proxy.socks - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.socks_port - 8000
FF - prefs.js: network.proxy.ssl - wwwproxy.unimelb.edu.au
FF - prefs.js: network.proxy.ssl_port - 8000
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\documents and settings\willmonotti\Application Data\Mozilla\Firefox\Profiles\qtrsc0zj.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\willmonotti\Local Settings\Application Data\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-HookURL - (no file)
URLSearchHooks-Rank - (no file)
HKCU-Run-MsnMsgr - c:\program files\Windows Live\Messenger\MsnMsgr.Exe
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-vgr60 - c:\windows\system32\6xc81oz.exe
HKCU-Run-lbhc6y - c:\windows\system32\lr2xd2jk.exe
HKCU-Run-llmcdi - c:\windows\system32\bm5hdyuu.exe
HKCU-Run-rcc86 - c:\windows\system32\q1gw1ni13p.exe
HKCU-Run-mcdi3e - c:\windows\system32\bm86y3pl.exe
HKCU-Run-yuupgg - c:\windows\system32\ytkkfwwr.exe
HKCU-Run-zuvqm - c:\windows\system32\kkfwwrii.exe
HKCU-Run-upggbs - c:\windows\system32\dzpplbbxnn.exe
HKCU-Run-wbxxoo3 - c:\windows\system32\0xdyep0.exe
HKCU-Run-teea6r - c:\windows\system32\w39ee5v1wb.exe
HKCU-Run-tkkfww - c:\windows\system32\i1eaavmmhy.exe
HKCU-Run-pkkgww - c:\windows\system32\ni1eaavmmh.exe
HKCU-Run-ezqqlcc - c:\windows\system32\oojaavmmhy.exe
HKCU-Run-snoejuf - c:\windows\system32\86y2ff6.exe
HKCU-Run-yzpf0w - c:\windows\system32\n20zvfbw.exe
HKCU-Run-nojpk0r - c:\windows\system32\0jff66w.exe
HKCU-Run-falhcc - c:\windows\system32\1qmmhyy.exe
HKCU-Run-xdtyuua - c:\windows\system32\vlw2nyojzav.exe
HKCU-Run-dzuklg2 - c:\windows\system32\rsnt66k8708.exe
HKCU-Run-uplbbxc - c:\windows\system32\pff69m1i.exe
HKCU-Run-faawmm - c:\windows\system32\3wwriid.exe
HKCU-Run-mmiyy6k - c:\windows\system32\fwwriiduupg.exe
HKCU-Run-hcyytkk - c:\windows\system32\qlccxoojaa.exe
HKCU-Run-zaflw - c:\windows\system32\70bxny1.exe
HKCU-Run-cydo8 - c:\windows\system32\cttuzf81.exe
HKCU-Run-wcxtoeu - c:\windows\system32\70i1zuv.exe
HKCU-Run-akvwx - c:\windows\system32\e1vbg3sn.exe
HKCU-Run-vqwxin - c:\windows\system32\60niy1p.exe
HKCU-Run-qhxiioj - c:\windows\system32\1cdi81u.exe
HKCU-Run-hxdtp - c:\windows\system32\hm2noj081q.exe
HKCU-Run-xsoo8 - c:\windows\system32\sndu1klq.exe
HKCU-Run-wrmns - c:\windows\system32\60xs0zf.exe
HKCU-Run-cito0 - c:\windows\system32\chxd60flvr.exe
HKCU-Run-dezpq - c:\windows\system32\w2xyt081alm.exe
HKCU-Run-dzuva - c:\windows\system32\1epqlr8.exe
HKLM-Run-IgfxTray - c:\windows\system32\igfxtray.exe
HKLM-Run-HotKeysCmds - c:\windows\system32\hkcmd.exe
HKLM-Run-SoundMan - SOUNDMAN.EXE
HKLM-Run-KTPWare - c:\program files\Elantech\ktp.exe
AddRemove-Trillian - c:\program files\Trillian\trillian.exe
AddRemove-Universal Soccer Manager 2 - c:\program files\Universal Soccer Manager 2\Uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-11 23:37
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\igfxsrvc.dll
c:\windows\system32\hccutils.DLL
.
Completion time: 2010-09-11 23:40:07
ComboFix-quarantined-files.txt 2010-09-11 13:40

Pre-Run: 4,167,008,256 bytes free
Post-Run: 4,139,712,512 bytes free

- - End Of File - - C6D230758D0672820BBC94C84E897482