Avira Scan Report
Hi Rik,
I did that and left ComboFix running. It did its thing and rebooted. Unfortunately it did not create C:\Combofix.txt
It created two new folders:
C:\Combofix 10.8 MB containing 242 files, including
\combofix.txt>
ComboFix 10-06-14.02 - bob 14/06/2010 23:06:25.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1545 [GMT 1:00]
Running from: C:\Users\bob\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
_________________
The other folder created is C:\Qoobox, 887 KB containing 35 files, 14 folders.
I do not understand what that is all about?
I did find this YouTube demo for ComboFix > http://www.youtube.com/watch?v=7PRWXVD_8-8
"A nation's greatness is measured by how it treats its weakest members." ~ Mahatma Gandhi
Ride hard or stay home
\combofix.txt>
ComboFix 10-06-14.02 - bob 14/06/2010 23:06:25.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1545 [GMT 1:00]
Running from: C:\Users\bob\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
That's what I'm after (and the rest, obviously)
That's what I'm after (and the rest, obviously)
Hi RIK,
That is all there was. I guess it didn't work properly and the application may have terminated prematurely? I am very reluctant to try it again. I am not impressed with the 10.8 MB + 887 KB of what I guess are backup files the program left on my PC.
It appears there was an issue with ComboFix? See here >
ComboFix is not available for download until an issue with the program has been resolved. Please be patient while the developer fixes the program and makes it available once again. As more information becomes available, we will update this page.
Read more: http://www.d-a-l.com/help/latest-software-security-updates/67434-combofix-warning-bleepingcomputer.html#ixzz0qv330Qlu
It appears there is an issue with Combofix? See here>
If you check the date for that thread, it was for Dec 2009. ComboFix is working fine and has had no problems since last year.
Here's a link to a tutorial on how to use ComboFix, but only use it when directed to.......
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
If you check the date for that thread, it was for Dec 2009. ComboFix is working fine and has had no problems since last year.
Sorry for the misquote :o
For whatever reason ComboFix did not work on my PC. At start-up, I get the blue ComboFix screen > http://www.bleepingcomputer.com/forums/lofiversion/index.php/t220811.html
When you boot, bring up Task Manager and let us know what's taking up all the CPU
For whatever reason ComboFix did not work on my PC. At start-up, I get the blue ComboFix screen > http://www.bleepingcomputer.com/forums/lofiversion/index.php/t220811.html
Hi missile
No problem. If you wait till RIK pops up, or one of the others who are au fait with ComboFix, he/they will be able to advise you further.
When you boot, bring up Task Manager and let us know what's taking up all the CPU
I have re-installed and updated ComboFix and it worked perfectly this time round :j. Please see the attached log file >
ComboFix 10-06-14.03 - bob 15/06/2010 12:44:54.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2046.1060 [GMT 1:00]
Running from: c:\users\bob\Downloads\ComboFix.exe
Command switches used :: /u
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run
.
c:\users\bob\AppData\Local\Temp\CmdLineExt.dll
c:\windows\system32\%appdata%
c:\windows\system32\dumphive.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Service_NPF
((((((((((((((((((((((((( Files Created from 2010-05-15 to 2010-06-15 )))))))))))))))))))))))))))))))
.
No new files created in this timespan
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-14 23:38 . 2009-12-23 14:39 -------- d-----w- c:\program files\NETGEAR
2010-06-14 17:39 . 2009-01-26 11:29 -------- d-----w- c:\progra~2\NOS
2010-06-14 11:23 . 2007-12-12 22:32 42369 ----a-w- c:\users\bob\AppData\Roaming\nvModes.dat
2010-06-09 02:41 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-06-09 02:14 . 2007-07-27 21:33 -------- d-----w- c:\progra~2\Microsoft Help
2010-06-07 19:27 . 2009-10-30 11:06 -------- d-----w- c:\program files\Defraggler
2010-06-07 18:07 . 2007-12-28 06:57 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2010-06-07 18:06 . 2010-06-07 18:05 -------- d-----w- c:\program files\CCleaner
2010-06-06 21:55 . 2009-05-31 13:46 -------- d-----w- c:\program files\SpywareBlaster
2010-06-06 12:21 . 2009-08-16 09:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-05-26 17:06 . 2010-06-09 01:17 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-09 01:17 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-26 14:43 . 2010-01-22 02:12 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-05-12 10:21 . 2009-10-13 07:00 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-05 22:04 . 2007-12-14 18:11 -------- d-----w- c:\users\bob\AppData\Roaming\Skype
2010-05-05 16:32 . 2009-08-11 07:51 -------- d-----w- c:\users\bob\AppData\Roaming\skypePM
2010-05-04 05:59 . 2010-06-09 01:17 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 05:55 . 2010-06-09 01:17 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-05-04 05:55 . 2010-06-09 01:17 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-05-04 04:31 . 2010-06-09 01:17 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-05-02 09:15 . 2009-07-07 04:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-02 04:49 . 2007-07-26 20:45 -------- d-----w- c:\program files\Google
2010-05-01 14:13 . 2010-06-09 01:17 2037248 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 14:39 . 2009-07-07 04:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-07-07 04:24 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-23 14:13 . 2010-05-26 08:27 2048 ----a-w- c:\windows\system32\tzres.dll
2010-04-05 17:01 . 2010-06-09 01:17 67072 ----a-w- c:\windows\system32\asycfilt.dll
2009-03-29 13:25 . 2009-03-28 21:44 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
2009-03-29 13:25 . 2009-03-28 21:44 2048 --sha-w- c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
2009-08-21 22:25 . 2009-02-19 11:49 952 --sha-w- c:\windows\System32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"AppMon Utility"="c:\program files\Sony\AppMonUtil\AppMonUtility.exe" [2007-07-12 534392]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-07 86016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-07 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-07-25 02:26 98304 ----a-w- c:\windows\System32\VESWinlogon.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX4800 Series]
2005-02-02 04:00 98304 ----a-w- c:\windows\System32\spool\drivers\w32x86\3\E_FATIADE.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 10:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-01-22 19:16 141608 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-10-21 09:26 1032640 ----a-w- c:\program files\Kontiki\KHost.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-07 02:35 8534560 ----a-w- c:\windows\System32\nvcpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-10 23:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 10:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
2009-11-13 11:31 247144 ----a-w- c:\program files\TomTom HOME 2\TomTomHOMERunner.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):a0,ad,21,fa,2a,3b,ca,01
R2 gupdate1c9da27f532e8b6;Google Update Service (gupdate1c9da27f532e8b6);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 133104]
R2 ioloFileInfoList;iolo FileInfoList Service; [x]
R2 ioloSystemService;iolo System Service; [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2007-11-02 18176]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2007-01-23 7680]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
R3 PLCND532;PLCND532 NDIS Protocol Driver;c:\windows\system32\Drivers\PLCND532.sys [2008-03-05 26656]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2008-05-13 7408]
R3 ST330;ST330;c:\windows\system32\drivers\st330.sys [2007-12-13 30464]
R3 STBUS;STBUS;c:\windows\system32\drivers\stbus.sys [2007-12-13 12672]
R3 stppp;Speedtouch PPP Adapter Adapter;c:\windows\system32\DRIVERS\stppp.sys [2007-12-13 35328]
R3 TfBulk;TfBulk;c:\windows\system32\DRIVERS\TfBulk.sys [2007-05-31 13312]
R3 VAIOMediaPlatform-UCLS-AppServer;VAIO Media Content Collection;c:\program files\Sony\VAIO Media Integrated Server\UCLS.exe [2007-01-10 745472]
R3 VAIOMediaPlatform-UCLS-HTTP;VAIO Media Content Collection (HTTP);c:\program files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2007-06-20 397312]
R3 VAIOMediaPlatform-UCLS-UPnP;VAIO Media Content Collection (UPnP);c:\program files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2007-06-20 1089536]
R3 VcmIAlzMgr;VAIO Content Metadata Intelligent Analyzing Manager;c:\program files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe [2008-03-03 333088]
R3 VcmXmlIfHelper;VAIO Content Metadata XML Interface;c:\program files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe [2008-03-17 87328]
R4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\PCPitstop\PCPitstopScheduleService.exe [2009-06-26 85504]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2007-12-31 715248]
S1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\elrawdsk.sys [2007-09-20 12800]
S1 RapportBuka;RapportBuka;c:\windows\system32\drivers\RapportBuka.sys [2010-02-25 390528]
S1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [2010-06-07 59240]
S1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [2010-06-07 166632]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2008-05-13 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2008-05-13 55024]
S2 AdobeActiveFileMonitor7.0;Adobe Active File Monitor V7;c:\program files\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe [2008-09-16 169312]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
S2 NSUService;NSUService;c:\program files\Sony\Network Utility\NSUService.exe [2008-11-03 299008]
S2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [2010-06-07 840936]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-04-18 11032]
S2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2007-10-15 1213728]
S2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [2009-11-13 92008]
S3 AVerM115S;AVerM115S service;c:\windows\system32\DRIVERS\AVerM115S.sys [2007-07-16 789504]
S3 R5U870FLx86;R5U870 UVC Lower Filter ;c:\windows\system32\Drivers\R5U870FLx86.sys [2007-04-20 73472]
S3 R5U870FUx86;R5U870 UVC Upper Filter ;c:\windows\system32\Drivers\R5U870FUx86.sys [2007-04-20 43904]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2007-06-06 812544]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 15:22]
2010-06-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 15:22]
.
.
Supplementary Scan
.
uStart Page = hxxp://sn131w.snt131.mail.live.com/default.aspx?wa=wsignin1.0
uInternet Settings,ProxyOverride = <local>
.
- - - - ORPHANS REMOVED - - - -
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-15 13:06
Windows 6.0.6002 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\TEMP\TMP00000010A54E51AB59B6B838
scan completed successfully
hidden files: 1
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys spxf.sys >>UNKNOWN [0x865D3944]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x899acd24
\Driver\ACPI -> acpi.sys @ 0x83e17d68
\Driver\atapi -> 0x8661d1f8
\Driver\iaStor -> iaStor.sys @ 0x83f7bd30
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK
**************************************************************************
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\st330service]
"ImagePath"="C:\Program Files/Thomson/ST330/service/st330service.exe -service"
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-2047142807-3487124776-2850989429-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
"??"=hex:ed,58,eb,4d,da,7c,e0,2a,84,e0,70,07,d2,0f,b3,72,1d,07,54,ee,06,d2,f2,
4c,58,a1,a3,9c,c5,11,d5,a7,1a,b4,33,78,3e,02,bf,37,76,d8,c5,1b,f7,81,03,3e,\
"??"=hex:dc,93,ea,63,b1,0b,e3,96,f9,d1,f5,71,73,7a,f5,c2
[HKEY_USERS\S-1-5-21-2047142807-3487124776-2850989429-1000\Software\SecuROM\License information*]
"datasecu"=hex:8a,ed,6c,41,54,0d,7f,3c,a3,cc,ff,05,31,7d,05,c6,9a,d3,e4,cb,4a,
3a,af,2c,d1,70,6c,eb,7c,03,c8,8f,d4,89,22,84,14,bf,be,27,56,9f,96,6b,dc,93,\
"rkeysecu"=hex:7a,27,04,2f,19,0c,49,c3,75,ef,02,b3,93,09,94,a1
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b4
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
DLLs Loaded Under Running Processes
- - - - - - - > 'Explorer.exe'(7540)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
.
Other Running Processes
.
c:\program files\Thomson\ST330\service\st330service.exe
c:\program files\Sony\VAIO Update 4\VAIOUpdt.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
c:\program files\Kontiki\KService.exe
c:\program files\CDBurnerXP\NMSAccessU.exe
c:\windows\system32\stacsv.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
c:\windows\system32\WUDFHost.exe
c:\windows\ehome\ehsched.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\ehome\ehRecvr.exe
c:\windows\system32\DllHost.exe
c:\program files\Windows Media Player\wmpnetwk.exe
.
**************************************************************************
.
Completion time: 2010-06-15 13:24:29 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-15 12:24
Pre-Run: 82,164,158,464 bytes free
Post-Run: 81,840,869,376 bytes free
- - End Of File - - 893BC667C5F8EA3E8BB959C8CE29C254
++++++++++++++++++++++++++++++++++++++++++++++
These are the contents of the ComboFix quarantine file >
2010-06-15 12:23:11 . 2010-06-15 12:23:11 942 ----a-w- C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-FlashPlayerUpdate.reg.dat
2010-06-15 12:23:09 . 2010-06-15 12:23:09 146 ----a-w- C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}.reg.dat
2010-06-14 22:16:28 . 2010-06-14 22:16:28 246 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Service_NPF.reg.dat
2010-06-14 22:16:06 . 2010-06-15 11:55:14 4,971 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2010-06-14 20:33:16 . 2010-06-15 11:44:54 317 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-12-30 09:45:13 . 2009-12-30 09:45:13 107,888 ----a-w- C:\Qoobox\Quarantine\C\Users\bob\AppData\Local\Temp\CmdLineExt.dll.vir
2009-09-22 09:12:06 . 2009-09-22 09:12:06 3,140 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\tmp.reg.vir
2009-09-22 09:11:07 . 2009-06-02 10:17:27 75,776 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\WS2Fix.exe.vir
2009-09-22 09:11:07 . 2004-07-31 17:50:36 51,200 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\dumphive.exe.vir
2009-09-22 09:11:07 . 2006-04-27 16:49:30 288,417 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\SrchSTS.exe.vir
2009-09-22 09:11:07 . 2007-09-05 23:22:23 289,144 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\VCCLSID.exe.vir
2009-09-22 09:11:07 . 2003-06-05 20:13:00 53,248 ----a-w- C:\Qoobox\Quarantine\C\Windows\System32\Process.exe.vir
+++++++++++++++++++++++++++++++++++++++++
I would appreciate your advice re these items. Please be advised that I no longer use AVG anti-virus, NETGEAR or ST330 modems. Plus any other problems you may have identified.
I am pleased to report C:\Combofix 10.8 MB containing 242 files, has been deleted this time round. Can I safely delete the Qoobox folder and files?
I shall try a few reboots and report re task manager.
Many thanks, Bob :beer:
c:\program files\NETGEAR
Uninstall anything NETGEAR-related and delete the folders
c:\program files\Thomson\ST330\service\st330service.exe
Go to ADMIN TOOLS and SERVICES and DISABLE the service
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
I wouldn't read too much into it.
But if you wish to scan for rootkits ~
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Done that and PC seems to be more responsive on reboot. This is info from Task Manager>
Processes 78 (all users)>
alg.exe
AppleMobileDeviceService.exe
AppMonUtility.exe
audiodg.exe
avguard.exe
csrss.exe
csrss.exe
dwm.exe
ehmsas.exe
ehrecvr.exe
ehtray.exe
explorer.exe
FlashUtil10h_ActiveX.exe
iexplore.exe
iexplore.exe
iPodService.exe
iviRegMgr.exe
jucheck.exe
KService.exe
lsass.exe
mDNSResponder.exe
MSASCui.exe
NSUService.exe
PhotoshopElementsFileAgent.exe
RapportMgmtService.exe
rundll32.exe
rundll32.exe
sched.exe
SearchFilterHost.exe
SearchIndexer.exe
SearchProtocolHost.exe
services.exe
SLsvc.exe
smss.exe
sprtlisten.exe
stacsv.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
System
System Idle Process
taskeng.exe
taskeng.exe
taskeng.exe
TomTomHOMEService.exe
unsecapp.exe
VAIOUpdt.exe
VCSW.exe
VESMgrSub.exe
VzCdbSvc.exe
VzFw.exe
wininit.exe
winlogon.exe
WmiPrvSE.exe
wmplayer.exe
wmpnetwk.exe
wmpnscfg.exe
WUDFHost.exe
XAudio.exe
CPU Usage 3% with occasional spikes
Physical Memory Usage 49% @ 0.99 GB
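Rik's reply picks out the lines of Bob's log that matter (the NETGEAR and ST330 leftovers, the MBR detector's warning), and the Task Manager list was asked for to see what is actually running. The script below is an added example, not part of this thread and not ComboFix's own code: it pulls the same first-pass checks out of a ComboFix log (AV/SP products reported disabled or outdated, Security Center monitoring switched off, services whose image file ComboFix marked `[x]`, the hidden-file count, and the MBR detector's result including any unknown module in the disk stack), then reconciles a Task Manager process list against every image path the log mentions. SAMPLE_LOG and SAMPLE_TASKS are constructed excerpts of what Bob posted; how the lines are interpreted (that `[x]` means no image file was found, that the R/S prefix means running/stopped, that an "unexplained" process is one the log never attributes to a file) is this example's own reading of ComboFix's output, not documentation from its author.

```python
"""Triage helpers for a ComboFix log.

Added example for this thread; not part of ComboFix or of any post in it.
SAMPLE_LOG and SAMPLE_TASKS are constructed excerpts of the log and Task
Manager list Bob posted. Which lines count as a finding is this example's
own reading of the log format (assumption), not ComboFix's logic.
"""
import json
import re

SAMPLE_LOG = r"""
ComboFix 10-06-14.03 - bob 15/06/2010 12:44:54.1.2 - x86
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
R2 gupdate1c9da27f532e8b6;Google Update Service (gupdate1c9da27f532e8b6);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-21 133104]
R2 ioloFileInfoList;iolo FileInfoList Service; [x]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2007-12-31 715248]
c:\windows\TEMP\TMP00000010A54E51AB59B6B838
hidden files: 1
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys spxf.sys >>UNKNOWN [0x865D3944]<<
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->Warning: possible MBR rootkit infection !
user & kernel MBR OK
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Kontiki\KService.exe
"""

# Constructed subset of the Task Manager list posted in the thread.
SAMPLE_TASKS = ["avguard.exe", "KService.exe", "svchost.exe", "svchost.exe",
                "jucheck.exe", "lsass.exe"]

# "AV: <product> *<state>* (<freshness>) {clsid}"  (also SP:/FW: lines)
PROTECTION_RE = re.compile(r"^(AV|SP|FW): (.+?) \*(.+?)\*(?: \((\w+)\))?")
# "<R|S><start type> <name>;<display name>;<image> [date size]"
SERVICE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*)$")
IMAGE_SUFFIX_RE = re.compile(r"^(.*?)(?:\s+\[\d{4}-\d{2}-\d{2} \d+\])?$")
HIDDEN_RE = re.compile(r"^hidden files: (\d+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
# Any drive-letter path ending in exe/dll/sys, confined to one line.
IMAGE_PATH_RE = re.compile(r'[a-z]:[\\/][^"\[\]\r\n]+?\.(?:exe|dll|sys)', re.IGNORECASE)


def parse_services(log_text):
    """One dict per R*/S* line. Assumption: '[x]' means ComboFix found no image file."""
    services = []
    for line in log_text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if not m:
            continue
        state, start, name, display, rest = m.groups()
        image = IMAGE_SUFFIX_RE.match(rest.strip()).group(1)   # drop the "[date size]" tail
        services.append({"name": name.strip(), "display": display.strip(),
                         "running": state == "R", "start_type": int(start),
                         "image": image, "missing": image == "[x]"})
    return services


def triage(log_text):
    """The checks a responder reads first, as a dict (see keys below)."""
    report = {"protection_gaps": [], "monitoring_disabled": [], "missing_services": [],
              "hidden_files": 0,
              "mbr": {"warning": False, "unknown_module": None, "sectors_match": False}}
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROTECTION_RE.match(line)
        if m:
            kind, product, state, freshness = m.groups()
            if "disabled" in state.lower() or freshness == "Outdated":
                report["protection_gaps"].append(
                    f"{kind} {product}: {state} ({freshness or 'status unknown'})")
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]            # registry key the following values belong to
            continue
        m = re.match(r'^"DisableMonitoring"=dword:([0-9a-fA-F]+)$', line)
        if m and "security center" in current_key.lower() and int(m.group(1), 16) == 1:
            report["monitoring_disabled"].append(current_key)
            continue
        m = HIDDEN_RE.match(line)
        if m:
            report["hidden_files"] = int(m.group(1))
            continue
        m = UNKNOWN_RE.search(line)             # unrecognised module in the disk I/O path
        if m:
            report["mbr"]["unknown_module"] = m.group(1)
        if "possible MBR rootkit infection" in line:
            report["mbr"]["warning"] = True
        if line == "user & kernel MBR OK":     # user-mode and kernel reads of the MBR agreed
            report["mbr"]["sectors_match"] = True
    report["missing_services"] = [s["name"] for s in parse_services(log_text) if s["missing"]]
    return report


def unexplained_processes(log_text, task_manager_names, expected_system=()):
    """Task Manager names that no path in the log accounts for (duplicates collapsed).

    Assumption: such a name is a to-do for hand inspection, not a verdict.
    """
    known = {re.split(r"[\\/]", m.group(0))[-1].lower() for m in IMAGE_PATH_RE.finditer(log_text)}
    known.update(n.lower() for n in expected_system)
    return sorted({n for n in task_manager_names if n.lower() not in known}, key=str.lower)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
    print("unexplained:", unexplained_processes(SAMPLE_LOG, SAMPLE_TASKS,
                                                expected_system=("svchost.exe", "lsass.exe")))
```

Run as-is it prints the report for the excerpt; point `triage()` at a full ComboFix.txt to get the same summary for a real log. Core Windows names such as svchost.exe and lsass.exe are passed as expected system processes so they do not clutter the reconciliation, and anything left over (here jucheck.exe) is what you go and identify by path and signature before deciding it is a problem.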