troj/rustock


Solved Same Troj/Rustok-N Issue/No Updates

Post by matosmg08 on Sun Dec 28, 2008 2:06 am

I've been following this thread and am having the same problem. Ran your reg fix and still having issues updating Ad-Aware SE (malware software).

Ran DDS, here's my info:

DDS (Version 1.1.0) - NTFSx86
Run at 23:41:34.08 on Fri 12/26/2008
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_11
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1678 [GMT -5:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Universal Shield 4.2\US30Service.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Fotki Desktop\fotki.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Greg Matos\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = [You must be registered and logged in to see this link.]
mStart Page = [You must be registered and logged in to see this link.]

matosmg08
Novice
Posts: 16
Joined: 2008-12-28
OS: Gabriel08
Points: 29000
Likes: 0

Solved Re: troj/rustock

Post by matosmg08 on Sun Dec 28, 2008 2:06 am

mDefault_Page_URL = [You must be registered and logged in to see this link.]
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = [You must be registered and logged in to see this link.]
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: NCO 2.0 IE BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\common files\symantec shared\coshared\browser\2.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\progra~1\common~1\symant~1\ids\IPSBHO.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Show Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\common files\symantec shared\coshared\browser\2.6\CoIEPlg.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: {4E7BD74F-2B8D-469E-8DA9-FD60BB9AAE33} - No File
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [Aim6]
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [AWMON] "c:\program files\lavasoft\ad-aware se plus\Ad-Watch.exe"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for gateway\traybar.exe"
mRun: [Spare Backup] "c:\program files\spare backup\SpareBackup.exe" /silent
mRun: [NapsterShell] c:\program files\napster\napster.exe /systray
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [OCAudioIni] c:\program files\one-click audio converter\OCAudioIni.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [eFax 4.3] "c:\program files\efax messenger 4.3\J2GDllCmd.exe" /R
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [NvSvc] RUNDLL32.EXE c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [osCheck] "c:\program files\norton 360\osCheck.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UVS12 Preload] c:\program files\corel\corel videostudio 12\uvPL.exe
mRunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
StartupFolder: c:\users\gregma~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\users\gregma~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\fotkid~1.lnk - c:\program files\fotki desktop\fotki.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\bigfix.lnk - c:\program files\bigfix\bigfix.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\efax43~1.lnk - c:\program files\efax messenger 4.3\J2GTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &AIM Toolbar Search - c:\programdata\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\users\gregma~1\appdata\roaming\mozilla\firefox\profiles\0t17hi7e.default\
FF - prefs.js: browser.search.defaulturl - [You must be registered and logged in to see this link.]
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - prefs.js: keyword.URL - [You must be registered and logged in to see this link.]
FF - component: c:\program files\mozilla firefox\components\coFFPlgn.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\drivers\Si3531.sys [2008-7-25 212008]
R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\symantec\defini~1\symcdata\ipsdefs\20081220.001\IDSvix86.sys [2008-12-20 270384]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2008-12-25 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\SYMNDISV.SYS [2008-6-13 41008]
R3 US30Kbd;US30Kbd;c:\windows\system32\drivers\US30Kbd2K.sys [2007-2-10 10752]
S1 RCFOX;SonicWALL IPsec Driver;\??\c:\windows\system32\drivers\RCFOX.sys [2008-9-9 91136]
S2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\common files\symantec shared\ccSvcHst.exe" /h ccCommon [2008-2-18 149352]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\drivers\COH_Mon.sys [2008-1-12 23888]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2008-9-9 23180]

=============== Created Last 30 ================

2008-12-26 23:22 --d----- c:\users\gregma~1\appdata\roaming\Webroot
2008-12-26 22:57 --d----- c:\program files\Lavasoft
2008-12-19 21:47 --dshr-- C:\resycled
2008-12-19 21:47 254 ---shr-- C:\autorun.inf
2008-12-09 17:55 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-09 17:30 2,048 a------- c:\windows\system32\tzres.dll
2008-12-09 15:34 28,672 a------- c:\windows\system32\Apphlpdm.dll
2008-12-09 15:34 4,240,384 a------- c:\windows\system32\GameUXLegacyGDFs.dll
2008-12-09 09:03 317 a------- c:\windows\Tiger5.INI

==================== Find3M ====================

2008-12-18 23:59 109,490 a------- c:\users\gregma~1\appdata\roaming\nvModes.dat
2008-12-17 14:08 143,360 a------- c:\windows\inf\infstrng.dat
2008-12-17 14:08 51,200 a------- c:\windows\inf\infpub.dat
2008-12-17 14:08 86,016 a------- c:\windows\inf\infstor.dat
2008-10-31 22:44 52,736 a------- c:\windows\apppatch\iebrshim.dll
2008-10-31 22:44 2,154,496 a------- c:\windows\apppatch\AcGenral.dll
2008-10-31 22:44 541,696 a------- c:\windows\apppatch\AcLayers.dll
2008-10-31 22:44 460,288 a------- c:\windows\apppatch\AcSpecfc.dll
2008-10-31 22:44 173,056 a------- c:\windows\apppatch\AcXtrnal.dll
2008-10-29 01:29 2,927,104 a------- c:\windows\explorer.exe
2008-10-22 21:24 32 a------- C:\ezsid.dat
2008-10-21 22:57 241,152 a------- c:\windows\system32\PortableDeviceApi.dll
2008-10-21 00:25 296,960 a------- c:\windows\system32\gdi32.dll
2008-10-21 00:25 1,645,568 a------- c:\windows\system32\connect.dll
2008-10-16 15:56 1,524,736 a------- c:\windows\system32\wucltux.dll
2008-10-16 15:55 83,456 a------- c:\windows\system32\wudriver.dll
2008-10-16 14:08 162,064 a------- c:\windows\system32\wuwebv.dll
2008-10-16 13:56 31,232 a------- c:\windows\system32\wuapp.exe
2008-10-15 23:47 827,392 a------- c:\windows\system32\wininet.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-15 21:41 174 a--sh--- c:\program files\desktop.ini
2008-09-15 21:25 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-02 19:31 87,608 a------- c:\users\gregma~1\appdata\roaming\inst.exe
2008-03-02 19:31 47,360 a------- c:\users\gregma~1\appdata\roaming\pcouffin.sys
2008-02-22 18:04 32 a------- c:\programdata\ezsid.dat
2008-02-22 18:04 32 a------- c:\progra~2\ezsid.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 07:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 07:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 04:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 04:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 23:42:12.01 ===============

Any trace of Troj/Rustok-N? Think I picked it up on a shady download I shouldn't have pulled. Thanks for any help you can give.

G

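The two root-level entries in the "Created Last 30" section above (C:\resycled with dshr attributes and a 254-byte C:\autorun.inf, both created 2008-12-19 21:47) are the pattern a triage script should pull out of a DDS log. What follows is an added example, not part of the original post and not a DDS component: it parses lines in the layout seen in the posted log and flags hidden+system objects sitting in a drive root, listing the other root-level objects created in the same minute. The line layout and the meaning of the attribute letters (a/d/s/h/r) are inferred from the posted log and are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Lines excerpted from the DDS "Created Last 30" and "Find3M" sections posted above.
# Layout as seen in that log: date, time, optional size (files only, with thousands
# separators), an 8-character attribute column, then the path.
DDS_LINES = r"""
2008-12-26 23:22 --d----- c:\users\gregma~1\appdata\roaming\Webroot
2008-12-19 21:47 --dshr-- C:\resycled
2008-12-19 21:47 254 ---shr-- C:\autorun.inf
2008-12-09 17:55 410,984 a------- c:\windows\system32\deploytk.dll
2008-09-15 21:41 174 a--sh--- c:\program files\desktop.ini
""".strip().splitlines()

_ENTRY = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?"
    r"(?P<attrs>[a-z-]{8}) "
    r"(?P<path>.+)$"
)


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]   # None for directories, which DDS prints without a size
    flags: set            # attribute letters present; assumed meaning: a=archive,
    path: str             # d=directory, s=system, h=hidden, r=read-only


def parse_dds_entry(line):
    """One DDS file line -> Entry, or None for headers and other non-entry lines."""
    m = _ENTRY.match(line.strip())
    if m is None:
        return None
    size = int(m["size"].replace(",", "")) if m["size"] else None
    flags = {c for c in m["attrs"] if c != "-"}
    return Entry(m["date"], m["time"], size, flags, m["path"])


def is_drive_root(path):
    """True for C:\\autorun.inf, False for c:\\windows\\system32\\x.dll."""
    return re.fullmatch(r"[A-Za-z]:\\[^\\]+", path) is not None


def triage(lines):
    """Flag hidden+system objects that sit directly in a drive root and list the
    root-level objects created in the same minute (the rest of the same drop)."""
    entries = [e for e in map(parse_dds_entry, lines) if e is not None]
    findings = []
    for e in entries:
        if not (is_drive_root(e.path) and {"s", "h"} <= e.flags):
            continue
        name = e.path.rsplit("\\", 1)[-1].lower()
        if name == "autorun.inf":
            why = "autorun.inf in the drive root with system+hidden attributes: AutoPlay launcher for a payload"
        elif "d" in e.flags:
            why = "hidden system directory in the drive root: usual home of an autorun.inf payload"
        else:
            why = "hidden system file in the drive root"
        siblings = [o.path for o in entries
                    if o is not e and is_drive_root(o.path)
                    and (o.date, o.time) == (e.date, e.time)]
        findings.append((e.path, why, siblings))
    return findings


if __name__ == "__main__":
    for path, why, siblings in triage(DDS_LINES):
        print(f"{path}: {why}; created alongside {siblings}")
```

Run against the excerpt, it reports only C:\resycled and C:\autorun.inf, each pointing at the other as a same-minute sibling; c:\program files\desktop.ini carries the same s+h attributes but is not in a drive root, so it is left alone, which is the distinction that keeps the check quiet on a normal machine.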

Solved Re: troj/rustock

Post by Belahzur on Sun Dec 28, 2008 2:12 am

Hello.
Before we clean this, do you have any external drives? USB thumb drive or external hard drive?
Because they too are infected and need to be cleaned.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1
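Belahzur's point about external drives follows from what the DDS log showed: an autorun.inf plus a hidden system folder in the root of C: is the marker of a removable-media spreader, which is why a backup drive written two days earlier is assumed to carry the same pair. The following is an added example, not from the thread: a small parser that reads an autorun.inf as text and lists the commands it would hand to the shell, so a suspect drive can be assessed without Explorer acting on them. The sample autorun.inf is constructed; the real 254-byte file is not shown in the thread, and only its target path mirrors the resycled\boot.com that MBAM later removed.

```python
import os
import re

# Constructed sample. The real C:\autorun.inf from the log (254 bytes) is not shown in the
# thread; only the target path here mirrors the resycled\boot.com that MBAM later removed.
# The padding line and mixed casing are deliberate, to show the parser tolerating them.
SAMPLE_AUTORUN_INF = r"""
some padding text that is not part of any section
[AutoRun]
OPEN = resycled\boot.com
shell\open=Explore
shell\open\Command=resycled\boot.com
shell\explore\command=resycled\boot.com
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

LAUNCH_KEYS = ("open", "shellexecute")


def parse_autorun_inf(text):
    """Minimal INI reader: {section: {key: value}} with section and key names
    lower-cased, because Windows reads INI names case-insensitively. Lines that are
    neither a [section] header nor key=value are ignored rather than treated as errors."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def launch_targets(text):
    r"""Every command the file could hand to the shell: open=, shellexecute=, and
    shell\<verb>\command= (the verbs shown on the drive's context menu)."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    targets = []
    for key, value in autorun.items():
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append((key, value))
    return targets


def inspect_volume(root):
    """Read the autorun.inf in a volume root as plain text and report its launch
    targets, or None if the volume has no such file. Nothing is executed."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return None
    with open(path, "r", encoding="latin-1", errors="replace") as fh:
        return launch_targets(fh.read())


if __name__ == "__main__":
    for key, command in launch_targets(SAMPLE_AUTORUN_INF):
        print(f"{key} -> {command}")
```

Windows of that era acted on these keys when the drive was double-clicked in Explorer or AutoPlay fired, so the safer order on the backup disk is inspect_volume("E:\\") first (or whatever letter it mounts as), then remove the autorun.inf and whatever it points at, then scan. Matching is done on lower-cased names and the shell\... keys are matched by prefix and suffix, so "OPEN", "Open" and "shell\Open\Command" are all caught.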

Solved Re: troj/rustock

Post by matosmg08 on Sun Dec 28, 2008 2:22 am

Hi Belahzur,

Thanks for the quick reply. Yes, unfortunately two days ago I backed up my entire computer on an external hard drive. Let me know what I need to do with that. Thanks!


Solved Re: troj/rustock

Post by Belahzur on Sun Dec 28, 2008 2:25 am

Yes, that is infected then.
Please plug it in.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from [You must be registered and logged in to see this link.]

Double-click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.





Solved Re: troj/rustock

Post by matosmg08 on Sun Dec 28, 2008 4:17 am

Thanks. Here are the results of the scan; I restarted my computer as well. What next?

Malwarebytes' Anti-Malware 1.31
Database version: 1550
Windows 6.0.6001 Service Pack 1

12/27/2008 11:10:49 PM
mbam-log-2008-12-27 (23-10-49).txt

Scan type: Quick Scan
Objects scanned: 55194
Time elapsed: 4 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\extravideo (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\resycled (Trojan.DNSChanger) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\msqpdxfeynshvk.dll (Trojan.Agent) -> Delete on reboot.
C:\resycled\boot.com (Trojan.DNSChanger) -> Quarantined and deleted successfully.


Solved Re: troj/rustock

Post by Belahzur on Sun Dec 28, 2008 1:16 pm

1. Download this file - [You must be registered and logged in to see this link.]
2. Double-click combofix.exe & follow the prompts, but select NO when asked to install the recovery console.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Solved Re: troj/rustock

Post by matosmg08 on Mon Dec 29, 2008 3:15 am

The program wasn't able to finish for some reason. But here is the script:

ComboFix 08-12-28.01 - Greg Matos 2008-12-28 22:03:55.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3070.1503 [GMT -5:00]
Running from: c:\users\Greg Matos\Downloads\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-11-28 to 2008-12-29 )))))))))))))))))))))))))))))))
.

2008-12-27 23:00 . 2008-12-27 23:00 d-------- c:\users\Greg Matos\AppData\Roaming\Malwarebytes
2008-12-27 23:00 . 2008-12-27 23:00 d-------- c:\users\All Users\Malwarebytes
2008-12-27 23:00 . 2008-12-27 23:00 d-------- c:\program files\Malwarebytes' Anti-Malware
2008-12-27 23:00 . 2008-12-27 23:00 d-------- c:\progra~2\Malwarebytes
2008-12-27 23:00 . 2008-12-03 19:59 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2008-12-27 23:00 . 2008-12-03 19:59 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-27 21:47 . 2008-12-27 21:47 d-------- c:\users\Greg Matos\AppData\Roaming\OfficeWork Software
2008-12-27 21:40 . 2008-12-27 21:40 d-------- c:\windows\System32\Adobe
2008-12-27 21:40 . 2008-12-27 21:40 d-------- c:\program files\Common Files\crystal decisions
2008-12-27 21:39 . 2008-12-27 21:39 d-------- c:\users\Greg Matos\AppData\Roaming\RelevantReach
2008-12-27 21:39 . 2008-12-27 21:39 d-------- c:\users\All Users\OfficeWork Software
2008-12-27 21:39 . 2008-12-27 21:39 d-------- c:\program files\OfficeWork Software
2008-12-27 21:39 . 2008-12-27 21:39 d-------- c:\progra~2\OfficeWork Software
2008-12-27 15:32 . 2008-12-27 15:32 d-------- c:\program files\Panda Security
2008-12-27 15:32 . 2008-06-19 17:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2008-12-27 15:09 . 2008-12-27 15:19 d-------- c:\users\Greg Matos\.housecall6.6
2008-12-27 14:36 . 2008-12-27 14:44 d-------- C:\NSS
2008-12-26 23:22 . 2008-12-26 23:22 d-------- c:\users\Greg Matos\AppData\Roaming\Webroot
2008-12-26 22:57 . 2008-12-27 23:00 d-------- c:\users\Greg Matos\AppData\Roaming\Lavasoft
2008-12-09 17:55 . 2008-12-09 17:54 410,984 --a------ c:\windows\System32\deploytk.dll
2008-12-09 17:30 . 2008-10-21 20:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-09 15:34 . 2008-10-31 20:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-09 15:34 . 2008-10-31 22:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-09 09:03 . 2008-12-09 09:03 317 --a------ c:\windows\Tiger5.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 19:07 --------- d-----w c:\users\Greg Matos\AppData\Roaming\Spare Backup
2008-12-28 19:05 --------- d-----w c:\users\Greg Matos\AppData\Roaming\FotkiDesktop
2008-12-28 02:40 --------- d-----w c:\program files\Common Files\Adobe
2008-12-26 15:50 --------- d-----w c:\program files\Nvu
2008-12-24 04:08 --------- d-----w c:\users\Greg Matos\AppData\Roaming\Skype
2008-12-24 03:29 --------- d-----w c:\users\Greg Matos\AppData\Roaming\skypePM
2008-12-20 04:49 --------- d-----w c:\program files\Corel
2008-12-19 04:59 109,490 ----a-w c:\users\Greg Matos\AppData\Roaming\nvModes.dat
2008-12-09 22:54 --------- d-----w c:\program files\Java
2008-12-09 22:33 --------- d-----w c:\program files\Windows Mail
2008-12-08 02:24 --------- d-----w c:\progra~2\Microsoft Help
2008-11-29 16:56 --------- d-----w c:\progra~2\Symantec
2008-11-24 04:06 --------- d-----w c:\program files\AIMTunes
2008-11-21 01:32 --------- d-----w c:\program files\AIM6
2008-11-21 01:32 --------- d-----w c:\progra~2\AOL Downloads
2008-11-21 01:26 --------- d-----w c:\program files\Viewpoint
2008-11-21 01:26 --------- d-----w c:\program files\Common Files\Software Update Utility
2008-11-21 01:26 --------- d-----w c:\progra~2\Viewpoint
2008-11-21 01:26 --------- d-----w c:\progra~2\acccore
2008-11-07 20:06 --------- d-----w c:\users\Greg Matos\AppData\Roaming\Ulead Systems
2008-11-07 03:12 --------- d-----w c:\progra~2\Ulead Systems
2008-11-07 03:11 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-07 03:11 --------- d-----w c:\progra~2\InterVideo
2008-11-07 03:10 --------- d-----w c:\program files\Windows Media Components
2008-11-07 03:10 --------- d-----w c:\program files\Common Files\Ulead Systems
2008-11-07 03:05 --------- d-----w c:\users\Greg Matos\AppData\Roaming\InstallShield
2008-11-04 00:18 --------- d-----w c:\program files\Norton 360
2008-11-02 21:54 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-31 05:28 --------- d-----w c:\users\Greg Matos\AppData\Roaming\Progeny
2008-10-31 04:15 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-23 02:24 32 ----a-w C:\ezsid.dat
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 19:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 18:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-16 02:41 174 --sha-w c:\program files\desktop.ini
2008-03-03 00:31 47,360 ----a-w c:\users\Greg Matos\AppData\Roaming\pcouffin.sys
2008-02-22 23:04 32 ----a-w c:\users\All Users\ezsid.dat
2008-02-22 23:04 32 ----a-w c:\progra~2\ezsid.dat
2007-12-10 22:40 6,275,816 ----a-w c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
2007-12-10 22:40 6,275,816 ----a-w c:\program files\opera\program\plugins\ScorchPDFWrapper.dll
2008-06-30 17:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
.

((((((((((((((((((((((((((((( [You must be registered and logged in to see this link.] )))))))))))))))))))))))))))))))))))))))))
.
- 2008-12-28 19:11:45 102,194 ----a-w c:\windows\System32\perfc009.dat
+ 2008-12-29 03:05:52 102,194 ----a-w c:\windows\System32\perfc009.dat
- 2008-12-28 19:11:45 598,588 ----a-w c:\windows\System32\perfh009.dat
+ 2008-12-29 03:05:52 598,588 ----a-w c:\windows\System32\perfh009.dat


Solved Re: troj/rustock

Post by matosmg08 on Mon Dec 29, 2008 3:16 am

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]
@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"
[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]
@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"
[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]
@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"
[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]
2008-10-31 12:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 153136]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2007-03-05 1103480]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-02-15 857648]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Gateway\traybar.exe" [2007-09-13 638976]
"Spare Backup"="c:\program files\Spare Backup\SpareBackup.exe" [2007-09-13 5252936]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"OCAudioIni"="c:\program files\One-click Audio Converter\OCAudioIni.exe" [2006-01-23 57344]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-08-11 185632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-09 136600]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2007-11-09 409600]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-14 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-14 8534560]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-14 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"UVS12 Preload"="c:\program files\Corel\Corel VideoStudio 12\uvPL.exe" [2008-06-09 397456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2007-07-13 40072]

c:\users\Greg Matos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]
Fotki Desktop.lnk - c:\program files\Fotki Desktop\fotki.exe [2008-04-29 2001920]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BigFix.lnk - c:\program files\BigFix\bigfix.exe [2007-12-14 2342912]
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2007-03-29 719664]
eFax 4.3.lnk - c:\program files\eFax Messenger 4.3\J2GTray.exe [2008-04-27 629248]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"midi6"= xgusb.cpl
"VIDC.MFZ0"= MyFlashZip0.ax
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.MPEGacm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\MPEGacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2857160768-3149739328-402376366-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{B1AB1ED7-7DD6-4AAA-94C3-23E9C1064E8D}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{6FCDA6AF-DDBF-44B5-AA47-3C69429EAE67}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{2CF8046A-3290-449E-8FD2-7F8850C77D6C}"= c:\program files\MSN Messenger\livecall.exe:Windows Live Messenger 8.1 (Phone)
"{61066DA9-A807-4F36-99A7-070D5DDDEDE9}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{A1E20A87-462D-43D0-9AA1-419A901D1BB5}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{17E49938-4D98-4EBE-95E0-3CD79BB15D6A}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{E45E8A32-DE10-461E-B4B8-6C1631FF3F1C}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{61FC0B6A-0272-4CAE-AC5D-73CA0B306CE8}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{52A08D4A-CB75-450D-AE54-138759F8A1C6}"= Disabled:UDP:c:\program files\SPSSInc\SPSS16EV\SPSSWinWrapIDE.exe:SPSS Basic Script Editor (1033)
"{86F4DBB8-EFD1-42AF-96C1-1D88F8D114CC}"= Disabled:UDP:c:\program files\SPSSInc\SPSS16EV\spss.com:SPSS 16.0 Evaluation Version (1033:com)
"{6F57E6EE-DC8B-4560-A9DB-64AA7DD41C33}"= Disabled:UDP:c:\program files\SPSSInc\SPSS16EV\spss.exe:SPSS 16.0 Evaluation Version (1033:exe)
"{EC47D5CF-EC0F-43A3-BCDA-E750E42B8C47}"= Disabled:TCP:c:\program files\SPSSInc\SPSS16EV\SPSSWinWrapIDE.exe:SPSS Basic Script Editor (1033)
"{51BF4A75-9E92-4B9A-BECD-04878688FD94}"= Disabled:TCP:c:\program files\SPSSInc\SPSS16EV\spss.com:SPSS 16.0 Evaluation Version (1033:com)
"{B22A09B5-7A61-43F3-A5F3-E24471F08DF0}"= Disabled:TCP:c:\program files\SPSSInc\SPSS16EV\spss.exe:SPSS 16.0 Evaluation Version (1033:exe)
"{6E7300E8-A12E-40AE-8D0B-664D21603121}"= Disabled:UDP:c:\users\Greg Matos\AppData\Local\Temp\7zSD71D.tmp\setup\HPZnui01.exe:hpznui01.exe
"{0423B4A5-5F88-41DA-9232-210417E0FFC6}"= Disabled:TCP:c:\users\Greg Matos\AppData\Local\Temp\7zSD71D.tmp\setup\HPZnui01.exe:hpznui01.exe
"{718FB2A1-4DD3-4FBA-9E33-0A042E179A72}"= Disabled:UDP:c:\users\Greg Matos\AppData\Local\Temp\7zSD71D.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{12263ECD-21AF-4D47-9C71-2BA291A0587F}"= Disabled:TCP:c:\users\Greg Matos\AppData\Local\Temp\7zSD71D.tmp\setup\hponicifs01.exe:hponicifs01.exe
"{A8BD404C-1C57-4544-AF3C-23C94A78D6DF}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{584D84B4-B094-441B-9E23-5E9DC70DA6F0}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{2260701F-9862-42C0-B430-19FA916C9795}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{F7A458DE-5365-4B43-9C47-69DE32E0AB69}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{AFD7E143-1F53-4557-9348-FCE7831F1088}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{D52C0E5F-DFB6-4B19-8B2E-7B07C1E41F4B}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{190AAEC5-4720-44E0-9599-480FB75D09AA}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{E45FB4DA-279A-4F71-AE12-9C05A54CC917}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{06375D90-497A-4A1A-8E65-7ECC3A2A4BB4}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{69BEFD32-93A4-43D6-A57A-D3F80EBCB4E1}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{48FF8251-09CA-4E65-9666-F5A100C3422C}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{7D506DEE-60AB-4E0B-91A7-68820C09366D}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{AC5FE256-0039-4151-9515-2027590F21C0}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{CCD6C67B-B3CE-4CA3-8AF5-57C736C6A1C1}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{AB587E62-249A-4272-8454-4487F5A98865}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{C7292A69-4072-4FF5-99AB-8898DBA2AEA6}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{FF9AFE92-61AE-48F7-A7E3-224E3A019C1A}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{0EF8D19F-9BC6-44E2-AEB7-AE28FBF05E2E}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{7F2DBCB3-9615-4024-B606-8836C030C5C3}"= Disabled:UDP:c:\program files\SPSSInc\SPSS16\spss.exe:SPSS 16.0 for Windows (1033:exe)
"{AA9213C8-8904-4A88-B4E6-A87836033F0D}"= Disabled:TCP:c:\program files\SPSSInc\SPSS16\spss.exe:SPSS 16.0 for Windows (1033:exe)
"{BD38F2A6-C9EA-4B62-A8DB-7F9924642EBF}"= Disabled:UDP:c:\program files\SPSSInc\SPSS16\SPSSWinWrapIDE.exe:SPSS Basic Script Editor (1033)
"{70F4F86D-BBD1-4AB8-A23F-D6456F69142D}"= Disabled:TCP:c:\program files\SPSSInc\SPSS16\SPSSWinWrapIDE.exe:SPSS Basic Script Editor (1033)
"{293D4609-FB41-4128-9067-97397318157F}"= Disabled:UDP:c:\program files\SPSSInc\SPSS16\spss.com:SPSS 16.0 for Windows (1033:com)
"{A7147B4F-B9C0-4FA2-B790-415EDDF47D56}"= Disabled:TCP:c:\program files\SPSSInc\SPSS16\spss.com:SPSS 16.0 for Windows (1033:com)
"{FC857ED8-2A7A-4FF1-9695-D8E639FFAF4C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1BA26668-DFB7-43F4-8D01-5F13CFFC4BBA}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{65D9924F-0DCA-40BE-868C-3D26815A240B}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{732D1B3F-4603-4E98-974C-6E11EA60DF24}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E14E08A6-7DDB-4715-83BC-7C40EE4F7107}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{AC5F3C8B-313F-4BC5-ADA3-235B9946848C}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{7E7CEF5E-44F8-4423-9025-8044DECCDFDA}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{C25D608B-4F90-4463-A12A-17A80D9102BE}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{4A3B67A8-4A96-492F-8470-8FBCE19FC5F5}c:\\program files\\aim6\\aim6.exe"= UDP:c:\program files\aim6\aim6.exe:AIM
"UDP Query User{24000A31-ACDC-442F-8D37-019CE7600E82}c:\\program files\\aim6\\aim6.exe"= TCP:c:\program files\aim6\aim6.exe:AIM
"{10E41B79-9790-4F40-AC33-A3D5CB986D6D}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{B8B4C877-BFEE-49B8-9F91-4B0D88F03275}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{86692ADF-C6FA-4F14-BAE0-B9E7C15BA870}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{56440CB3-F29C-41A6-97FA-EBB21814B558}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"{24C3A46D-F7E6-4912-8B39-2EE05F9B3C9C}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{2FAC270D-FFDB-4736-A9DE-13F9E7590BF7}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-12-27 28544]
R0 Si3531;SiI-3531 SATA Controller;c:\windows\system32\DRIVERS\Si3531.sys [2008-07-25 212008]
R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081220.001\IDSvix86.sys [2008-12-20 270384]
R2 LiveUpdate Notice;LiveUpdate Notice;"c:\program files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon [2008-02-18 149352]
R3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2008-01-12 23888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-25 99376]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
R3 US30Kbd;US30Kbd;c:\windows\system32\Drivers\US30Kbd2K.sys [2007-02-10 10752]
S1 RCFOX;SonicWALL IPsec Driver;\??\c:\windows\system32\Drivers\RCFOX.sys [2008-09-09 91136]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys [2008-09-09 23180]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5c958e2-8eef-11dd-858f-001e4ceada67}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, [You must be registered and logged in to see this link.]
Rootkit scan 2008-12-28 22:07:00
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

[0] 0xFEFF000D

scanning hidden autostart entries ...

scanning hidden files ...

matosmg08
Novice
Posts: 16
Joined: 2008-12-28
OS: Gabriel08
Points: 29000
Likes: 0

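Reading the dump above by eye, the entries a responder pulls out first are the security-policy values, not the long Run and firewall-rule lists: "EnableLUA"= 0 (UAC off, which on Vista also turns off Internet Explorer's Protected Mode), "EnableFirewall"= 0 under both DomainProfile and StandardProfile, the Security Center DisableMonitoring values, the MountPoints2 AutoRun command for G:\LaunchU3.exe, and the *Newly Created Service* lines. The script below is an added example that automates that pass over dump text in this layout. It is not ComboFix, DDS or anything the poster ran; SAMPLE_DUMP is a constructed subset of the dump, and the severity labels and function names are mine.

```python
import re

# Constructed sample: a subset of the ComboFix/DDS dump posted above, in the
# same [section] / "name"= value layout. Test input for this script only.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{6E7300E8-A12E-40AE-8D0B-664D21603121}"= Disabled:UDP:c:\users\Greg Matos\AppData\Local\Temp\7zSD71D.tmp\setup\HPZnui01.exe:hpznui01.exe
"{E14E08A6-7DDB-4715-83BC-7C40EE4F7107}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                       # [HKLM\...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')             # "Name"= value
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command\s+-\s+(.+)$")
NEWSVC_RE = re.compile(r"^\*Newly Created Service\*\s+-\s+(\S+)")
WIN_PATH_RE = re.compile(r"([A-Za-z]:\\[^:]+)")              # drive path inside a rule value
TEMP_DIR_RE = re.compile(r"\\temp\\", re.I)


def _num(value):
    """Integer in a dump value such as '0 (0x0)' or 'dword:00000001'; None if absent."""
    value = value.strip()
    if value.lower().startswith("dword:"):
        return int(value[6:].split()[0], 16)
    m = re.match(r"-?\d+", value)
    return int(m.group()) if m else None


def triage_dump(lines):
    """Walk the dump once and return (severity, finding) tuples in dump order."""
    findings = []
    section = ""
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        sec = section.lower()
        leaf = section.rsplit("\\", 1)[-1]   # last key component, e.g. DomainProfile or G
        m = NEWSVC_RE.match(line)
        if m:
            findings.append(("info", f"service created during the scan: {m.group(1)}"))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in sec:
            findings.append(("high", f"AutoRun handler on volume {leaf}: {m.group(1)}"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2)
        if sec.endswith(r"policies\system") and name == "enablelua" and _num(value) == 0:
            findings.append(("high", "UAC disabled (EnableLUA=0)"))
        elif "firewallpolicy" in sec and name == "enablefirewall" and _num(value) == 0:
            findings.append(("high", f"Windows Firewall off in {leaf}"))
        elif "security center" in sec and name == "disablemonitoring" and _num(value) == 1:
            findings.append(("medium", f"Security Center monitoring disabled for {leaf}"))
        elif sec.endswith("firewallrules"):
            # Rule values look like [Disabled:]TCP|UDP[:port|]:<path>:<display name>
            p = WIN_PATH_RE.search(value)
            if p and TEMP_DIR_RE.search(p.group(1)):
                state = "disabled" if value.lower().startswith("disabled:") else "enabled"
                findings.append(("medium", f"{state} firewall rule for an executable under a Temp directory: {p.group(1)}"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage_dump(SAMPLE_DUMP.splitlines()):
        print(f"[{severity:6}] {finding}")
```

Two of its findings need context before they count as compromise. Suites that register with Security Center set the DisableMonitoring values themselves, and a suite with its own firewall (Norton 360 is installed here; note the SymantecFirewall monitoring key) commonly switches Windows Firewall off, so EnableFirewall=0 in both profiles is probably Norton's doing. EnableLUA=0 is rarely set by legitimate software, and an AutoRun handler on a removable volume is worth confirming with the user (LaunchU3.exe is the launcher that U3-branded USB sticks ship with), so those two go to the top of the questions list. The HP rules under Temp are disabled installer leftovers and are listed only so they are not overlooked.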

Solved Re: troj/rustock

Post by matosmg08 on Mon Dec 29, 2008 3:16 am

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(36352)
c:\windows\system32\btmmhook.dll
.
Completion time: 2008-12-28 22:12:48
ComboFix-quarantined-files.txt 2008-12-29 03:12:42
ComboFix2.txt 2008-12-29 03:01:20

Pre-Run: 51,385,679,872 bytes free
Post-Run: 51,353,948,160 bytes free

280 --- E O F --- 2008-12-22 16:04:22


Solved Re: troj/rustock

Post by Belahzur on Mon Dec 29, 2008 12:59 pm

Hello.
I think the infection was removed by MBAM, to be honest; ComboFix didn't really do anything.

What problems remain?


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator
Posts: 34916
Joined: 2008-08-03
Gender: Male
OS: XP SP3 Media Centre
Points: 245069
Likes: 1


Solved Re: troj/rustock

Post by matosmg08 on Mon Dec 29, 2008 4:18 pm

Belahzur,

I actually ran combofix twice because I forgot to plug in my external hard drive. On the first scan a few files were deleted. If you don't see anything in the second scan, should I be okay? I'm still seeing more frequent pop ups than usual. Thanks again!


Solved Re: troj/rustock

Post by Belahzur on Mon Dec 29, 2008 4:24 pm

Hello.
Please post the log from the first scan; the second scan is clean, but there may be something present on the first scan.





Solved Re: troj/rustock

Post by matosmg08 on Mon Dec 29, 2008 4:35 pm

Is there any way to access the log from the first scan? I didn't save it as a separate file.


Solved Re: troj/rustock

Post by Belahzur on Mon Dec 29, 2008 4:39 pm

Is there a combofix2.txt or combofix3.txt in C:\ or C:\combofix\?





Solved Re: troj/rustock

Post by matosmg08 on Mon Dec 29, 2008 4:50 pm

There's only a ComboFix.txt in C:\ and its scan time is identical to the file I already copied to this thread.


Solved Re: troj/rustock

Post by Belahzur on Mon Dec 29, 2008 4:53 pm

Okay.
Let's get a more up-to-date log.
Please plug in any flash drives or external drives you have.


  • Download random's system information tool (RSIT) by random/random from [You must be registered and logged in to see this link.] and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized)





Solved Re: troj/rustock

Post by matosmg08 on Tue Dec 30, 2008 2:04 am

Logfile of random's system information tool 1.05 (written by random/random)
Run by Greg Matos at 2008-12-29 20:55:39
Microsoft® Windows Vista™ Home Premium Service Pack 1
System drive C: has 49 GB (22%) free of 227 GB
Total RAM: 3070 MB (50% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:58:28 PM, on 12/29/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Camera Assistant Software for Gateway\traybar.exe
C:\Program Files\Spare Backup\SpareBackup.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\eFax Messenger 4.3\J2GTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Fotki Desktop\fotki.exe
C:\Program Files\Camera Assistant Software for Gateway\CEC_MAIN.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\PROGRA~1\MICROS~3\Office12\OUTLOOK.EXE
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\Greg Matos\Downloads\RSIT.exe
C:\Program Files\trend micro\Greg Matos.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [You must be registered and logged in to see this link.]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [You must be registered and logged in to see this link.]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Gateway\traybar.exe"
O4 - HKLM\..\Run: [Spare Backup] "C:\Program Files\Spare Backup\SpareBackup.exe" /silent
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [OCAudioIni] C:\Program Files\One-click Audio Converter\OCAudioIni.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [UVS12 Preload] C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Fotki Desktop.lnk = C:\Program Files\Fotki Desktop\fotki.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: eFax 4.3.lnk = C:\Program Files\eFax Messenger 4.3\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - [You must be registered and logged in to see this link.]
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - [You must be registered and logged in to see this link.]
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - [You must be registered and logged in to see this link.]
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - [You must be registered and logged in to see this link.]
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SonicWall VPN Client Service (RampartSvc) - SonicWALL, Inc. - C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: US30Service - Unknown owner - C:\Program Files\Universal Shield 4.2\US30Service.exe

--
End of file - 11570 bytes

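A triage pass over the HijackThis section above, as an added example that is not HijackThis, RSIT or anything posted in this thread: it parses the O1/O2/O4/O16/O23 line layouts shown in that log and flags the load points a reviewer checks first (a BHO whose DLL is gone, an autostart running from a user-writable directory, a rundll32 launcher, a startup shortcut with no resolvable target, ActiveX download controls, and services whose file carries no company name). SAMPLE_HJT copies a few lines from the log and adds one constructed HKCU Run entry, sample_constructed.exe, that is not on the poster's machine, so the user-writable-path check has a positive case; the severity labels and function names are mine.

```python
import re

# Constructed sample in the HijackThis v2.0.2 layout of the log above: a few
# lines copied from it plus one made-up HKCU Run entry (sample_constructed.exe)
# that is NOT in the poster's log, so the user-writable-path check has a hit.
SAMPLE_HJT = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [constructed] C:\Users\Greg Matos\AppData\Local\Temp\sample_constructed.exe
O4 - Global Startup: Bluetooth.lnk = ?
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - (url omitted)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")              # "O4 - <body>"
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
BHO_RE = re.compile(r"^BHO:\s+(.*?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.*)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(\w+):\s+\[([^\]]+)\]\s+(.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup:\s+(.+?)\s+=\s+(.*)$")
DPF_RE = re.compile(r"^DPF:\s+(\{[^}]+\})\s+\(([^)]*)\)\s+-\s+(.*)$")
SVC_RE = re.compile(r"^Service:\s+(.*?)\s+-\s+(.*?)\s+-\s+(.*)$")
EXE_PATH_RE = re.compile(r'^"?([A-Za-z]:\\.+?\.(?:exe|dll|scr|com|cpl|bat|cmd))', re.I)
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|downloads)\\", re.I)


def _command_path(cmd):
    """Image path of an O4 command and whether it is launched through rundll32."""
    if cmd.lower().startswith("rundll32"):
        parts = cmd.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
        return rest.split(",", 1)[0].strip().strip('"'), True
    m = EXE_PATH_RE.match(cmd)
    return (m.group(1) if m else cmd.split()[0].strip('"')), False


def triage_hjt(lines):
    """Return (severity, finding) tuples for the lines a reviewer checks first."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "O1":
            h = HOSTS_RE.match(body)
            if h and not (h.group(1) in ("127.0.0.1", "::1") and h.group(2).lower() == "localhost"):
                findings.append(("medium", f"hosts file override: {h.group(1)} {h.group(2)}"))
        elif code == "O2":
            b = BHO_RE.match(body)
            if b and b.group(3).lower() == "(no file)":
                findings.append(("low", f"orphaned BHO {b.group(2)}: registered but file missing"))
        elif code == "O4":
            r, s = RUN_RE.match(body), STARTUP_RE.match(body)
            if r:
                name, cmd = r.group(3), r.group(4)
            elif s:
                name, cmd = s.group(1), s.group(2)
            else:
                continue
            if cmd == "?":
                findings.append(("info", f"startup shortcut {name} has no resolvable target"))
                continue
            path, via_rundll = _command_path(cmd)
            if via_rundll:
                findings.append(("info", f"rundll32 launcher {name} loads {path}; verify the DLL"))
            if USER_WRITABLE_RE.search(path):
                findings.append(("high", f"autostart {name} runs from a user-writable path: {path}"))
        elif code == "O16":
            d = DPF_RE.match(body)
            if d:
                findings.append(("info", f"ActiveX download control {d.group(2)} {d.group(1)} from {d.group(3)}"))
        elif code == "O23":
            v = SVC_RE.match(body)
            if v and v.group(2).lower() == "unknown owner":
                findings.append(("medium", f"service {v.group(1)} has no file-version owner: {v.group(3)}"))
    return findings


if __name__ == "__main__":
    for severity, finding in triage_hjt(SAMPLE_HJT.splitlines()):
        print(f"[{severity:6}] {finding}")
```

Run against the full posted log, the only lines it flags are the orphaned BHO {7E853D72-...} (a CLSID whose DLL is gone; HijackThis can remove it, but it is not evidence of an active infection), the three NVIDIA rundll32 launchers (normal for that driver, but always confirm the DLL path is under system32), the Bluetooth.lnk shortcut HijackThis could not resolve, the three O16 ActiveX installers, and the two services whose file has no company name (Symantec Core LC and US30Service). None of that is a load point a user-mode scanner would miss, which fits the reply that MBAM had already done the removal.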

Solved Re: troj/rustock

Post by matosmg08 on Tue Dec 30, 2008 2:04 am

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2007-12-07 1377576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll [2008-06-30 349552]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
Symantec Intrusion Prevention - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll [2008-09-21 116088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2008-12-09 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA6319C0-31B7-401E-A518-A07C3DB8F777}]
CBrowserHelperObject Object - c:\windows\system32\BAE.dll [2006-01-31 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2008-12-09 34816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - Show Norton Toolbar - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll [2008-06-30 349552]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-02-12 174872]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2007-02-15 857648]
"Camera Assistant Software"=C:\Program Files\Camera Assistant Software for Gateway\traybar.exe [2007-09-13 638976]
"Spare Backup"=C:\Program Files\Spare Backup\SpareBackup.exe [2007-09-13 5252936]
"GrooveMonitor"=C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe [2006-10-27 31016]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"OCAudioIni"=C:\Program Files\One-click Audio Converter\OCAudioIni.exe [2006-01-23 57344]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-03-01 153136]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2006-12-10 49152]
"eFax 4.3"=C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe [2007-03-06 116224]
"TkBellExe"=C:\Program Files\Common Files\Real\Update_OB\realsched.exe [2008-08-11 185632]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2008-12-09 136600]
"SysTrayApp"=C:\Program Files\IDT\WDM\sttray.exe [2007-11-09 409600]
"NvSvc"=C:\Windows\system32\nvsvc.dll [2007-11-14 86016]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2007-11-14 8534560]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2007-11-14 81920]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-09-06 413696]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-09-03 111936]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-10-17 51048]
"osCheck"=C:\Program Files\Norton 360\osCheck.exe [2008-02-26 988512]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-10-01 289576]
"UVS12 Preload"=C:\Program Files\Corel\Corel VideoStudio 12\uvPL.exe [2008-06-09 397456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"=C:\Windows\SMINST\launcher.exe [2007-07-13 40072]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 125952]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-05-16 153136]
"igndlm.exe"=C:\Program Files\Download Manager\DLM.exe [2007-03-05 1103480]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-19 202240]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
eFax 4.3.lnk - C:\Program Files\eFax Messenger 4.3\J2GTray.exe
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Users\Greg Matos\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Fotki Desktop.lnk - C:\Program Files\Fotki Desktop\fotki.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5c958e2-8eef-11dd-858f-001e4ceada67}]
shell\AutoRun\command - G:\LaunchU3.exe -a


======File associations======

.js - edit - "C:\Program Files\Macromedia\Dreamweaver 8\dreamweaver.exe" "%1"

======List of files/folders created in the last 1 months======

2008-12-29 20:55:45 ----D---- C:\Program Files\trend micro
2008-12-29 20:55:39 ----D---- C:\rsit
2008-12-29 20:55:39 ----D---- \rsit
2008-12-28 22:12:49 ----A---- C:\ComboFix.txt
2008-12-28 22:12:49 ----A---- \ComboFix.txt
2008-12-28 21:50:59 ----A---- C:\Windows\zip.exe
2008-12-28 21:50:59 ----A---- C:\Windows\SWREG.exe
2008-12-28 21:50:59 ----A---- C:\Windows\NIRCMD.exe
2008-12-28 21:50:58 ----A---- C:\Windows\VFIND.exe
2008-12-28 21:50:58 ----A---- C:\Windows\SWXCACLS.exe
2008-12-28 21:50:58 ----A---- C:\Windows\SWSC.exe
2008-12-28 21:50:58 ----A---- C:\Windows\sed.exe
2008-12-28 21:50:58 ----A---- C:\Windows\grep.exe
2008-12-28 21:50:58 ----A---- C:\Windows\fdsv.exe
2008-12-28 21:50:37 ----D---- C:\Windows\ERDNT
2008-12-28 21:50:37 ----AD---- C:\Qoobox
2008-12-28 21:50:37 ----AD---- \Qoobox
2008-12-27 23:12:31 ----D---- C:\Avenger
2008-12-27 23:12:31 ----D---- \Avenger
2008-12-27 23:00:27 ----D---- C:\Users\Greg Matos\AppData\Roaming\Malwarebytes
2008-12-27 23:00:21 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-12-27 21:47:02 ----D---- C:\Users\Greg Matos\AppData\Roaming\OfficeWork Software
2008-12-27 21:40:51 ----D---- C:\Windows\system32\Adobe
2008-12-27 21:40:41 ----D---- C:\Program Files\Common Files\crystal decisions
2008-12-27 21:39:10 ----D---- C:\Users\Greg Matos\AppData\Roaming\RelevantReach
2008-12-27 21:39:04 ----D---- C:\Program Files\OfficeWork Software
2008-12-27 15:32:30 ----D---- C:\Program Files\Panda Security
2008-12-27 14:36:37 ----D---- C:\NSS
2008-12-27 14:36:37 ----D---- \NSS
2008-12-26 23:22:38 ----D---- C:\Users\Greg Matos\AppData\Roaming\Webroot
2008-12-26 22:57:54 ----D---- C:\Users\Greg Matos\AppData\Roaming\Lavasoft
2008-12-17 14:08:55 ----A---- C:\Windows\system32\mshtml.dll
2008-12-09 17:55:07 ----A---- C:\Windows\system32\javaws.exe
2008-12-09 17:55:07 ----A---- C:\Windows\system32\deploytk.dll
2008-12-09 17:55:06 ----A---- C:\Windows\system32\javaw.exe
2008-12-09 17:55:06 ----A---- C:\Windows\system32\java.exe
2008-12-09 17:30:03 ----A---- C:\Windows\system32\tzres.dll
2008-12-09 15:34:12 ----A---- C:\Windows\system32\Apphlpdm.dll
2008-12-09 15:34:11 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2008-12-09 15:33:39 ----A---- C:\Windows\system32\gdi32.dll
2008-12-09 15:33:36 ----A---- C:\Windows\system32\shell32.dll
2008-12-09 15:33:30 ----A---- C:\Windows\explorer.exe
2008-12-09 15:33:25 ----A---- C:\Windows\system32\urlmon.dll
2008-12-09 15:33:25 ----A---- C:\Windows\system32\ieframe.dll
2008-12-09 15:33:24 ----A---- C:\Windows\system32\wininet.dll
2008-12-09 15:33:24 ----A---- C:\Windows\system32\mstime.dll
2008-12-09 15:33:24 ----A---- C:\Windows\system32\iertutil.dll
2008-12-09 15:33:23 ----A---- C:\Windows\system32\jsproxy.dll
2008-12-09 15:33:19 ----A---- C:\Windows\system32\mf.dll
2008-12-09 15:33:18 ----A---- C:\Windows\system32\WMVCORE.DLL
2008-12-09 15:33:17 ----A---- C:\Windows\system32\WMNetMgr.dll
2008-12-09 15:33:17 ----A---- C:\Windows\system32\logagent.exe
2008-12-09 09:03:15 ----A---- C:\Windows\Tiger5.INI

======List of files/folders modified in the last 1 months======

2008-12-29 20:56:04 ----D---- C:\Windows\Prefetch
2008-12-29 20:55:58 ----D---- C:\Windows\Temp
2008-12-29 20:55:45 ----D---- C:\Program Files
2008-12-29 20:55:45 ----D---- \Program Files
2008-12-29 20:54:35 ----D---- C:\Program Files\Mozilla Firefox
2008-12-29 19:04:51 ----HD---- C:\Windows\inf
2008-12-29 19:04:51 ----D---- C:\Windows\System32
2008-12-29 19:04:51 ----A---- C:\Windows\system32\PerfStringBackup.INI
2008-12-29 18:59:36 ----D---- C:\Users\Greg Matos\AppData\Roaming\Spare Backup
2008-12-29 18:58:49 ----A---- C:\Windows\NeroDigital.ini
2008-12-29 18:58:26 ----A---- C:\Windows\win.ini
2008-12-29 18:58:23 ----D---- C:\Users\Greg Matos\AppData\Roaming\FotkiDesktop
2008-12-28 22:12:53 ----D---- C:\Windows\system32\en-US
2008-12-28 22:12:50 ----D---- C:\Windows
2008-12-28 22:12:50 ----D---- \Windows
2008-12-28 22:07:02 ----A---- C:\Windows\system.ini
2008-12-28 22:05:31 ----D---- C:\Windows\system32\drivers
2008-12-28 22:05:30 ----D---- C:\Windows\AppPatch
2008-12-28 22:05:30 ----D---- C:\Program Files\Common Files
2008-12-27 23:00:21 ----HD---- C:\ProgramData
2008-12-27 23:00:21 ----HD---- \ProgramData
2008-12-27 21:40:51 ----D---- C:\Program Files\Common Files\Adobe
2008-12-27 21:39:19 ----SHD---- C:\Windows\Installer
2008-12-27 21:39:19 ----HD---- C:\Config.Msi
2008-12-27 21:39:19 ----HD---- \Config.Msi
2008-12-27 18:50:03 ----A---- C:\Windows\ntbtlog.txt
2008-12-27 15:31:35 ----SD---- C:\Windows\Downloaded Program Files
2008-12-26 16:11:04 ----SHD---- C:\System Volume Information
2008-12-26 16:11:04 ----SHD---- \System Volume Information
2008-12-26 16:03:03 ----D---- C:\Windows\system32\catroot2
2008-12-26 10:50:54 ----D---- C:\Program Files\Nvu
2008-12-23 23:08:54 ----D---- C:\Users\Greg Matos\AppData\Roaming\Skype
2008-12-23 22:29:27 ----D---- C:\Users\Greg Matos\AppData\Roaming\skypePM
2008-12-23 08:30:09 ----D---- C:\Windows\Minidump
2008-12-21 19:50:51 ----D---- C:\Windows\system32\WDI
2008-12-19 23:49:39 ----D---- C:\Program Files\Corel
2008-12-17 14:28:36 ----D---- C:\Windows\rescache
2008-12-17 14:09:09 ----D---- C:\Windows\winsxs
2008-12-17 14:09:02 ----D---- C:\Windows\system32\catroot
2008-12-17 14:07:12 ----D---- C:\Windows\system
2008-12-09 17:54:43 ----D---- C:\Program Files\Java
2008-12-09 17:33:02 ----D---- C:\Program Files\Windows Mail
2008-12-02 16:26:30 ----A---- C:\Windows\system32\mrt.exe


Solved Re: troj/rustock

Post by Belahzur on Tue Dec 30, 2008 2:13 am

Will give this more of a look over in the morning when I have more time.


Please PM me if I fail to respond within 24hrs.


Solved Re: troj/rustock

Post by matosmg08 on Tue Dec 30, 2008 2:18 am

Thanks for all your help. Here is the rest of the log.txt:

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys [2008-09-17 371248]
R1 IDSvix86;Symantec Intrusion Prevention Driver; \??\C:\PROGRA~2\Symantec\DEFINI~1\SymcData\ipsdefs\20081220.001\IDSvix86.sys [2008-09-12 270384]
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys [2008-09-05 447024]
R1 SRTSPX;SRTSPX; C:\Windows\System32\Drivers\SRTSPX.SYS [2008-01-31 43696]
R1 SymIM;Symantec Network Security Intermediate Filter Driver; C:\Windows\system32\DRIVERS\SymIMv.sys [2008-06-13 24112]
R1 SYMTDI;SYMTDI; C:\Windows\System32\Drivers\SYMTDI.SYS [2008-06-13 184240]
R1 US30Sys;US30Sys; C:\Windows\System32\Drivers\US30XP.sys [2007-03-27 110592]
R2 CO_Mon;CO_Mon; \??\C:\Windows\system32\drivers\CO_Mon.sys [2007-08-08 36056]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\Windows\system32\DRIVERS\AGRSM.sys [2007-10-30 1201632]
R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2008-01-19 19456]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2008-04-28 29184]
R3 btwaudio;Bluetooth Audio Device Service; C:\Windows\system32\drivers\btwaudio.sys [2007-03-29 79664]
R3 btwavdt;Bluetooth AVDT; C:\Windows\system32\drivers\btwavdt.sys [2007-02-27 81200]
R3 btwrchid;btwrchid; C:\Windows\system32\DRIVERS\btwrchid.sys [2007-02-27 16432]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-17 99376]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 NAVENG;NAVENG; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20081229.003\NAVENG.SYS [2008-11-11 89104]
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~2\Symantec\DEFINI~1\VIRUSD~1\20081229.003\NAVEX15.SYS [2008-11-11 876112]
R3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-11-14 8234176]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2008-01-19 49664]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-08-06 124928]
R3 RTSTOR;Realtek USB 2.0 Card Reader; C:\Windows\system32\drivers\RTSTOR.SYS [2008-06-23 62464]
R3 SRTSP;SRTSP; C:\Windows\System32\Drivers\SRTSP.SYS [2008-01-31 279088]
R3 STHDA;IDT High Definition Audio CODEC; C:\Windows\system32\DRIVERS\stwrt.sys [2007-11-09 356352]
R3 StillCam;Still Serial Digital Camera Driver; C:\Windows\system32\DRIVERS\serscan.sys [2008-01-19 9216]
R3 SYMDNS;SYMDNS; C:\Windows\System32\Drivers\SYMDNS.SYS [2008-06-13 13616]
R3 SymEvent;SymEvent; \??\C:\Windows\system32\Drivers\SYMEVENT.SYS [2008-09-24 123952]
R3 SYMFW;SYMFW; C:\Windows\System32\Drivers\SYMFW.SYS [2008-06-13 96432]
R3 SYMNDISV;SYMNDISV; C:\Windows\System32\Drivers\SYMNDISV.SYS [2008-06-13 41008]
R3 SYMREDRV;SYMREDRV; C:\Windows\System32\Drivers\SYMREDRV.SYS [2008-06-13 22320]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2007-02-15 182456]
R3 US30Kbd;US30Kbd; C:\Windows\System32\Drivers\US30Kbd2K.sys [2007-02-10 10752]
R3 usbvideo;Gateway USB 2.0 Webcam; C:\Windows\System32\Drivers\usbvideo.sys [2008-01-19 134016]
R3 UVCFTR;UVCFTR; C:\Windows\System32\Drivers\UVCFTR_S.SYS [2007-05-23 11776]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
S1 RCFOX;SonicWALL IPsec Driver; \??\C:\Windows\system32\Drivers\RCFOX.sys [2004-10-15 91136]
S3 ac97intc;Intel(r) 82801 Audio Driver Install Service (WDM); C:\Windows\system32\drivers\ac97intc.sys [2006-11-02 108032]
S3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2008-04-28 220160]
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 COH_Mon;COH_Mon; \??\C:\Windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\ialmnt5.sys [2006-11-02 1302492]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista; C:\Windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
S3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2008-03-02 47360]
S3 rcvpn;SonicWALL VPN Adapter; C:\Windows\system32\DRIVERS\rcvpn.sys [2003-08-20 23180]
S3 SRTSPL;SRTSPL; C:\Windows\System32\Drivers\SRTSPL.SYS [2008-01-31 317616]
S3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2008-01-19 73088]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]
S3 YMIDUSB;YAMAHA Corporation USB MIDI Driver; C:\Windows\System32\Drivers\ymidusb.sys [2005-07-25 14464]
S4 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2006-11-02 82432]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Windows\system32\agrsmsvc.exe [2007-09-26 12800]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-10-01 116040]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe [2008-02-21 238968]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-08-29 238888]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 HPSLPSVC;HP Network Devices Support; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-02-12 355096]
R2 LiveUpdate Notice;LiveUpdate Notice; C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-10-17 149352]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
R2 STacSV;Audio Service; C:\Windows\system32\STacSV.exe [2007-11-09 212992]
R2 US30Service;US30Service; C:\Program Files\Universal Shield 4.2\US30Service.exe [2007-02-09 24576]
R3 hpqcxs08;hpqcxs08; C:\Windows\system32\svchost.exe [2008-01-19 21504]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-10-01 536872]
R3 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-05-16 271920]
R3 Symantec Core LC;Symantec Core LC; C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe [2008-09-21 1245064]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-03-23 72704]
S3 comHost;COM Host; C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe [2007-08-22 55640]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2008-04-22 654848]
S3 GameConsoleService;GameConsoleService; C:\Program Files\Gateway Games\Gateway Game Console\GameConsoleService.exe [2007-08-29 181800]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 LiveUpdate;LiveUpdate; C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE [2008-09-05 3220856]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 NBService;NBService; C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe [2007-04-13 792112]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 RampartSvc;SonicWall VPN Client Service; C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe [2004-10-15 131072]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\MSN Messenger\usnsvc.exe [2007-01-19 97136]

-----------------EOF-----------------


Solved Re: troj/rustock

Post by matosmg08 on Tue Dec 30, 2008 2:28 am

info.txt logfile of random's system information tool 1.05 2008-12-29 20:58:32

======Uninstall list======

Moyea SWF to Video Converter Pro version 3.0.1.4-->"C:\Program Files\Moyea\SWF to Video Pro\unins000.exe"
-->"C:\Program Files\Gateway Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Blasterball 3\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Chuzzle Deluxe\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Diner Dash\Uninstall.exe"
-->"C:\Program Files\Gateway Games\FATE\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Gateway Game Console\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Tradewinds\Uninstall.exe"
-->"C:\Program Files\Gateway Games\Virtual Villagers - A New Home\Uninstall.exe"
-->"C:\Program Files\InstallShield Installation Information\{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23}\setup.exe" --u:{BB8AE808-F003-4C7F-B56B-8C80EEAFFE23}
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroBackItUp.exe /UNINSTALL
-->C:\Windows\UNNeroMediaHome.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
-->C:\Windows\UNNeroVision.exe /UNINSTALL
-->C:\Windows\UNRecode.exe /UNINSTALL
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
AceFTP 3 Freeware-->"C:\Program Files\Visicom Media\AceFTP 3 Freeware\uninst-[You must be registered and logged in to see this link.]
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe ExtendScript Toolkit 2-->C:\Program Files\Common Files\Adobe\Installers\3e054d2218e7aa282c2369d939e58ff\Setup.exe
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{24D7346D-D4B4-45E8-98EA-75EC14B42DD8}
Adobe Extension Manager CS3-->MsiExec.exe /I{D7A53E41-3F32-4A44-989C-53DDEBB2130C}
Adobe Fireworks CS3-->C:\Program Files\Common Files\Adobe\Installers\bbef028176efa5abf0233d3e1747be8\Setup.exe
Adobe Fireworks CS3-->MsiExec.exe /I{7DFC1012-D346-46CE-B03E-FF79125AE029}
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player 9 ActiveX-->C:\Windows\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Setup-->MsiExec.exe /I{B3C02EC1-A7B0-4987-9A43-8789426AAA7D}
Adobe Setup-->MsiExec.exe /I{C92A5A89-B218-46F7-8898-77C52113FFE0}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Agere Systems HDA Modem-->agrsmdel
AIM 6-->C:\Program Files\AIM6\uninst.exe
AIMTunes-->C:\Program Files\AIMTunes\Uninstall.exe
AppCore-->MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Apple Mobile Device Support-->MsiExec.exe /I{976C2B2A-CE59-4AB3-83FB-BF895E28F2E6}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Backup-->MsiExec.exe /I{24DF7221-644B-4C3A-A478-459502D40522}
BASC-2 and PRQ ASSIST-->"C:\Program Files\AGS\BASC-2 and PRQ ASSIST\Uninstall_BASC-2 and PRQ ASSIST\Uninstall BASC-2 and PRQ ASSIST.exe"
BigFix-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{34FF0741-EC67-4C05-AC2A-6D257123DF2E}\setup.exe" -l0x9 -uninst -f"C:\Program Files\BigFix\Uninst.isu" -c"C:\Program Files\BigFix\Lib\UninstallHelper.dll"
BigOven-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E0267007-A6FD-4304-8131-346D1CEA6F82}\Setup.exe" -l0x9
Bonjour-->MsiExec.exe /I{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}
Browser Address Error Redirector-->regsvr32 /u /s "c:\windows\system32\BAE.dll"
Camera Assistant Software for Gateway-->C:\Program Files\InstallShield Installation Information\{39098402-3F7A-4257-A4AE-FC1181D1B40B}\setup.exe -runfromtemp -l0x0009
ccCommon-->MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Chessmaster Grandmaster Edition-->C:\Program Files\InstallShield Installation Information\{27614800-84A9-484E-9CCB-43ED2F1205F5}\setup.exe -runfromtemp -l0x0409
Comcast High-Speed Internet Install Wizard-->C:\Program Files\support.com\uninstall\chsi_uninstaller.exe
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Corel VideoStudio 12-->C:\Program Files\InstallShield Installation Information\{F0FDF9C9-1DDC-401F-B638-36F1CAE8A875}\setup.exe -runfromtemp -l0x0409
Download Manager 2.3.6-->C:\Program Files\Download Manager\uninst.exe
Download Updater (AOL LLC)-->C:\Program Files\Common Files\Software Update Utility\uninstall.exe
eFax Messenger 4.3-->C:\Program Files\eFax Messenger 4.3\Uninstall.exe
Fotki Desktop-->"C:\Program Files\Fotki Desktop\unins000.exe"
Gateway Connect-->MsiExec.exe /I{EE5EEDAF-F932-462B-A2CB-EEBDF819D5F5}
Gateway Games-->"C:\Program Files\Gateway Games\Uninstall.exe"
Gateway Recovery Center Installer-->MsiExec.exe /X{7F3BCF8A-8E02-4659-AF25-F9AB66BD6718}
GearDrvs-->MsiExec.exe /I{206FD69B-F9FE-4164-81BD-D52552BC9C23}
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
HP Imaging Device Functions 8.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP OCR Software 8.0-->C:\Program Files\HP\Digital Imaging\OCR\hpzscr01.exe -datfile hpqbud11.dat
HP Officejet Pro All-In-One Series-->C:\Program Files\HP\Digital Imaging\{868EA922-5675-4E91-BDA6-BBD0F923C5EF}\setup\hpzscr01.exe -datfile hpwscr05.dat
HP Solution Center 8.0-->C:\Program Files\HP\Digital Imaging\eSupport\hpzscr01.exe -datfile hpqbud05.dat
HP Update-->MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
IDT Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}\setup.exe" -l0x9 -remove -removeonly
InqScribe 2.0.1-->"C:\Program Files\InqScribe\unins000.exe"
Intel(R) Matrix Storage Manager-->C:\Windows\System32\Imsmudlg.exe
iTunes-->MsiExec.exe /I{DDDE0BE3-0CBE-4BF6-B75A-E3F69C947843}
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LabelPrint-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\Setup.exe" -uninstall
LiveUpdate (Symantec Corporation)-->MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\ProgramData\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation)-->MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
LiveUpdate 3.2 (Symantec Corporation)-->"C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation)-->MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Macromedia Dreamweaver 8-->MsiExec.exe /I{0837A661-FEC3-48B3-876C-91E7D32048A9}
Macromedia Extension Manager-->MsiExec.exe /I{5546CDB5-2CE2-498B-B059-5B3BF81FC41F}
Macromedia Flash 8 Video Encoder-->MsiExec.exe /X{8BF2C401-02CE-424D-BC26-6C4F9FB446B6}
Macromedia Flash 8-->MsiExec.exe /I{2BD5C305-1B27-4D41-B690-7A61172D2FEB}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MFZ0 codec (Remove Only)-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall


Solved Re: troj/rustock

Post by matosmg08 on Tue Dec 30, 2008 2:30 am

132 C:\Windows\INF\MFZ0Vfw.INF
Microsoft Money 2007-->"C:\Program Files\Microsoft Money 2007\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries-->MsiExec.exe /X{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft WSE 2.0 SP3 Runtime-->MsiExec.exe /X{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}
MobileMe Control Panel-->MsiExec.exe /I{6DA9102E-199F-43A0-A36B-6EF48081A658}
Mozilla Firefox (3.0.5)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.14)-->C:\Program Files\Mozilla Thunderbird\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Nero 7 Premium-->MsiExec.exe /X{A20A58C4-6784-4B4B-86CC-94E2E3671033}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Netflix Movie Viewer-->MsiExec.exe /X{BCE72AED-3332-4863-9567-C5DCB9052CA2}
Norton 360 (Symantec Corporation)-->"C:\Program Files\Common Files\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_2_0_0_242\Setup.exe" /X
Norton 360 HTMLHelp-->MsiExec.exe /I{0BDD3FAD-61CD-4BF3-B9C4-4CEFD43F53F8}
Norton 360-->MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360-->MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360-->MsiExec.exe /I{40DA9A54-48CA-4A2C-AEAF-F67715BB046E}
Norton Confidential Core-->MsiExec.exe /I{55A6283C-638A-4EE0-B491-51118554BDA2}
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
Nvu 1.0-->"C:\Program Files\Nvu\unins000.exe"
One-click Audio Converter Uninstall-->"C:\Program Files\One-click Audio Converter\unins000.exe"
OpenOffice.org Installer 1.0-->MsiExec.exe /X{0D499481-22C6-4B25-8AC2-6D3F6C885FB9}
OrgChart Professional 4.5-->C:\Program Files\OfficeWork Software\OrgChart Professional\uninst.exe
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
Power2Go 5.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek 8169 PCI, 8168 and 8101E PCIe Ethernet Network Card Driver for Windows Vista-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek USB 2.0 Card Reader-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DC24971E-1946-445D-8A82-CE685433FA7D}\setup.exe" -l0x9 -removeonly
Room Arranger (remove only)-->"C:\Program Files\Room Arranger\uninstall.exe"
Safari-->MsiExec.exe /I{C9D96682-5A4D-45FA-BA3E-DDCB2B0CB868}
Secs v1.111-->C:\Program Files\Common Files\InstallerA\Setup.exe /SECS
Shop for HP Supplies-->C:\Program Files\HP\Digital Imaging\HPSSupply\hpzscr01.exe -datfile hpqbud16.dat
Sibelius Scorch-->MsiExec.exe /I{51C65CD6-A344-41B5-81E2-3CCAC8024F68}
Skype™ 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SonicWALL Global VPN Client-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{53648F92-1CC5-22D2-A6DF-00A0C9A23BCD}\setup.exe" -l0x9 -FromCPL
Spare Backup-->MsiExec.exe /X{A57C6094-FC5A-4DEC-B1E0-1B2F48EEE8F4}
SPBBC 32bit-->MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SPSS 16.0 for Windows-->MsiExec.exe /X{621025AE-3510-478E-BC27-1A647150976F}
Symantec Real Time Storage Protection Component-->MsiExec.exe /I{D6E6FA4A-5445-4850-8365-CF216C1CBB7A}
Symantec Technical Support Controls-->MsiExec.exe /I{45690715-80A6-4445-B61D-ADEC5888E8CD}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TBS WMP Plug-in-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{13515135-48BB-4184-8C1F-2FAE0138E200}
Universal Shield-->"C:\Program Files\Universal Shield 4.2\Uninstall.exe" "C:\Program Files\Universal Shield 4.2\install.log" -u
Viewpoint Media Player-->C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
WIDCOMM Bluetooth Software 6.0.1.4900-->MsiExec.exe /X{03D1988F-469F-4843-8E6E-E5FE9D17889D}
Windows Live Messenger-->MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
YAMAHA Musicsoft Downloader 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6D3C6846-CDB6-418F-8FDB-DA21FE064F86}\Setup.exe" -l0x9

======Security center information======

AS: Windows Defender

System event log

Computer Name: Matos-Notebook
Event Code: 1001
Message: Windows Defender scan has finished.
Scan ID: {EAA8D57B-16E5-4F93-B4DD-7C72C5C86A15}
Scan Type: AntiSpyware
Scan Parameters: Quick Scan
User: NT AUTHORITY\NETWORK SERVICE
Scan Time: 0:12:19
Record Number: 116067
Source Name: Microsoft-Windows-Windows Defender
Time Written: 20081230002853.000000-000
Event Type: Information
User:

Computer Name: Matos-Notebook
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.
Record Number: 116068
Source Name: Service Control Manager
Time Written: 20081230003239.000000-000
Event Type: Information
User:

Computer Name: Matos-Notebook
Event Code: 7036
Message: The LiveUpdate service entered the running state.
Record Number: 116069
Source Name: Service Control Manager
Time Written: 20081230010728.000000-000
Event Type: Information
User:

Computer Name: Matos-Notebook
Event Code: 7036
Message: The LiveUpdate service entered the stopped state.
Record Number: 116070
Source Name: Service Control Manager
Time Written: 20081230010801.000000-000
Event Type: Information
User:

Computer Name: Matos-Notebook
Event Code: 7036
Message: The Interactive Services Detection service entered the running state.
Record Number: 116071
Source Name: Service Control Manager
Time Written: 20081230014503.000000-000
Event Type: Information
User:

Application event log

Computer Name: Matos-Notebook
Event Code: 1001
Message: Fault bucket 32034982, type 5
Event Name: MpTelemetry
Response: None
Cab Id: 0

Problem signature:
P1: 80244019
P2: EndSearch
P3: Search
P4: 1.1.1600.0
P5: MpSigDwn.dll
P6: 1.1.1600.0
P7: Windows Defender
P8:
P9:
P10:

Attached files:
C:\Windows\Temp\MPTelemetrySubmit\client_manifest.txt

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportArchive\Report059f470e
Record Number: 36169
Source Name: Windows Error Reporting
Time Written: 20081230001633.000000-000
Event Type: Information
User:

Computer Name: Matos-Notebook
Event Code: 101
Message: Information Level: success

Scheduler launched Automatic LiveUpdate.
Record Number: 36170
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20081230010728.000000-000
Event Type: Information
User: NT AUTHORITY\SYSTEM

Computer Name: Matos-Notebook
Event Code: 101
Message: Information Level: success

Automatic LiveUpdate has terminated.
Record Number: 36171
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20081230010804.000000-000
Event Type: Information
User: NT AUTHORITY\SYSTEM

Computer Name: Matos-Notebook
Event Code: 101
Message: Information Level: success

The next run has been scheduled to occur at approximately 9:09 PM.
Record Number: 36172
Source Name: Automatic LiveUpdate Scheduler
Time Written: 20081230010804.000000-000
Event Type: Information
User: NT AUTHORITY\SYSTEM

Computer Name: Matos-Notebook
Event Code: 1000
Message: A device or program has requested attention. Device or application: C:\Windows\System32\spoolsv.exe. Message title: HP Officejet Pro L7700 series Document Properties.
Record Number: 36173
Source Name: Interactive Services detection
Time Written: 20081230014504.000000-000
Event Type: Information
User:

Security event log

Computer Name: Matos-Notebook
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 34548
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081230015827.500538-000
Event Type: Audit Failure
User:

Computer Name: Matos-Notebook
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 34549
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081230015827.565538-000
Event Type: Audit Failure
User:

Computer Name: Matos-Notebook
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 34550
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081230015827.627538-000
Event Type: Audit Failure
User:

Computer Name: Matos-Notebook
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 34551
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081230015827.691538-000
Event Type: Audit Failure
User:

Computer Name: Matos-Notebook
Event Code: 5038
Message: Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.

File Name: \Device\HarddiskVolume2\Windows\System32\drivers\tcpip.sys
Record Number: 34552
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20081230015827.754538-000
Event Type: Audit Failure
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Common Files\Ulead Systems\MPEG
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_REVISION"=0f0d
"NUMBER_OF_PROCESSORS"=2
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------


Solved Re: troj/rustock

Post by Belahzur on Tue Dec 30, 2008 2:30 pm

Hello.
I honestly believe this machine is clean and whatever it is, it's fake; there's no malware to be found.

Go to Start > Control Panel > Add/Remove Programs and remove the following programs if present.

  • Java(TM) 6 Update 7
  • Java(TM) SE Runtime Environment 6 Update 1
  • Viewpoint Media Player


Please PM me if I fail to respond within 24hrs.



Solved Re: troj/rustock

Post by matosmg08 on Tue Dec 30, 2008 3:44 pm

All three were installed and I removed them. Shortly after, my computer went to a blue screen and restarted. I've restarted four times, as the computer will go to a blue screen and do a memory dump a few seconds after booting programs in Windows.

Why would those programs I deleted have such an impact on my system? Please advise. I'm currently on another PC writing this since mine is non-functional.

Thanks!

Greg


Solved Re: troj/rustock

Post by Belahzur on Tue Dec 30, 2008 4:45 pm

Just uninstalling software doesn't cause a blue screen, something else has happened.
Although I've no idea what.

I think it may be easier to just format for you.
The machine will then be fully clean and safe and fixed.


Please PM me if I fail to respond within 24hrs.



Solved Re: troj/rustock

Post by Doctor Inferno on Sat Feb 14, 2009 4:08 am

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.


