Solved cant access any files and programs.

I'd like to see what some files are about since they came back. Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

http://www.windowsbbs.com/newreply.php?do=newreply&noquote=1&p=428142

Suspect::[22]
c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_vf.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_tn.wav

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


Please note that I have instructed CFScript to collect some files for analysis. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send.
Thanks!


Is your connection still playing up?

 

My connection is running fine again.. It was set to a lower speed in the registry and a lot of keys were apparently absent as well. I downloaded TCPoptimiser, and it did a great job. My connection runs just fine now!
I have reinstalled Comodo (This time the whole security pack -Firewall+antivir)
and it gaves me again a big headach; Even when I thought it was turned off, it didnt want to let ComboFix run!
But it successed, and the zip file has been sendt (I hope Comodo didnt interfered too much) and here is the log:

ComboFix 08-11-22.02 - Hugues 2008-11-23 19:06:10.17 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.671 [GMT 1:00]
Running from: C:\ComboFix.exe
Command switches used :: C:\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-10-23 to 2008-11-23 )))))))))))))))))))))))))))))))
.

2008-11-23 18:54 . 2008-11-23 18:54 143,096 --a------ c:\windows\system32\guard32.dll
2008-11-23 18:54 . 2008-11-23 18:54 99,216 --a------ c:\windows\system32\drivers\cmdguard.sys
2008-11-23 18:54 . 2008-11-23 18:54 31,504 --a------ c:\windows\system32\drivers\cmdhlp.sys
2008-11-22 14:22 . 2008-11-22 14:22 <DIR> d-------- c:\program files\Tweaking Toolbox XP 2
2008-11-22 14:22 . 2008-11-22 14:23 122 --a------ c:\windows\_vmtel.INI
2008-11-22 13:23 . 2008-11-22 13:23 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Avg8
2008-11-21 22:13 . 2008-11-21 22:13 <DIR> d-------- c:\program files\Digital Dutch
2008-11-19 21:16 . 2008-11-19 21:26 <DIR> d-------- c:\program files\CD-Cover Editor
2008-11-18 23:44 . 2008-11-18 23:44 16,244 --a------ c:\windows\system32\rrt_is.wav
2008-11-18 23:44 . 2008-11-18 23:44 7,302 --a------ c:\windows\system32\rrt_vf.wav
2008-11-18 23:44 . 2008-11-18 23:44 7,148 --a------ c:\windows\system32\rrt_tv.wav
2008-11-18 23:44 . 2008-11-18 23:44 6,282 --a------ c:\windows\system32\rrt_tn.wav
2008-11-15 23:30 . 2008-11-15 23:30 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-15 23:30 . 2008-11-15 23:34 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-11-15 13:53 . 2008-11-15 13:53 <DIR> d-------- c:\documents and settings\Administrator.H-V6CG5K9NS9FZA\Application Data\WinPatrol
2008-11-14 18:43 . 2008-11-14 18:43 <DIR> d-------- c:\documents and settings\Hugues1
2008-11-13 19:16 . 2008-09-04 18:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-13 19:16 . 2008-10-24 12:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-11 15:07 . 2008-11-23 19:01 3,052,161 -ra------ C:\ComboFix.exe
2008-11-09 20:37 . 2008-11-18 21:14 <DIR> d-------- C:\rsit
2008-11-09 18:30 . 2008-11-09 18:30 <DIR> d-------- c:\program files\Ace Utilities
2008-11-09 17:48 . 2008-11-09 17:48 <DIR> d-------- c:\documents and settings\Guest
2008-11-09 12:28 . 2004-08-04 00:56 33,280 --a------ c:\windows\system32\rundll32.exe
2008-10-28 17:46 . 2008-10-28 17:46 <DIR> d--h----- c:\windows\system32\GroupPolicy
2008-10-24 13:59 . 2008-10-15 17:34 337,408 --a--c--- c:\windows\system32\dllcache\netapi32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-23 17:58 --------- d-----w c:\program files\SPAMfighter
2008-11-23 17:57 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\Comodo
2008-11-23 17:54 --------- d-----w c:\program files\COMODO
2008-11-18 22:42 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\Comodo
2008-11-13 21:09 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\Apple Computer
2008-10-28 19:52 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-22 15:10 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-10-22 15:10 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-12 01:46 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\BitTorrent
2008-10-03 14:48 --------- d-----w c:\program files\VDMSound
2008-09-28 22:21 249,592 ----a-w c:\windows\system32\cssdll32.dll
2008-09-28 22:21 --------- d-----w c:\program files\AskSBar
2008-09-26 13:35 --------- d-----w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\SPAMfighter
2008-09-23 15:46 245,408 ----a-w c:\windows\system32\unicows.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ----a-w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-06-28 21:47 22,328 ----a-w c:\documents and settings\Hugues.H-V6CG5K9NS9FZA\Application Data\PnkBstrK.sys
2007-03-30 22:44 356,352 ----a-w c:\documents and settings\Hugues.HOME\cwshredder.dll
2006-10-08 13:36 81,920 -c--a-w c:\documents and settings\Hugues.HOME\Application Data\ezpinst.exe
2006-10-08 13:36 47,360 -c--a-w c:\documents and settings\Hugues.HOME\Application Data\pcouffin.sys
2006-01-31 15:28 85,428 -c--a-w c:\program files\Uninstal.exe
2006-01-21 14:45 302 -c--a-w c:\program files\Utils.ini
2006-01-21 13:28 1,655 -c--a-w c:\program files\Config.ini
2006-01-15 20:28 2,238 -c--a-w c:\program files\chawkizzico.ico
2005-09-09 18:55 7,155,864 -c--a-w c:\program files\NGhost10.msi
2005-09-09 18:55 37,766,164 -c--a-w c:\program files\Data1.cab
2005-09-09 18:55 35 -c--a-w c:\program files\SCSSDist.ini
2004-09-28 02:00 26,240 ----a-w c:\windows\inf\RAMDSK.SYS
2004-04-07 15:59 19 -c--a-w c:\program files\Answer.txt
2003-07-12 02:58 777 -c--a-w c:\program files\trial_setup.ini
2003-07-12 02:58 40,448 -c--a-w c:\program files\trial_setup.exe
2003-07-12 02:58 4,226,048 -c--a-w c:\program files\trial_setup.msi
2003-06-15 20:55 560 -c--a-w c:\program files\Global.sw
2003-04-17 08:16 447,616 ----a-w c:\windows\inf\EL2K_N64.sys
2003-04-17 08:15 147,328 ----a-w c:\windows\inf\EL2K_XP.sys
2003-04-17 08:15 147,200 ----a-w c:\windows\inf\EL2K_2K.sys
2001-06-03 07:35 395 -c--a-w c:\program files\Read_me_first.txt
2001-05-31 23:02 40,582 -c--a-w c:\program files\060101.seu
2001-05-31 23:01 8,198 -c--a-w c:\program files\Serials2000.nfo
2001-05-31 23:01 528 -c--a-w c:\program files\file_id.diz
.

((((((((((((((((((((((((((((( snapshot@2008-11-11_15.21.40.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-09-10 01:10:56 1,379,840 ----a-w c:\windows\$hf_mig$\KB954459\SP3QFE\msxml6.dll
+ 2007-11-30 12:39:22 17,272 ----a-w c:\windows\$hf_mig$\KB954459\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w c:\windows\$hf_mig$\KB954459\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w c:\windows\$hf_mig$\KB954459\update\spcustom.dll
+ 2007-11-30 12:39:22 755,576 ----a-w c:\windows\$hf_mig$\KB954459\update\update.exe
+ 2007-11-30 12:39:22 382,840 ----a-w c:\windows\$hf_mig$\KB954459\update\updspapi.dll
+ 2008-10-24 11:21:09 455,296 ------w c:\windows\Driver Cache\i386\mrxsmb.sys
- 2008-10-17 01:59:23 38,240 ----a-r c:\windows\Installer\{90120000-0020-0406-0000-0000000FF1CE}\O12ConvIcon.exe
+ 2008-11-19 16:12:10 38,240 ----a-r c:\windows\Installer\{90120000-0020-0406-0000-0000000FF1CE}\O12ConvIcon.exe
- 2008-07-18 20:10:48 94,920 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 13:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2008-04-14 00:12:01 1,306,624 -c----w c:\windows\system32\dllcache\msxml6.dll
+ 2008-09-10 01:14:56 1,307,648 -c--a-w c:\windows\system32\dllcache\msxml6.dll
- 2008-07-18 20:09:44 563,912 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 13:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2008-07-18 20:10:42 53,448 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 13:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2008-07-18 20:09:42 1,811,656 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 13:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2008-07-18 20:09:46 325,832 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 13:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2008-07-18 20:10:20 36,552 -c--a-w c:\windows\system32\dllcache\wups.dll
+ 2008-10-16 13:08:58 34,328 -c--a-w c:\windows\system32\dllcache\wups.dll
- 2008-07-18 20:09:44 205,000 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 13:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
- 2008-10-30 23:16:59 79,504 ----a-w c:\windows\system32\drivers\inspect.sys
+ 2008-11-23 17:54:34 79,504 ----a-w c:\windows\system32\drivers\inspect.sys
- 2008-10-17 09:13:18 251,088 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2008-11-18 15:21:25 251,088 ----a-w c:\windows\system32\FNTCACHE.DAT
- 2008-10-07 19:19:40 16,721,856 ----a-w c:\windows\system32\MRT.exe
+ 2008-11-04 00:10:25 17,318,336 ----a-w c:\windows\system32\MRT.exe
+ 2008-10-16 13:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 13:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
- 2007-11-30 11:18:51 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-07-08 13:02:01 17,272 ------w c:\windows\system32\spmsg.dll
+ 2008-11-23 17:57:19 16,384 ----atw c:\windows\temp\Perflib_Perfdata_794.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MsnMsgr "= "c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]
"NVIDIA nTune "= "c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-04-04 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon "= "c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"WinPatrol "= "c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"AppleSyncNotifier "= "c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task "= "c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"SPAMfighter Agent "= "c:\program files\SPAMfighter\SFAgent.exe" [2008-09-22 324232]
"COMODO Internet Security "= "c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2008-11-23 1796856]
"nwiz "= "nwiz.exe" [2008-05-02 c:\windows\system32\nwiz.exe]
"CTHelper "= "CTHELPER.EXE" [2006-08-11 c:\windows\CTHELPER.EXE]
"CTxfiHlp "= "CTXFIHLP.EXE" [2006-08-11 c:\windows\system32\CTXFIHLP.EXE]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Reader Hurtigstart.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive "= 0 (0x0)
"NoLogoff "= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls "= c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2008-04-14 01:12 1695232 c:\program files\messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2008-05-02 21:46 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-05-28 09:33 1506544 c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"PnkBstrA "=2 (0x2)
"PACSPTISVR "=3 (0x3)
"MSCSPTISRV "=3 (0x3)
"IDriverT "=3 (0x3)
"IcVzMonLauncher "=3 (0x3)
"Bonjour Service "=2 (0x2)
"AcrSch2Svc "=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\Program Files\\messenger\\msmsgs.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe "=
"c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe "=
"c:\\WINDOWS\\system32\\PnkBstrA.exe "=
"c:\\WINDOWS\\system32\\PnkBstrB.exe "=
"c:\\Program Files\\iTunes\\iTunes.exe "=
"%windir%\\Network Diagnostic\\xpnetdiag.exe "=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe "=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe "=
"c:\\Program Files\\BitTorrent\\bittorrent.exe "=

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\DRIVERS\cmdguard.sys [2008-11-23 99216]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\DRIVERS\cmdhlp.sys [2008-11-23 31504]
R2 SPAMfighter Update Service;SPAMfighter Update Service; "c:\program files\SPAMfighter\sfus.exe" [2008-09-22 184968]
S0 NVStrap;NVStrap;c:\windows\system32\drivers\NVStrap.sys [2007-05-18 4224]
S3 ICScsiSV;Image Converter SCSI Service;c:\program files\Sony\IMAGE CONVERTER 3\ICScsiSV.exe [2008-04-13 75952]
S3 Image Converter video recording monitor for VAIO Entertainment;Image Converter video recording monitor for VAIO Entertainment;c:\program files\Sony\IMAGE CONVERTER 3\IcVzMon.exe [2008-04-13 43184]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2007-12-16 3768]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-01-25 42000]
S3 SndTDriverV32;SndTDriverV32;c:\windows\system32\drivers\SndTDriverV32.sys [2007-12-16 513152]
S4 hpt3xx;hpt3xx; []
S4 IcVzMonLauncher;IcVzMonLauncher; "c:\program files\Sony\IMAGE CONVERTER 3\IcVzMonLauncher.exe" [2008-04-13 67760]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 19:18:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-11-23 19:20:17
ComboFix-quarantined-files.txt 2008-11-23 18:20:13
ComboFix2.txt 2008-11-18 16:45:54
ComboFix3.txt 2008-11-17 00:10:43
ComboFix4.txt 2008-11-16 23:34:46
ComboFix5.txt 2008-11-18 17:26:06

Pre-Run: 14.531.518.464 bytes free
Post-Run: 14,888,296,448 bytes free

231 --- E O F --- 2008-11-19 16:14:55

 

I cannot find any information on those .wav files, nor do they appear to be valid files. They will not play with any media player. I recommend they be removed. You can delete them manually, then empty the recycle bin.

c:\windows\system32\rrt_is.wav
c:\windows\system32\rrt_vf.wav
c:\windows\system32\rrt_tv.wav
c:\windows\system32\rrt_tn.wav


Lets clean up now. You may need to again shut down Comodo so it does not interfere. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing any infected files there as well.
Verify the C:\Qoobox and C:\ComboFix folders were removed, as well as the C:\ComboFix.txt file.
You can delete any other logs that were created/saved too.

Provided there are no other issues, I'd say we're finished here.

 

I have deleted the rrt.* files as asked, and ran uninstallation of combofix, and everything have run smooth! Sorry for the delay, I have been busy these last days!
I really want to thank you for the great help you have given me! Without it, I would have reinstalled (and lost!) everything!
Yes were finished, and you can close this thread/case! :-D
-Maroan

 

I'm happy to hear all is well, and glad I could help. Geri has posted some very helpful information and recommendations regarding future protection in the following link.

http://www.windowsbbs.com/showthread.php?t=67958

Surf safe!