Solved

Unable to update anti-virus, anti-spyware, windows update, searches redirected...

Posted on 2009-04-04
Last Modified: 2013-12-09
I'm working on my ex-boss's home machine.  Problem started with random system freezes, which I at first associated with a hardware problem like a bad RAM stick or something.  MemTest86 says RAM is good.

System freezes seem to have subsided, however, something is still on this machine and I can't quite put my finger on it.  I've installed Malwarebytes and run a scan, it removed a trojan from C:\a or something like that.  But every time you try to update it - it tells you the latest database is already installed but it's from March 26th.  AVG won't connect to the update server.  SUPERAntiSpyware won't update.  When you try connecting to Windows Update IE freezes and you just have to control-alt-delete and end task to get out of it.

Google and Yahoo searches at first appear normal, but when you click on one of the results, you are 9 times out of 10 redirected to some hokey looking web site.

I ran a HJT and looked it over but don't really know what I'm looking for.  Can someone please help?  Any assistance greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:54:24 PM, on 4/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Roberta\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [PDUiP6700DMon] C:\Program Files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - Startup: AVG Free Tray Icon.lnk = C:\Program Files\AVG\AVG8\avgtray.exe
O4 - Startup: SUPERAntiSpyware Free Edition.lnk = C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://rtc1.webresponse.one.microsoft.com/media/xp/TLIEFlash.CAB
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.scrapbookpictures.com/ImageUploader3.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} (Image Uploader Control) - http://scrapbookpictures.com/ImageUploader4.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Active Monitor (imonNT) - Intel Corp. - C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11307 bytes
Question by:deonc
41 Comments
 
LVL 4

Assisted Solution

by:thsteph
thsteph earned 20 total points
ID: 24069071
Check your hosts file to see if it has been renamed or given an extension:
C:\WINDOWS\system32\drivers\etc\  ->hosts
 
LVL 4

Assisted Solution

by:blissbear
blissbear earned 20 total points
ID: 24069091
Everything looks ok as far as I can tell. You may still have something installed using a rootkit technique to hide itself from HijackThis. I'm not sure how great SUPERAntiSpyware is. I use Spybot Search and Destroy, it's pretty intuitive, has a tremendous spyware database, can be loaded as a service to actively scan for spyware, and is free. :)
 
LVL 4

Expert Comment

by:blissbear
ID: 24069099
Also, as far as the lockups go, check to make sure you have the latest NVidia video driver for your adapter. There are some lockup issues with older drivers.
 
LVL 4

Expert Comment

by:thsteph
ID: 24069163
Please reply about the hosts file ... I had almost the same issue ... the virus was renaming the hosts file, hence it couldn't resolve DNS and couldn't update.
The virus was specifically written for NOD32 AV and could not be eliminated with that specific AV.
You'll need to install an up-to-date AV or download the updates on another PC and install them manually ...
I believe your problem is that the AVs cannot update, hence cannot get the latest virus definitions, hence cannot even find it!
 
LVL 4

Expert Comment

by:blissbear
ID: 24069204
thsteph, if it were a hosts file issue there would be an "O1 - Hosts file redirection" line in the hijackthis log. There isn't one present so it's not likely a hosts file issue.
 

Author Comment

by:deonc
ID: 24069372
I will check it out and keep you all posted.  Sorry for the delay - I'm not at the infected computer at this moment.  It is running a Kaspersky online scanner as it seems to be the only one that will update, I've tried eset and whatever is on the machine seems to be blocking it from receiving updates even from the online scanner.  Same story for ewido online scanner.  SUPERAntiSpyware seems to be alright - there is a free and paid version, free does not have the features that the free Spybot does, however, SAS can be helpful in removing some infections (at least from what I've seen).
 
LVL 4

Expert Comment

by:thsteph
ID: 24069389
blissbear ... hosts file redirection may exist with false DNS entries in it ... I had a virus with exactly that in it
 
LVL 4

Expert Comment

by:thsteph
ID: 24069403
it usually inserts a comment in front of the DNS entry, disallowing it to redirect
 

Author Comment

by:deonc
ID: 24069496
Alright I know virtually nothing about hosts files.  The first hosts file in there doesn't appear to be renamed or given an extension.  I've tried to attach a screen shot of what I saw in there.  There are some other files that I don't know if are still needed or if they can be safely removed, or if they're what might be causing the problem.

The following are the files in there, in order from left to right, top to bottom - hosts, hosts.20081127-134435.backup, hosts.20081127-1127-134529.backup, hosts.msn, lmhosts, networks, protocol, services.

Hosts.bmp
 
LVL 4

Expert Comment

by:thsteph
ID: 24069534
open the hosts (first one) with notepad and check if there is anything written under the 127.0.0.1 or any other comments after that
 

Author Comment

by:deonc
ID: 24069575
Says localhost after 127.0.0.1, then there's a long list of web sites that it says were added by Spybot Search & Destroy.

Why won't the anti-virus software update?  The virus scan turned up nothing.  I'll have to run another one but Malware Bytes now says it encountered a problem and needs to close every time you ask it to update, and anti-spyware and AVG still won't update, keep saying update failed, make sure you're connected to the Internet, yada yada...but I'm on that computer right now so the Internet is definitely working, and actually fairly well, too, except for the search redirect problem.  Can I get rid of those backup hosts files?
 
LVL 15

Accepted Solution

by:
greyknight17 earned 220 total points
ID: 24069670
Click here and download that file when prompted. Extract the file and run it. Follow the instructions to run the copy of regedit provided. Go to File->Export and save the registry somewhere as a backup. Then navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32

Click on  drivers32 and then go to File > Export. Export that key only and save it to your desktop. Right click on that saved file and go to Edit. Copy and paste all the contents of that file here.

If you feel comfortable working in the registry, you can look for suspicious values for any entries that begin with aux. You need to change the value to wdmaud.drv in most cases. If unsure, post the values of those aux entries here. Usually will be something like c:\windows\...some random name.
 
LVL 4

Expert Comment

by:thsteph
ID: 24069674
Delete everything after 127.0.0.1 localhost
everything's blocked
Delete all other hosts files except lmhosts (hosts2008 and hosts.msn)
Restart the PC and try updating the AV
Recheck the hosts file after restart and tell me if it is still empty or has been filled with entries again
Those entries should simply not exist!
Try another AV
Download a trial of ESET NOD32
Update to the latest virus definitions and scan
See how it goes and post a reply
 
LVL 4

Expert Comment

by:blissbear
ID: 24069768
You have been using Hijackthis. There is a rudimentary hosts file editor included in that program. It might make it easier to look at. :)
 
LVL 4

Expert Comment

by:blissbear
ID: 24069774
Can you post a copy of your hosts file so we can modify it for you?
 

Author Comment

by:deonc
ID: 24069882
I edited the hosts file and now this is what is in there.  Is this what should be?

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
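The hosts-file check thsteph describes and the trimmed file deonc posted above, as an added example that is not part of the original thread: a Python audit that parses a Windows hosts file, flags entries that redirect names away from DNS or pin update servers to loopback (the two ways a hosts file can break updates), and rebuilds the file with only the localhost lines, which is what the thread recommends. The hostnames and addresses in SAMPLE_HOSTS and UPDATE_HOSTS are constructed placeholders, not real hosts.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample hosts file: the default Windows header, the localhost line,
# a Spybot-style blocking entry, an update server pinned to loopback, and one
# line of the kind a redirecting infection adds. Placeholder names throughout.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
127.0.0.1       www.ad-tracker.example        # added by Spybot - Search & Destroy
127.0.0.1       update.antivirus-vendor.example
192.0.2.44      download.windowsupdate.example   www.security-vendor.example
::1             localhost
"""

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Hostnames the machine must reach for security tooling to update.
# Placeholder names for this example; a real list holds the vendor's hosts.
UPDATE_HOSTS = {"update.antivirus-vendor.example", "download.windowsupdate.example"}


@dataclass
class HostsEntry:
    line_no: int
    ip: str
    names: List[str]


@dataclass
class HostsFinding:
    entry: HostsEntry
    kind: str     # "redirect" (non-loopback target) or "blocked" (update host -> loopback)
    reason: str


def parse_hosts(text: str) -> List[HostsEntry]:
    """Parse hosts-file syntax: '#' comments (full-line or inline), IP then one or more names."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line; the resolver ignores it too
        if len(parts) > 1:
            entries.append(HostsEntry(n, parts[0], [p.lower() for p in parts[1:]]))
    return entries


def audit_hosts(text: str) -> List[HostsFinding]:
    """Flag entries that redirect names to a remote address or pin update servers to loopback."""
    findings = []
    for e in parse_hosts(text):
        is_loop = ipaddress.ip_address(e.ip).is_loopback
        names = [x for x in e.names if x not in LOOPBACK_NAMES]
        if not names:
            continue  # plain loopback -> localhost mapping is expected
        if not is_loop:
            findings.append(HostsFinding(e, "redirect",
                                         f"{', '.join(names)} sent to {e.ip} instead of DNS"))
        elif any(x in UPDATE_HOSTS for x in names):
            findings.append(HostsFinding(e, "blocked",
                                         "update server pinned to loopback; updates will fail"))
    return findings


def clean_hosts(text: str) -> str:
    """Keep comments and blank lines, keep loopback->localhost mappings, drop every other entry."""
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].split()
        if not body:
            kept.append(raw)
            continue
        try:
            is_loop = ipaddress.ip_address(body[0]).is_loopback
        except ValueError:
            continue
        if is_loop and all(x.lower() in LOOPBACK_NAMES for x in body[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.entry.line_no}: [{f.kind}] {f.reason}")
    print(clean_hosts(SAMPLE_HOSTS))
```

Spybot's own 127.0.0.1 immunisation entries are deliberately not flagged unless they hit an update host, so the audit separates blocking of ad domains from blocking of update servers.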
 

Author Comment

by:deonc
ID: 24069939
greyknight17: I don't know if I did this right or not (nice start eh? :)  Anyway - this might be another symptom but it doesn't want to let me open regedit.  I exported Drivers32 to the desktop as a .txt file and I'm copying and pasting the results here:

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32
Class Name:        <NO CLASS>
Last Write Time:   3/23/2009 - 4:54 PM
Value 0
  Name:            midimapper
  Type:            REG_SZ
  Data:            midimap.dll

Value 1
  Name:            msacm.imaadpcm
  Type:            REG_SZ
  Data:            imaadp32.acm

Value 2
  Name:            msacm.msadpcm
  Type:            REG_SZ
  Data:            msadp32.acm

Value 3
  Name:            msacm.msg711
  Type:            REG_SZ
  Data:            msg711.acm

Value 4
  Name:            msacm.msgsm610
  Type:            REG_SZ
  Data:            msgsm32.acm

Value 5
  Name:            msacm.trspch
  Type:            REG_SZ
  Data:            tssoft32.acm

Value 6
  Name:            vidc.cvid
  Type:            REG_SZ
  Data:            iccvid.dll

Value 7
  Name:            vidc.I420
  Type:            REG_SZ
  Data:            msh263.drv

Value 8
  Name:            vidc.iv31
  Type:            REG_SZ
  Data:            ir32_32.dll

Value 9
  Name:            vidc.iv32
  Type:            REG_SZ
  Data:            ir32_32.dll

Value 10
  Name:            vidc.iv41
  Type:            REG_SZ
  Data:            ir41_32.ax

Value 11
  Name:            vidc.iyuv
  Type:            REG_SZ
  Data:            iyuv_32.dll

Value 12
  Name:            vidc.mrle
  Type:            REG_SZ
  Data:            msrle32.dll

Value 13
  Name:            vidc.msvc
  Type:            REG_SZ
  Data:            msvidc32.dll

Value 14
  Name:            vidc.uyvy
  Type:            REG_SZ
  Data:            msyuv.dll

Value 15
  Name:            vidc.yuy2
  Type:            REG_SZ
  Data:            msyuv.dll

Value 16
  Name:            vidc.yvu9
  Type:            REG_SZ
  Data:            tsbyuv.dll

Value 17
  Name:            vidc.yvyu
  Type:            REG_SZ
  Data:            msyuv.dll

Value 18
  Name:            wavemapper
  Type:            REG_SZ
  Data:            msacm32.drv

Value 19
  Name:            msacm.msg723
  Type:            REG_SZ
  Data:            msg723.acm

Value 20
  Name:            vidc.M263
  Type:            REG_SZ
  Data:            msh263.drv

Value 21
  Name:            vidc.M261
  Type:            REG_SZ
  Data:            msh261.drv

Value 22
  Name:            msacm.msaudio1
  Type:            REG_SZ
  Data:            msaud32.acm

Value 23
  Name:            msacm.sl_anet
  Type:            REG_SZ
  Data:            sl_anet.acm

Value 24
  Name:            msacm.iac2
  Type:            REG_SZ
  Data:            C:\WINDOWS\System32\iac25_32.ax

Value 25
  Name:            vidc.iv50
  Type:            REG_SZ
  Data:            ir50_32.dll

Value 26
  Name:            msacm.l3acm
  Type:            REG_SZ
  Data:            C:\WINDOWS\System32\l3codeca.acm

Value 27
  Name:            wave
  Type:            REG_SZ
  Data:            wdmaud.drv

Value 28
  Name:            midi
  Type:            REG_SZ
  Data:            wdmaud.drv

Value 29
  Name:            mixer
  Type:            REG_SZ
  Data:            wdmaud.drv

Value 30
  Name:            VIDC.MPG4
  Type:            REG_SZ
  Data:            mpg4c32.dll

Value 31
  Name:            VIDC.MP42
  Type:            REG_SZ
  Data:            mpg4c32.dll

Value 32
  Name:            vidc.LEAD
  Type:            REG_SZ
  Data:            LCODCCMP.DLL

Value 33
  Name:            msacm.siren
  Type:            REG_SZ
  Data:            sirenacm.dll

Value 34
  Name:            aux
  Type:            REG_SZ
  Data:            C:\WINDOWS\system32\..\gmnc.mbp


Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server
Class Name:        <NO CLASS>
Last Write Time:   9/27/2003 - 6:08 AM

Key Name:          HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32\Terminal Server\RDP
Class Name:        <NO CLASS>
Last Write Time:   9/27/2003 - 6:08 AM
Value 0
  Name:            wave
  Type:            REG_SZ
  Data:            rdpsnd.dll

Value 1
  Name:            MaxBandwidth
  Type:            REG_DWORD
  Data:            0x56b9

Value 2
  Name:            wavemapper
  Type:            REG_SZ
  Data:            msacm32.drv

Value 3
  Name:            EnableMP3Codec
  Type:            REG_DWORD
  Data:            0x1

Value 4
  Name:            midimapper
  Type:            REG_SZ
  Data:            midimap.dll


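The Drivers32 check greyknight17 asks for (aux-style entries that should read wdmaud.drv) and the Fix.reg rpggamergirl posts further down come together in this added example, which is not code from the thread: a Python script that parses a regedit File > Export listing in the .txt format shown above, flags aux entries that are not wdmaud.drv (plus values that hide behind a "\..\" path or use an unusual module extension), and emits the matching REGEDIT4 fix file. SAMPLE_EXPORT is a constructed, trimmed copy of the listing posted above.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a trimmed regedit "File > Export" (.txt format) listing of
# Drivers32, including the suspicious aux value the thread discusses.
SAMPLE_EXPORT = """\
Key Name:          HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32
Class Name:        <NO CLASS>
Last Write Time:   3/23/2009 - 4:54 PM
Value 0
  Name:            midimapper
  Type:            REG_SZ
  Data:            midimap.dll

Value 27
  Name:            wave
  Type:            REG_SZ
  Data:            wdmaud.drv

Value 34
  Name:            aux
  Type:            REG_SZ
  Data:            C:\\WINDOWS\\system32\\..\\gmnc.mbp


Key Name:          HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Drivers32\\Terminal Server\\RDP
Class Name:        <NO CLASS>
Last Write Time:   9/27/2003 - 6:08 AM
Value 0
  Name:            wave
  Type:            REG_SZ
  Data:            rdpsnd.dll
"""

KEY_RE = re.compile(r"^Key Name:\s+(.*?)\s*$")
FIELD_RE = re.compile(r"^\s+(Name|Type|Data):\s*(.*?)\s*$")

DRIVERS32 = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32"
EXPECTED_AUX = "wdmaud.drv"          # the default the thread restores
NORMAL_EXT = (".dll", ".drv", ".acm", ".ax")   # usual multimedia driver modules


@dataclass
class RegValue:
    key: str
    name: str
    type: str
    data: str


@dataclass
class Finding:
    value: RegValue
    reason: str


def parse_regedit_export(text: str) -> List[RegValue]:
    """Walk the 'Key Name / Value N / Name / Type / Data' blocks of a regedit .txt export."""
    values, key, cur = [], None, {}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key, cur = m.group(1), {}
            continue
        m = FIELD_RE.match(line)
        if not m or key is None:
            continue
        cur[m.group(1)] = m.group(2)
        if m.group(1) == "Data":      # Data is the last field of each value block
            values.append(RegValue(key, cur.get("Name", ""), cur.get("Type", ""), cur["Data"]))
            cur = {}
    return values


def audit_drivers32(text: str) -> List[Finding]:
    """Flag aux entries that are not wdmaud.drv, '..' paths, and odd module extensions."""
    findings = []
    for v in parse_regedit_export(text):
        if v.key.lower() != DRIVERS32.lower():
            continue   # subkeys such as Terminal Server\RDP legitimately use other modules
        lname, ldata = v.name.lower(), v.data.lower()
        if lname.startswith("aux") and ldata != EXPECTED_AUX:
            findings.append(Finding(v, f"aux entry should normally be {EXPECTED_AUX}"))
        elif "\\..\\" in ldata:
            findings.append(Finding(v, "path uses '..' to disguise the module's real location"))
        elif not ldata.endswith(NORMAL_EXT):
            findings.append(Finding(v, "unusual module extension for a multimedia driver"))
    return findings


def build_fix_reg(findings: List[Finding]) -> str:
    """Emit a REGEDIT4 file restoring every flagged aux entry to wdmaud.drv."""
    lines = ["REGEDIT4", "", f"[{DRIVERS32}]"]
    for f in findings:
        if f.value.name.lower().startswith("aux"):
            lines.append(f'"{f.value.name}"="{EXPECTED_AUX}"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_drivers32(SAMPLE_EXPORT)
    for f in found:
        print(f"{f.value.name} = {f.value.data!r}: {f.reason}")
    print(build_fix_reg(found))
```

Merging the generated .reg only resets the registry value; the module it pointed at still has to be removed separately, as the thread goes on to do.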
 

Author Comment

by:deonc
ID: 24069948
I suspect this entry right here:

Value 34
  Name:            aux
  Type:            REG_SZ
  Data:            C:\WINDOWS\system32\..\gmnc.mbp

gmnc.mbp is the name of a trojan horse that was detected during a command line AVG 8.5 scan performed in Safe Mode about 30 minutes ago...

However, it won't let me into regedit and I'll be totally honest, I'm not overly comfortable screwing with the registry as I haven't done it much.

Crap!  :)
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 220 total points
ID: 24070000
You need to rename regedit to regedit.com, then you can change the value of that aux to wdmaud.drv

If you're not comfortable with editing the registry just export the Drivers32 subkey to your desktop first (as a backup) before you edit the registry.

Then delete the bad file manually or use Hijackthis to delete the file at reboot.

Or...download the file and instructions greyknight17 already posted.
 
LVL 47

Assisted Solution

by:rpggamergirl
rpggamergirl earned 220 total points
ID: 24070018
Or,
If you don't want to edit the registry you can also just run this regfile. Open Notepad and save all the bolded text below into it, with save as type "All files", saved as "Fix.reg". Then doubleclick "Fix.reg" to merge it with the registry.
Then delete the file using HijackThis Misc. Tools section > "Delete a file on reboot" or delete it manually.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"aux"="wdmaud.drv"
 
LVL 5

Expert Comment

by:Mechanic_Kharkov
ID: 24070031
The Conficker virus blocks antiviruses from updating by hooking DNS queries. To kill this virus you can use the KidoKiller program.
In this archive you will find this tool and some useful patches for Windows ( http://file.qip.ru/file/78391514/f017d363/Kill_VIRUS.html ).
 
LVL 8

Assisted Solution

by:MrMintanet
MrMintanet earned 20 total points
ID: 24070038
You have a variant of Conficker.

Formatting would be the most secure way to remove the problem.  As hooking any USB or external drive would instantly call replication of the virus to the added component.

Edit the registry all you want, I would not be comfortable giving the computer back to the person.  You put your seal of approval on that computer when it passes back into their hands.  If you think a registry edit will guarantee the viruses do not reappear later, be my guest.  It's a bit cynical, but I am being very honest, and I am speaking from personal and professional experience.

I like giving a computer back to the person with 100% confidence that the computer is nuked and paved.  :)


rpggamergirl:

I have lots of respect for you, but I had to give my ethical opinion here.  Please don't take offense.


Deonc:
If you listen to anyone trying to help you, I would suggest either listening to the advice I am giving you, or listen to rpggamergirl.  If there was anyone on the net telling me how to edit my registry or looking at my hijackthis, it'd be her.


;)
Mintanet...
 

Author Comment

by:deonc
ID: 24070069
I may just wipe everything clean and do a fresh install of Windows, but I'm not sure if it will work with what I have.  I have a legal copy of WinXP, but the key for that disc is already installed on an existing machine that is currently in use.  The machine I'm working on was custom built about 5 years ago and whoever built it didn't provide my ex-boss with a WinXP disc.  I used a keyfinder to find the WinXP code on this machine thinking that maybe I could install WinXP and then use the key pulled off the machine.  It's an OEM key.  Does that make a difference in whether it will work or not?  I'd sure hate to format and reinstall only to find it won't accept the key and we're even more screwed than we were before.

Everything was (is) backed up to external HD using Acronis True Image, however, if the virus could be on there then uh oh.

I very well may try renaming regedit and following the instructions provided by rpggamergirl.

Whew - I'm going to have to step away from it for a bit, though.  I'll be back.  Thanks SO much for all of the replies so far.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24070101
Once the redirect is fixed..then we can run tools like combofix to check if there are bad files that are still lurking there....or if virut/sality may be present....


Mintanet,
No offence taken.
Most infections usually can be fixed without any harm done or without the PC being compromised.
Reformat is always a wise decision, but usually users come here to ask for help because they haven't reached that last option yet (reformat).

I for one would be the first one to suggest a reformat when I know for sure that the system has been compromised (when logs are showing info-stealers)
Or when I know that the system has Virut infection my suggestion would be a straight reformat as it would just be a waste of time cleaning a virut-infected pc.
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24070130
>>I have a legal copy of WinXP, but the key for that disc is already installed on an existing machine that is currently in use.

No you don't. ;)

Just call the 1-800 and speak to Hadish
 

Author Comment

by:deonc
ID: 24070295
LOL  Yeah I'm sure Mr. Hadish could straighten everything out in a jiffy.  ;)

I've backed off the infected machine for tonight.  Had to round up the kids and get them in bed, all that good stuff.  I'm going to go back at it in the morning probably.  Try some of the above suggestions and see what happens.  Unless I can't sleep (which is likely) then I'll be fighting with it again until I can't stay awake anymore...

0
 
LVL 8

Expert Comment

by:MrMintanet
ID: 24070318
1-800-SAV-TIME
 

Author Comment

by:deonc
ID: 24072098
Success!  Using the XP Emergency Util recommended by greyknight17, and following the instructions provided by rpggamergirl, I was able to edit the registry entry, and delete gmnc.mbp on reboot using HJT.  Security software is now loading again at startup, allows updates, and I currently have a Malwarebytes scan running.

Now, noob question.  It's fairly obvious that I should go back in to the registry and remove C:\WINDOWS\system32\.. \gmnc.mbp.  Can I do that safely?

Unless I just did something wrong - renaming regedit to regedit.com didn't seem to work.  It wouldn't allow me to open regedit or regedit.com, still, and I also noticed that even though regedit was renamed to regedit.com, a new "regedit" appeared.  I don't know if that's normal or was probably part of the virus I'm guessing.

What should the next steps be?  I will be in and out for the remainder of the day and probably gone for a couple of hours this afternoon.
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24073682
>>> It's fairly obvious that I should go back in to the registry and remove C:\WINDOWS\system32\.. \gmnc.mbp.<<<
I thought you already edited the registry as per your post below:

>>>I was able to edit the registry entry<<<

I assumed you already changed the bad value and replaced it with the default "aux"="wdmaud.drv"
either by manually editing or merging the reg file I posted.


C:\WINDOWS\system32\.. \gmnc.mbp <-- I also assumed this file has already been deleted as you mentioned using HijackThis "delete file on reboot"
So if the file is gone and the value in the registry is also fixed, then that's that for the search engine redirect problem.

But that's not all, there might be other nasties present so let's see what MBAM found...and then we will also scan with Combofix.
 
@Mintanet.
BTW, thanks for the kind words... :)
 

Author Comment

by:deonc
ID: 24073802
rpggamergirl:  Thank you for your kind assistance!  :)  Well, I did edit the registry and change the "aux" to "wdmaud.drv", and I did use HJT to delete gmnc.mbp on reboot, the file is now officially MIA (hooray!), however, I think what my question was is now that it DOES allow me to edit the registry, if I look at Drivers32, that string is still there, C:\WINDOWS\system32\.. \gmnc.mbp, after the "wdmaud.drv" value of course.  So what I wanted to know is if I should right click on that entry and select delete.

I hope I didn't jump the gun too much, but, I felt comfortable running Combofix, so I did.  Followed the instructions, it did remove one file - CMMGR32.EXE and automatically deleted on reboot.  Following is the log file:

ComboFix 09-04-04.01 - User 2009-04-05 17:41:35.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.789 [GMT -7:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\CMMGR32.EXE

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZESOFT


(((((((((((((((((((((((((   Files Created from 2009-03-06 to 2009-04-06  )))))))))))))))))))))))))))))))
.

2009-04-04 19:15 . 2009-04-04 19:15      <DIR>      d--------      C:\EmergencyUtils
2009-04-04 18:38 . 2009-04-05 10:35      <DIR>      d--h-----      C:\$AVG8.VAULT$
2009-04-04 13:15 . 2009-04-05 12:31      <DIR>      d--------      c:\program files\EsetOnlineScanner
2009-04-04 12:31 . 2009-04-04 12:31      107,912      --a------      c:\windows\system32\drivers\avgtdix.sys
2009-04-04 12:31 . 2009-04-04 12:31      10,520      --a------      c:\windows\system32\avgrsstx.dll
2009-04-04 12:30 . 2009-04-05 09:59      <DIR>      d--------      c:\windows\system32\drivers\Avg
2009-04-04 12:30 . 2009-04-04 12:30      <DIR>      d--------      c:\documents and settings\Roberta\Application Data\AVGTOOLBAR
2009-04-04 12:30 . 2009-04-04 12:30      325,640      --a------      c:\windows\system32\drivers\avgldx86.sys
2009-04-03 17:20 . 2009-04-03 17:20      <DIR>      d--------      c:\program files\Malwarebytes' Anti-Malware
2009-04-03 17:20 . 2009-04-03 17:20      <DIR>      d--------      c:\documents and settings\User\Application Data\Malwarebytes
2009-04-03 17:20 . 2009-04-03 17:20      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 17:20 . 2009-03-26 16:49      38,496      --a------      c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 17:20 . 2009-03-26 16:49      15,504      --a------      c:\windows\system32\drivers\mbam.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-05 18:03      ---------      d-----w      c:\documents and settings\User\Application Data\MSN6
2009-04-04 19:30      ---------      d-----w      c:\documents and settings\All Users\Application Data\avg8
2009-03-29 19:44      ---------      d-----w      c:\program files\Glary Utilities
2009-03-29 19:38      ---------      d---a-w      c:\documents and settings\All Users\Application Data\TEMP
2009-03-29 19:38      ---------      d-----w      c:\program files\SpywareBlaster
2009-03-29 19:35      ---------      d-----w      c:\program files\SUPERAntiSpyware
2009-03-12 17:01      ---------      d-----w      c:\documents and settings\User\Application Data\Wal-Mart Digital Photo Manager
2009-03-04 18:27      ---------      d-----w      c:\program files\Google
2009-02-24 07:48      ---------      d-----w      c:\program files\HP
2009-02-24 07:48      ---------      d-----w      c:\program files\Hewlett-Packard
2008-12-16 06:32      20      ---h--w      c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-04-22 21:57      71,992      ------w      c:\documents and settings\User\Application Data\GDIPFONTCACHEV1.DAT
2008-11-27 21:25      32,768      --sha-w      c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112720081128\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-29 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-11 774144]
"IMONTRAY"="c:\program files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-01-10 32768]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-08-11 188416]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-02-03 1851392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"PDUiP6700DMon"="c:\program files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe" [2006-03-16 61440]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-16 1169776]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-16 1945960]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-16 149024]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-04 1932568]
"nwiz"="nwiz.exe" [2003-10-06 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\User\Start Menu\Programs\Startup\
AVG Free Tray Icon.lnk - c:\program files\AVG\AVG8\avgtray.exe [2009-04-04 1932568]
SUPERAntiSpyware Free Edition.lnk - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2007-01-10 1830128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-09-27 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-12-06 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-09-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-03 00:23 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-04 12:31 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wdmaud.drv"= c:\windows\system32\..\gmnc.mbp

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"REGSHAVE"=c:\program files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\SUPERAntiSpyware\\SSUPDATE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\Glary Utilities\\Integrator.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SASINST.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-04 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-04 107912]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-01-09 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-04 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-04 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [2003-09-27 13594]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a1fb76-2bb9-11db-a586-0050bfe8bc14}]
\Shell\AutoRun\command - H:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-03-23 09:49]

2009-04-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\m7oy4nui.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 17:45:04
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\Roberta\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\incdsrv.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Intel\Intel(R) Active Monitor\imonNT.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-05 17:49:52 - machine was rebooted
ComboFix-quarantined-files.txt  2009-04-06 00:49:49

Pre-Run: 59,400,568,832 bytes free
Post-Run: 59,376,058,368 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

203      --- E O F ---      2009-03-23 16:01:12


Now I will update Malwarebytes, run another scan and post the results here when finished.  Thank you.  :)
0
 

Author Comment

by:deonc
ID: 24073849
Ok so naturally I did a search for CMMGR32.EXE and apparently it's not Malware and is instead the Windows Connection Manager?  Why would Combofix want that program dead?  One forum post I read said it's only needed in Win 9x machines.

Is the loss of this file going to cause any problems?
0
 

Author Comment

by:deonc
ID: 24073991
MBAM reports nothing found.

Malwarebytes' Anti-Malware 1.35
Database version: 1943
Windows 5.1.2600 Service Pack 3

4/5/2009 6:53:08 PM
mbam-log-2009-04-05 (18-53-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 186473
Time elapsed: 30 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
0
 

Author Closing Comment

by:deonc
ID: 31566652
Thank you all for your help!!!
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24074183
>>Is the loss of this file going to cause any problems? <<
I don't have it in my XP machine; whether it will cause problems or not (it being deleted), you can just restore it from the quarantine folder, no problem.

"wdmaud.drv"= c:\windows\system32\..\gmnc.mbp
I just quickly glanced at the CF log, and how did the above value name "wdmaud.drv" get created? That wasn't there before in your drivers32 subkey that you exported.
Did you create that one by mistake? Just wondering; I've never seen that as a value name - that's usually the data.


What was there before in the exported drivers32 subkey was this bad value of aux below:
Value 34
Name: aux
Type: REG_SZ
Data: C:\WINDOWS\system32\..\gmnc.mbp



So let's remove it using Combofix and restore the value of aux just in case.
And about the "CMMGR32.EXE": either that is infected (I doubt it) or maybe it's just a false positive; CF has been having a few false positives recently, so we'll just restore that file.


Run combofix again using this script.
1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
DeQuarantine::
C:\Qoobox\Quarantine\c:\windows\system32\CMMGR32.EXE.vir

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wdmaud.drv"=-
"aux"="wdmaud.drv"
------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.


0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24074215
>>>Well, I did edit the registry and change the "aux" to "wdmaud.drv", >>>
Ok Doc, that explains the new wdmaud.drv value name added there.
You're not supposed to change the "aux" into "wdmaud.drv", but change the data of the "aux".
Instead of changing the data, you changed the "name".

I'm sorry for the not-so-clear instructions, my fault, my apologies.
Much easier to merge the reg file, :)
0
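The two posts above describe the same Drivers32 problem from both sides: the dropped file was wired in as the data of the "aux" alias, and the attempted manual repair created a second value whose name was the data string "wdmaud.drv". The following is an added example, not code from the thread or from rpggamergirl: a small Python audit that reads a REGEDIT4 export of the Drivers32 subkey, flags entries that do not look like stock data (a path or ".." where a bare driver file name belongs, an unexpected extension, a value name that is itself a driver file name, or a known alias that differs from its Windows XP default), and emits the same kind of REGEDIT4 fix the CFScript applies: delete the bogus value name with `=-` and restore the alias to its default. The sample export, the default table and the function names are assumptions constructed for this example; the check generalizes to any Drivers32 value, not only "aux".

```python
import re

# Windows XP factory defaults for the Drivers32 multimedia aliases the thread
# deals with (assumption: taken from a clean XP install; extend as needed).
DRIVERS32_DEFAULTS = {
    "aux": "wdmaud.drv",
    "wave": "wdmaud.drv",
    "midi": "wdmaud.drv",
    "mixer": "wdmaud.drv",
    "midimapper": "midimap.dll",
    "wavemapper": "msacm32.drv",
}

# Legitimate Drivers32 data is a bare file name with one of these extensions,
# loaded from %SystemRoot%\system32; anything else deserves a look.
DRIVER_EXTENSIONS = (".drv", ".dll", ".acm", ".ax")

DRIVERS32_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32"

# Constructed sample export (hypothetical values), shaped like the exported
# subkey in the thread after the mistaken rename: "aux" still points at the
# dropped file and a second value has been created with the *data* as its name.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"midimapper"="midimap.dll"
"msacm.imaadpcm"="imaadp32.acm"
"wave"="wdmaud.drv"
"midi"="wdmaud.drv"
"mixer"="wdmaud.drv"
"aux"="C:\\WINDOWS\\system32\\..\\gmnc.mbp"
"wdmaud.drv"="C:\\WINDOWS\\system32\\..\\gmnc.mbp"
'''

# One REG_SZ line of a .reg file: "name"="data", with backslash escapes inside.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_values(text):
    """Return {name: data} for the string values in a REGEDIT4 export."""
    values = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            values[_unescape(m.group(1))] = _unescape(m.group(2))
    return values


def audit_drivers32(values):
    """Return [(name, data, reason)] for entries that do not look like stock Drivers32 data."""
    findings = []
    for name, data in values.items():
        lname, ldata = name.lower(), data.lower()
        reasons = []
        if lname.endswith(DRIVER_EXTENSIONS):
            reasons.append("value name is a driver file name (data pasted in as the name)")
        if "\\" in data or "/" in data or ".." in data:
            reasons.append("data is a path rather than a bare driver file name")
        elif not ldata.endswith(DRIVER_EXTENSIONS):
            reasons.append("data has an unexpected extension")
        if lname in DRIVERS32_DEFAULTS and ldata != DRIVERS32_DEFAULTS[lname]:
            reasons.append("differs from XP default %r" % DRIVERS32_DEFAULTS[lname])
        if reasons:
            findings.append((name, data, "; ".join(reasons)))
    return findings


def build_fix_reg(findings):
    """Emit a REGEDIT4 fragment that deletes bogus value names and restores known defaults."""
    lines = ["REGEDIT4", "", "[%s]" % DRIVERS32_KEY]
    for name, _data, _reason in findings:
        default = DRIVERS32_DEFAULTS.get(name.lower())
        if default is None:
            lines.append('"%s"=-' % name)            # "=-" deletes the value on merge
        else:
            lines.append('"%s"="%s"' % (name, default))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = audit_drivers32(parse_reg_values(SAMPLE_REG))
    for name, data, reason in found:
        print("%-12s = %-40s  <- %s" % (name, data, reason))
    print()
    print(build_fix_reg(found))
```

Run against a real export (regedit, right click on the Drivers32 key, Export) by replacing `SAMPLE_REG` with the file contents. The generated fragment only touches entries the audit flagged, so a clean machine produces an empty key block; for an unknown value name with suspicious data the script deletes it rather than guessing a default, which is the conservative choice when the rest of the system still references it through a legitimate alias.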
 

Author Comment

by:deonc
ID: 24074590
rpggamergirl:  Alright, I'm sorry but I do just have to say...wow, you are impressive!  Thank you so much for all of your assistance.  It's been a tremendous learning experience for me.  I just looked at the Drivers32 folder and it looks MUCH BETTER!  The orphaned infection file is no longer there and it seems that my oops has been repaired.  I just probably got in a bit of a hurry (I'm trying to get this machine back to the owner by tomorrow (Monday)).  I'm hoping all is clear, but I have access to the computer after this so I can still keep an eye on things.  I believe the infection can be considered removed and neutralized at this point.  However, I have asked the computer's owner to keep a close eye out for strange behavior and things like security software not updating, etc.  Hopefully there won't be recurring infections to deal with.  But, you never know.

I suppose I'll throw the Combofix log in here for kicks.  Don't know if you cared to see it again or not.  ;)

ComboFix 09-04-04.01 - Roberta 2009-04-05 22:28:44.2 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.1535.831 [GMT -7:00]
Running from: c:\documents and settings\Roberta\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Roberta\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated)
 * Created a new restore point
.

(((((((((((((((((((((((((   Files Created from 2009-03-06 to 2009-04-06  )))))))))))))))))))))))))))))))
.

2009-04-04 19:15 . 2009-04-04 19:15      <DIR>      d--------      C:\EmergencyUtils
2009-04-04 18:38 . 2009-04-05 19:31      <DIR>      d--h-----      C:\$AVG8.VAULT$
2009-04-04 13:15 . 2009-04-05 12:31      <DIR>      d--------      c:\program files\EsetOnlineScanner
2009-04-04 12:31 . 2009-04-04 12:31      107,912      --a------      c:\windows\system32\drivers\avgtdix.sys
2009-04-04 12:31 . 2009-04-04 12:31      10,520      --a------      c:\windows\system32\avgrsstx.dll
2009-04-04 12:30 . 2009-04-05 09:59      <DIR>      d--------      c:\windows\system32\drivers\Avg
2009-04-04 12:30 . 2009-04-04 12:30      <DIR>      d--------      c:\documents and settings\Roberta\Application Data\AVGTOOLBAR
2009-04-04 12:30 . 2009-04-04 12:30      325,640      --a------      c:\windows\system32\drivers\avgldx86.sys
2009-04-03 17:20 . 2009-04-03 17:20      <DIR>      d--------      c:\program files\Malwarebytes' Anti-Malware
2009-04-03 17:20 . 2009-04-03 17:20      <DIR>      d--------      c:\documents and settings\Roberta\Application Data\Malwarebytes
2009-04-03 17:20 . 2009-04-03 17:20      <DIR>      d--------      c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 17:20 . 2009-03-26 16:49      38,496      --a------      c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 17:20 . 2009-03-26 16:49      15,504      --a------      c:\windows\system32\drivers\mbam.sys

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-06 03:04      ---------      d-----w      c:\documents and settings\Roberta\Application Data\MSN6
2009-04-06 02:17      ---------      d-----w      c:\program files\Web Publish
2009-04-04 19:30      ---------      d-----w      c:\documents and settings\All Users\Application Data\avg8
2009-03-29 19:44      ---------      d-----w      c:\program files\Glary Utilities
2009-03-29 19:38      ---------      d---a-w      c:\documents and settings\All Users\Application Data\TEMP
2009-03-29 19:38      ---------      d-----w      c:\program files\SpywareBlaster
2009-03-29 19:35      ---------      d-----w      c:\program files\SUPERAntiSpyware
2009-03-12 17:01      ---------      d-----w      c:\documents and settings\Roberta\Application Data\Wal-Mart Digital Photo Manager
2009-03-04 18:27      ---------      d-----w      c:\program files\Google
2009-02-24 07:48      ---------      d-----w      c:\program files\HP
2009-02-24 07:48      ---------      d-----w      c:\program files\Hewlett-Packard
2008-12-16 06:32      20      ---h--w      c:\documents and settings\All Users\Application Data\PKP_DLec.DAT
2008-04-22 21:57      71,992      ------w      c:\documents and settings\Roberta\Application Data\GDIPFONTCACHEV1.DAT
2008-11-27 21:25      32,768      --sha-w      c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008112720081128\index.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\System32\NVMCTRAY.DLL" [2003-10-06 49152]
"MsnMsgr"="c:\program files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 5674352]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-05 68856]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-29 1830128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2003-03-11 774144]
"IMONTRAY"="c:\program files\Intel\Intel(R) Active Monitor\imontray.exe" [2003-01-10 32768]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"IntelliType"="c:\program files\Microsoft Hardware\Keyboard\type32.exe" [2002-03-21 94208]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-08-11 188416]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 241664]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-09-13 50688]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-02-03 1851392]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-25 136600]
"PDUiP6700DMon"="c:\program files\Canon\Memory Card Utility\iP6700D\PDUiP6700DMon.exe" [2006-03-16 61440]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-21 1191936]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-02-16 1169776]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-02-16 1945960]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-02-16 149024]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-04 1932568]
"nwiz"="nwiz.exe" [2003-10-06 c:\windows\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\Roberta\Start Menu\Programs\Startup\
AVG Free Tray Icon.lnk - c:\program files\AVG\AVG8\avgtray.exe [2009-04-04 1932568]
SUPERAntiSpyware Free Edition.lnk - c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2007-01-10 1830128]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-09-27 113664]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 29696]
ExifLauncher2.lnk - c:\program files\FinePixViewer\QuickDCF2.exe [2008-12-06 303104]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2003-07-07 233472]
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2007-02-20 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]
NkbMonitor.exe.lnk - c:\program files\Nikon\PictureProject\NkbMonitor.exe [2007-09-05 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-21 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-03 00:23 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-04 12:31 10520 c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"REGSHAVE"=c:\program files\REGSHAVE\REGSHAVE.EXE /AUTORUN

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\MSN\\MSNCoreFiles\\msn.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SUPERANTISPYWARE.EXE"=
"c:\\Program Files\\SUPERAntiSpyware\\SSUPDATE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgtray.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgui.exe"=
"c:\\Program Files\\Glary Utilities\\Integrator.exe"=
"c:\\Program Files\\SUPERAntiSpyware\\SASINST.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-04-04 325640]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-04-04 107912]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-01-09 55024]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2009-04-04 908056]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-04 298264]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 DUBE100;D-Link DUB-E100 USB 2.0 Fast Ethernet Adapter;c:\windows\system32\drivers\DUBE100.sys [2003-09-27 13594]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7a1fb76-2bb9-11db-a586-0050bfe8bc14}]
\Shell\AutoRun\command - H:\LaunchU3.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-06 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-03-23 09:49]

2009-04-06 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = 127.0.0.1
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office10\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Roberta\Application Data\Mozilla\Firefox\Profiles\m7oy4nui.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\ToolbarFF\components\vmAVGConnector.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-05 22:32:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(712)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\documents and settings\Roberta\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

- - - - - - - > 'lsass.exe'(768)
c:\windows\system32\relog_ap.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\incdsrv.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\windows\system32\bgsvcgen.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\program files\Intel\Intel(R) Active Monitor\imonNT.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2009-04-05 22:37:08 - machine was rebooted [Roberta]
ComboFix-quarantined-files.txt  2009-04-06 05:37:05
ComboFix2.txt  2009-04-06 00:49:54

Pre-Run: 59,470,389,248 bytes free
Post-Run: 59,413,311,488 bytes free

188      --- E O F ---      2009-03-23 16:01:12
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24075109
No problem...thanks for the log and thank you for the compliment, so nice of you :)

Yes, the registry is fixed... confirmed by the combofix log.
Considering what you said - that you're not overly comfortable with editing the registry... you did very well, :)

Next time you have access to the pc, you can uninstall Combofix.
Go to Start > Run and copy and paste the next command into the field:

ComboFix /u

The above command will remove Combofix and its files, will delete the created backup and reset System Restore.

Thanks!
0
 

Author Comment

by:deonc
ID: 24083253
Thanks.  I'm an aspiring geek, lots to learn though.

Any ideas on how to clean out the external hard drive that used to be attached to this machine without infecting another machine?  :)  I do have an Ubuntu laptop that I wondered if I could use.  I don't know if Ubuntu is susceptible to the worm or not.

Anyway - thanks a million!  ;)
0
 
LVL 15

Expert Comment

by:greyknight17
ID: 24092952
You can run the malware scans (Malwarebytes', SUPERAntiSpyware, etc.) on the external hard drive as well if you think it's infected.
0
 

Author Comment

by:deonc
ID: 24100988
But if it's a worm doesn't connecting the USB immediately threaten the machine it's hooked up to?  I guess there isn't a lot of choice.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 24104375
It should be alright... if you're only accessing the external drive to scan it. You're not working on it, opening/saving files, etc.
0
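As an added example (not code from the thread or any of its participants): one way to do the external-drive scan discussed above from the Ubuntu laptop, with the drive mounted read-only and non-executable so nothing on it can run or be changed while it is examined. It assumes the drive appears as /dev/sdb1, that ClamAV (clamscan) is installed, and that it runs as root; those are assumptions of mine, not details from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: scan an external USB drive from an
# Ubuntu host while preventing anything on it from executing or being changed.
# Assumptions: the drive is /dev/sdb1, ClamAV (clamscan) is installed, and the
# script runs as root. Usage: sh usb_scan.sh /dev/sdb1 /mnt/usb
set -e

# Mount read-only with noexec/nosuid/nodev: Linux never acts on autorun.inf,
# and with these flags nothing on the drive can run or be written while we
# look at it, so the scanning host stays clean.
mount_readonly() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt"
}

# List what a Windows XP machine would launch from this drive: every
# open= / shellexecute= value in autorun.inf (case-insensitive, CRLF-safe).
# Returns 1 when no autorun.inf exists; otherwise prints one target per line.
autorun_targets() {
    inf=$(find "$1" -maxdepth 1 -iname autorun.inf | head -n 1)
    [ -n "$inf" ] || return 1
    tr -d '\r' < "$inf" \
        | grep -i -E '^[[:space:]]*(open|shellexecute)[[:space:]]*=' \
        | sed 's/^[^=]*=[[:space:]]*//'
}

# Recursive ClamAV scan; only infected files are reported and logged.
# clamscan exits 1 when it finds something (2 on error), so tolerate that.
scan_drive() {
    clamscan -r -i --log=/root/usb-scan.log "$1"
}

main() {
    mount_readonly "$1" "$2"
    if targets=$(autorun_targets "$2"); then
        echo "autorun.inf found; on Windows it would launch:"
        echo "$targets"
    fi
    scan_drive "$2" || echo "clamscan found infections or failed; see /root/usb-scan.log"
    umount "$2"
}

# Run only when invoked with a device and mount point (keeps the functions
# usable when the file is sourced).
if [ "$#" -eq 2 ]; then
    main "$1" "$2"
fi
```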
