beaverteeth92

  1. It's fixed permanently. Thanks so much! For the future, should I keep that script saved somewhere in case Userinit gets infected again? Or is that only for that one use?
  2. ComboFix 09-05-02.4 - Brandon Sherman 05/02/2009 16:21.2 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.278 [GMT -4:00]
     Running from: c:\documents and settings\Brandon Sherman\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\Brandon Sherman\Desktop\CFScript.txt
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\docume~1\BRANDO~1\LOCALS~1\Temp\ovfsthitqsbcjpec.tmp
     c:\docume~1\BRANDO~1\LOCALS~1\Temp\ovfsthivteqvuexn.tmp
     c:\docume~1\BRANDO~1\LOCALS~1\Temp\ovfsthqriyusprxv.tmp
     c:\docume~1\BRANDO~1\LOCALS~1\Temp\ovfsthx000
     c:\windows\system32\drivers\ovfsthdlthqnghdhuvmenjwurwwfirvnpxuiyc.sys
     c:\windows\system32\lmppcsetup.exe
     c:\windows\system32\ovfsthelxfmtvpuxiiqmttfipabajxwafwppxs.dat
     c:\windows\system32\ovfsthjamsjbtrhixwuoacqrswhdwmafahekdu.dll
     c:\windows\system32\ovfsthlvjlkibcimfpteyqqclnjgyktnltywba.dll
     c:\windows\system32\ovfsthpbavlbdssoehyiglkonwuffwqbimpvay.dll
     c:\windows\system32\ovfsthqstdlrusieqqarjpvyrlkolgdxwnevmp.dat
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Service_mpboyno

     ((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
     .
     2009-05-02 02:03 . 2009-05-02 02:03 -------- d-----w c:\program files\Trend Micro
     2009-05-01 01:35 . 2009-05-02 03:59 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\BitTorrent
     2009-05-01 01:35 . 2009-05-01 01:35 -------- d-----w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\DNA
     2009-05-01 01:35 . 2009-05-02 20:25 -------- d-----w c:\program files\DNA
     2009-05-01 01:35 . 2009-05-02 20:25 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\DNA
     2009-05-01 01:35 . 2009-05-01 01:35 -------- d-----w c:\program files\BitTorrent
     2009-05-01 01:35 . 2009-05-01 01:35 -------- d-----w c:\program files\AskSearch
     2009-05-01 01:33 . 2009-05-01 01:33 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\Apple Computer
     2009-05-01 01:33 . 2009-03-19 20:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
     2009-05-01 01:33 . 2008-04-17 16:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
     2009-05-01 01:30 . 2009-05-01 01:30 -------- d-----w c:\program files\Common Files\Hewlett-Packard
     2009-05-01 01:29 . 2009-05-01 01:29 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
     2009-05-01 01:29 . 2007-03-15 19:32 118272 ----a-w c:\windows\system32\hpz3l5ha.dll
     2009-05-01 01:28 . 2001-08-17 17:53 6784 ----a-w c:\windows\system32\dllcache\serscan.sys
     2009-05-01 01:28 . 2001-08-17 17:53 6784 ----a-w c:\windows\system32\drivers\serscan.sys
     2009-05-01 01:23 . 2007-12-07 15:55 271704 ----a-w c:\windows\system32\hpzids01.dll
     2009-05-01 01:23 . 2007-11-02 02:28 970752 ----a-w c:\windows\system32\hpotiop5.dll
     2009-05-01 01:23 . 2007-11-02 02:28 303104 ----a-w c:\windows\system32\hpovst12.dll
     2009-05-01 01:23 . 2007-11-02 02:28 364544 ----a-w c:\windows\system32\hppldcoi.dll
     2009-05-01 01:23 . 2007-11-02 02:28 309760 ----a-w c:\windows\system32\difxapi.dll
     2009-05-01 01:23 . 2007-11-02 02:28 729088 ----a-w c:\windows\system32\hpowiax5.dll
     2009-05-01 01:23 . 2009-05-01 01:33 -------- dc----w c:\windows\system32\DRVSTORE
     2009-05-01 01:23 . 2004-08-04 03:01 25856 ----a-w c:\windows\system32\dllcache\usbprint.sys
     2009-05-01 01:23 . 2004-08-04 03:01 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
     2009-05-01 01:23 . 2004-08-04 03:08 31616 ----a-w c:\windows\system32\dllcache\usbccgp.sys
     2009-05-01 01:23 . 2004-08-04 03:08 31616 ----a-w c:\windows\system32\drivers\usbccgp.sys
     2009-05-01 01:22 . 2009-05-01 01:30 142919 ----a-w c:\windows\hpoins21.dat
     2009-05-01 01:22 . 2008-01-24 02:29 7262 ------w c:\windows\hpomdl21.dat
     2009-04-30 01:15 . 2009-04-30 01:15 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\OpenOffice.org
     2009-04-29 23:27 . 2009-04-29 23:27 -------- d-----w c:\program files\JRE
     2009-04-29 23:27 . 2009-04-29 23:27 -------- d-----w c:\program files\OpenOffice.org 3
     2009-04-29 00:04 . 2009-04-29 00:04 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\acccore
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\AOL OCP
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\AOL
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\program files\Viewpoint
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\documents and settings\All Users\Application Data\acccore
     2009-04-29 00:02 . 2009-04-29 00:03 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
     2009-04-29 00:01 . 2009-04-29 00:01 -------- d-----w c:\program files\Common Files\AOL
     2009-04-29 00:01 . 2009-04-29 00:02 -------- d-----w c:\program files\AIM6
     2009-04-28 23:54 . 2008-07-14 09:09 205560 ----a-w c:\windows\UNBOC.EXE
     2009-04-28 23:54 . 2008-07-14 09:09 212728 ----a-w c:\windows\CMDLIC.DLL
     2009-04-28 23:54 . 2009-04-29 18:48 -------- d-----w c:\documents and settings\All Users\Application Data\BOC427
     2009-04-28 23:54 . 2009-04-28 23:54 -------- d-----w c:\program files\Comodo
     2009-04-28 23:53 . 2009-04-28 23:53 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\Malwarebytes
     2009-04-28 23:52 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
     2009-04-28 23:52 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2009-04-28 23:52 . 2009-04-28 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-04-28 23:52 . 2009-04-28 23:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2009-04-28 23:52 . 2009-04-28 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
     2009-04-28 23:52 . 2009-04-28 23:52 -------- d-----w c:\program files\SUPERAntiSpyware
     2009-04-28 23:52 . 2009-04-28 23:52 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\SUPERAntiSpyware.com
     2009-04-28 23:52 . 2009-04-28 23:52 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
     2009-04-28 23:51 . 2009-04-28 23:51 -------- d-----w c:\program files\CCleaner
     2009-04-28 23:49 . 2009-04-28 23:49 -------- d-----w c:\windows\Sun
     2009-04-28 23:48 . 2009-04-28 23:49 -------- d-----w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\Adobe
     2009-04-28 23:19 . 2009-04-28 23:19 0 ----a-w c:\windows\nsreg.dat
     2009-04-28 23:19 . 2009-04-28 23:19 -------- d-----w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\Mozilla
     2009-04-28 23:16 . 2009-04-28 23:16 -------- d-s---w c:\documents and settings\Brandon Sherman\UserData
     2009-04-28 23:14 . 2009-04-28 23:14 -------- d-s---w c:\documents and settings\Brandon Sherman\History
     2009-04-28 23:14 . 2009-05-02 20:25 -------- d-s---w c:\documents and settings\Brandon Sherman\Temporary Internet Files
     2009-04-28 23:11 . 2009-04-28 15:07 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Intuit
     2009-04-28 23:11 . 2009-04-28 14:37 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Symantec
     2009-04-28 16:00 . 2006-03-16 03:00 185344 ----a-w c:\windows\system32\Thawbrkr.dll
     2009-04-28 16:00 . 2006-03-16 03:00 10752 ----a-w c:\windows\system32\c_iscii.dll
     2009-04-28 16:00 . 2006-03-16 03:00 5632 ----a-w c:\windows\system32\kbdusa.dll
     2009-04-28 16:00 . 2006-03-16 03:00 6144 ----a-w c:\windows\system32\ftlx041e.dll
     2009-04-28 15:37 . 2009-04-28 15:37 -------- d-----w c:\windows\CREATOR
     2009-04-28 15:19 . 2005-10-10 19:03 266240 ----a-w c:\windows\system32\ShellvRTF64.dll
     2009-04-28 15:19 . 2005-10-10 19:03 237568 ----a-w c:\windows\system32\ShellvRTF.dll
     2009-04-28 15:18 . 2009-04-28 15:19 -------- d-----w c:\program files\Common Files\LightScribe
     2009-04-28 15:18 . 2004-08-04 05:58 14848 ----a-w c:\windows\system32\dllcache\kbdhid.sys
     2009-04-28 15:18 . 2004-08-04 05:58 14848 ----a-w c:\windows\system32\drivers\kbdhid.sys
     2009-04-28 15:18 . 2005-09-19 21:24 5760 ----a-w c:\windows\system32\drivers\EabUsb.sys
     2009-04-28 15:18 . 2005-09-19 21:23 7808 ----a-w c:\windows\system32\drivers\eabfiltr.sys
     2009-04-28 15:18 . 2005-09-19 21:24 9344 ----a-w c:\windows\system32\drivers\CPQBttn.sys
     2009-04-28 15:18 . 2006-06-19 20:28 999424 ----a-w c:\windows\system32\BttnCmns.dll
     2009-04-28 15:18 . 2005-10-31 22:30 987136 ----a-w c:\windows\system32\BttnCmn.dll
     2009-04-28 15:16 . 2009-04-28 15:17 -------- d-----w c:\program files\HP Rhapsody
     2009-04-28 15:08 . 2009-04-28 15:08 -------- d-----w c:\windows\Downloaded Installations
     2009-04-28 15:08 . 2009-04-28 15:08 -------- d-----w C:\vongo
     2009-04-28 15:08 . 2005-12-07 23:38 1667072 ----a-w c:\windows\system32\cdintf250.dll
     2009-04-28 15:08 . 2009-04-28 15:08 -------- d-----w c:\program files\Common Files\Palo Alto Software
     2009-04-28 15:08 . 2009-04-28 15:08 -------- d-----w c:\program files\Common Files\Intuit
     2009-04-28 15:07 . 2009-04-28 15:08 -------- d-----w c:\program files\Quicken
     2009-04-28 15:07 . 2009-04-28 15:07 -------- d-----w c:\documents and settings\Administrator\Application Data\Intuit
     2009-04-28 15:07 . 2009-04-28 15:07 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
     2009-04-28 15:07 . 2009-04-28 15:07 -------- d-----w c:\program files\Quickensetup
     2009-04-28 15:07 . 2009-04-28 15:07 -------- d-----w c:\program files\Windows Media Connect 2
     2009-04-28 15:06 . 2009-04-28 15:06 -------- d-----w c:\program files\Microsoft Office Trial Wizard
     2009-04-28 15:06 . 2009-04-28 15:06 -------- d-----w c:\program files\DivX
     2009-04-28 15:06 . 2009-04-28 15:06 -------- d-----w c:\program files\muvee Technologies
     2009-04-28 15:06 . 2009-04-28 15:06 -------- d-----w c:\program files\Common Files\muvee Technologies
     2009-04-28 15:05 . 2009-04-28 15:05 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
     2009-04-28 15:05 . 2009-04-28 15:05 -------- d-----w c:\program files\NetWaiting
     2009-04-28 15:04 . 2009-04-28 15:04 -------- d-----w c:\program files\music_now
     2009-04-28 15:03 . 2005-08-18 20:33 45929 ----a-w c:\windows\NSSetDefaultBrowser.EXE
     2009-04-28 15:03 . 2009-04-28 15:03 -------- d-----w c:\program files\Netscape
     2009-04-28 15:03 . 2009-04-29 01:03 -------- d-----w c:\program files\Yahoo!
     2009-04-28 14:56 . 2009-04-28 15:01 -------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
     2009-04-28 14:56 . 2009-04-28 14:56 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Wildtangent
     2009-04-28 14:56 . 2009-04-28 14:56 -------- d-----w c:\windows\wt
     2009-04-28 14:56 . 2009-04-28 14:56 -------- d-----w c:\program files\WildTangent
     2009-04-28 14:56 . 2009-04-28 15:01 -------- d-----w c:\program files\HP Games
     2009-04-28 14:53 . 2009-04-28 14:53 -------- d-----w c:\program files\Common Files\Adobe
     2009-04-28 14:52 . 2009-04-28 14:52 -------- d-----w c:\documents and settings\All Users\Application Data\HP
     2009-04-28 14:52 . 2009-04-28 14:52 -------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
     2009-04-28 14:52 . 2006-07-19 22:14 44544 ----a-w c:\windows\system32\msxml4a.dll
     2009-04-28 14:51 . 2006-06-17 12:25 69721 ----a-w c:\windows\system32\SynTPFcs.dll
     2009-04-28 14:51 . 2006-06-17 12:30 81920 ----a-w c:\windows\system32\SynTPCo2.dll
     2009-04-28 14:51 . 2006-06-17 11:54 94297 ----a-w c:\windows\system32\SynTPAPI.dll
     2009-04-28 14:51 . 2006-06-17 11:40 193120 ----a-w c:\windows\system32\drivers\SynTP.sys
     2009-04-28 14:51 . 2006-06-17 11:54 114688 ----a-w c:\windows\system32\SynCtrl.dll
     2009-04-28 14:51 . 2006-06-17 11:53 82012 ----a-w c:\windows\system32\SynCOM.dll
     2009-04-28 14:51 . 2009-04-28 14:51 -------- d-----w c:\program files\Synaptics
     2009-04-28 14:50 . 2003-06-19 00:31 17920 ----a-w c:\windows\system32\mdimon.dll
     2009-04-28 14:48 . 2009-04-28 14:48 -------- d-----w c:\program files\Microsoft Works
     2009-04-28 14:47 . 2009-04-28 14:47 -------- d-----w c:\program files\Encarta Online
     2009-04-28 14:46 . 2009-04-28 14:46 -------- d-----w c:\program files\RGB
     2009-04-28 14:44 . 2009-04-29 00:47 -------- d-----w c:\program files\GemMaster
     2009-04-28 14:44 . 2009-04-28 14:44 -------- d-----w c:\program files\EnglishOtto
     2009-04-28 14:38 . 2002-10-15 18:13 32356 ----a-w c:\windows\system32\pusbfd1.sys
     2009-04-28 14:37 . 2009-04-28 23:14 -------- d---a-w c:\windows\system32\pcintro
     2009-04-28 14:37 . 2009-04-28 23:14 -------- d-----w C:\hp
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2009-05-02 20:25 . 2006-06-30 02:18 6 ---ha-w c:\windows\Tasks\SA.DAT
     2009-05-01 01:33 . 2009-05-01 01:32 -------- d-----w c:\program files\iTunes
     2009-05-01 01:33 . 2009-05-01 01:33 -------- d-----w c:\program files\iPod
     2009-05-01 01:32 . 2009-05-01 01:32 -------- d-----w c:\program files\Bonjour
     2009-05-01 01:32 . 2009-05-01 01:32 -------- d-----w c:\program files\QuickTime
     2009-05-01 01:31 . 2009-05-01 01:31 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job
     2009-05-01 01:31 . 2009-05-01 01:31 -------- d-----w c:\program files\Apple Software Update
     2009-05-01 01:31 . 2009-05-01 01:31 -------- d-----w c:\program files\Common Files\Apple
     2009-04-29 23:27 . 2009-04-28 13:16 -------- d-----w c:\program files\Java
     2009-04-29 01:06 . 2009-04-28 14:30 -------- d-----w c:\program files\Common Files\Symantec Shared
     2009-04-28 23:15 . 2009-04-28 23:12 138 ----a-w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\fusioncache.dat
     2009-04-28 23:13 . 2009-04-28 14:39 1706 --sha-r c:\windows\system32\drivers\103C_HP_NTBK_Presario V6000 (RG390UA#ABA)_YN_0Pres_QCNF6444P72_E419857002_46_I30BB_SQuanta_V66.21_BF.06_T061 026_WXP2_L409_M503_J100_7Intel_8Celeron M 430_91.73_#090428_N14E44311_(RG390UA#ABA)_XMOBILE_CN10_Z_2Rev 1.MRK
     2009-04-28 15:29 . 2009-04-28 23:12 51192 ----a-w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2009-04-28 15:29 . 2009-04-28 13:16 -------- d-----w c:\program files\Hewlett-Packard
     2009-04-28 15:19 . 2009-04-28 13:16 -------- d--h--w c:\program files\InstallShield Installation Information
     2009-04-28 15:18 . 2006-06-30 01:43 92447 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
     2009-04-28 15:01 . 2009-04-28 13:16 -------- d-----w c:\program files\HP
     2009-04-28 14:40 . 2009-04-28 13:16 -------- d-----w c:\program files\HPQ
     2009-04-28 14:39 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\InstallShield
     2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Windows Plus
     2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Sonic
     2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\microsoft frontpage
     2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\TiVo Shared
     2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\SureThing Shared
     2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\Sonic Shared
     2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\Java
     2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\HP
     2009-03-26 19:23 . 2009-05-01 01:31 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
     2009-03-26 19:23 . 2009-05-01 01:31 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
     .
     ((((((((((((((((((((((((((((( SnapShot@2009-05-02_15.31.31 )))))))))))))))))))))))))))))))))))))))))
     .
     - 2006-06-30 01:27 . 2009-05-02 15:22 56124 c:\windows\system32\perfc009.dat
     + 2006-06-30 01:27 . 2009-05-02 15:35 56124 c:\windows\system32\perfc009.dat
     - 2009-04-28 14:29 . 2009-05-02 15:30 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     + 2009-04-28 14:29 . 2009-05-02 20:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
     - 2009-04-28 14:29 . 2009-05-02 15:30 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     + 2009-04-28 14:29 . 2009-05-02 20:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
     - 2009-04-28 14:29 . 2009-05-02 15:30 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
     + 2009-04-28 14:29 . 2009-05-02 20:20 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
     + 2009-05-02 15:34 . 2009-05-02 15:34 16746 c:\windows\SoftwareDistribution\EventCache\{0483D4FD-3A1D-4A7D-A02B-E4D1F7674F64}.bin
     + 2006-06-30 01:27 . 2009-05-02 15:35 391638 c:\windows\system32\perfh009.dat
     - 2006-06-30 01:27 . 2009-05-02 15:22 391638 c:\windows\system32\perfh009.dat
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128]
     "Aim6"="c:\program files\AIM6\aim6.exe" [2009-04-27 49968]
     "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-05-01 321344]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
     "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
     "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713]
     "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400]
     "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
     "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
     "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
     "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
     "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840]
     "Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072]
     "BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480]
     "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
     "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
     "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952]

     c:\documents and settings\Brandon Sherman\Start Menu\Programs\Startup\
     OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
     HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728]

     [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
     "NoSetActiveDesktop"= 1 (0x1)
     "NoActiveDesktopChanges"= 1 (0x1)

     [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
     "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
     2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
     "c:\\Program Files\\AIM6\\aim6.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
     "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\iTunes\\iTunes.exe"=
     "c:\\Program Files\\DNA\\btdna.exe"=
     "c:\\Program Files\\BitTorrent\\bittorrent.exe"=

     S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968]
     S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944]
     S2 BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe [2008-07-14 73464]
     S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
     S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]

     [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
     HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
     HPService REG_MULTI_SZ HPSLPSVC
     .
     Contents of the 'Scheduled Tasks' folder

     2009-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job
     - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
     uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
     uInternet Settings,ProxyOverride = *.local
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
     FF - ProfilePath - c:\documents and settings\Brandon Sherman\Application Data\Mozilla\Firefox\Profiles\ajvbdxqv.default\
     FF - prefs.js: browser.search.selectedEngine - Ask
     FF - prefs.js: browser.startup.homepage - www.facebook.com
     FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q=
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
     FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
     FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
     .
     **************************************************************************

     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2009-05-02 16:26
     Windows 5.1.2600 Service Pack 2 NTFS

     scanning hidden processes ...

     scanning hidden autostart entries ...

     HKLM\Software\Microsoft\Windows\CurrentVersion\Run
     Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@?????X??????`?@?????L?@

     scanning hidden files ...

     scan completed successfully
     hidden files: 0

     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------

     - - - - - - - > 'winlogon.exe'(864)
     c:\program files\SUPERAntiSpyware\SASWINLO.dll

     - - - - - - - > 'explorer.exe'(3716)
     c:\windows\system32\shdoclc.dll
     c:\windows\system32\xpsp3res.dll
     c:\windows\system32\msi.dll
     .
     ------------------------ Other Running Processes ------------------------
     .
     c:\program files\OpenOffice.org 3\program\soffice.exe
     c:\program files\OpenOffice.org 3\program\soffice.bin
     c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
     c:\progra~1\COMMON~1\Apple\MOBILE~1\bin\APPLEM~3.EXE
     c:\progra~1\Comodo\CBOClean\BOCore.exe
     c:\progra~1\Bonjour\MDNSRE~1.EXE
     c:\windows\ehome\ehrecvr.exe
     c:\windows\ehome\ehSched.exe
     c:\progra~1\COMMON~1\LIGHTS~1\LSSrvc.exe
     c:\progra~1\HEWLET~1\Shared\hpqwmiex.exe
     c:\windows\ehome\mcrdsvc.exe
     c:\progra~1\iPod\bin\IPODSE~1.EXE
     c:\windows\system32\wscntfy.exe
     c:\windows\system32\dllhost.exe
     c:\windows\ehome\ehmsas.exe
     .
     **************************************************************************
     .
     Completion time: 2009-05-02 16:29 - machine was rebooted
     ComboFix-quarantined-files.txt 2009-05-02 20:29
     ComboFix2.txt 2009-05-02 15:34

     Pre-Run: 71,848,906,752 bytes free
     Post-Run: 71,726,538,752 bytes free

     325
  3. ComboFix 09-05-02.4 - Brandon Sherman 05/02/2009 11:27.1 - NTFSx86
     Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.502.280 [GMT -4:00]
     Running from: c:\documents and settings\Brandon Sherman\Desktop\ComboFix.exe
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
     c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
     c:\windows\system32\uniq.tll
     c:\windows\system32\vozutiso.dll
     D:\Autorun.inf

     ----- BITS: Possible infected sites -----

     hxxp://62.4.83.201

     Infected copy of c:\windows\system32\userinit.exe was found and disinfected
     Restored copy from - c:\windows\system32\init32.exe
     .
     ((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
     .
     2009-05-02 02:03 . 2009-05-02 02:03 -------- d-----w c:\program files\Trend Micro
     2009-05-01 01:35 . 2009-05-02 03:59 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\BitTorrent
     2009-05-01 01:35 . 2009-05-01 01:35 -------- d-----w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\DNA
     2009-05-01 01:35 . 2009-05-02 15:30 -------- d-----w c:\program files\DNA
     2009-05-01 01:35 . 2009-05-02 15:30 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\DNA
     2009-05-01 01:35 . 2009-05-01 01:35 -------- d-----w c:\program files\BitTorrent
     2009-05-01 01:35 . 2009-05-01 01:35 -------- d-----w c:\program files\AskSearch
     2009-05-01 01:33 . 2009-05-01 01:33 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\Apple Computer
     2009-05-01 01:33 . 2009-03-19 20:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
     2009-05-01 01:33 . 2008-04-17 16:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
     2009-05-01 01:30 . 2009-05-01 01:30 -------- d-----w c:\program files\Common Files\Hewlett-Packard
     2009-05-01 01:29 . 2009-05-01 01:29 -------- d-----w c:\documents and settings\All Users\Application Data\Hewlett-Packard
     2009-05-01 01:29 . 2007-03-15 19:32 118272 ----a-w c:\windows\system32\hpz3l5ha.dll
     2009-05-01 01:28 . 2001-08-17 17:53 6784 ----a-w c:\windows\system32\dllcache\serscan.sys
     2009-05-01 01:28 . 2001-08-17 17:53 6784 ----a-w c:\windows\system32\drivers\serscan.sys
     2009-05-01 01:23 . 2007-12-07 15:55 271704 ----a-w c:\windows\system32\hpzids01.dll
     2009-05-01 01:23 . 2007-11-02 02:28 970752 ----a-w c:\windows\system32\hpotiop5.dll
     2009-05-01 01:23 . 2007-11-02 02:28 303104 ----a-w c:\windows\system32\hpovst12.dll
     2009-05-01 01:23 . 2007-11-02 02:28 364544 ----a-w c:\windows\system32\hppldcoi.dll
     2009-05-01 01:23 . 2007-11-02 02:28 309760 ----a-w c:\windows\system32\difxapi.dll
     2009-05-01 01:23 . 2007-11-02 02:28 729088 ----a-w c:\windows\system32\hpowiax5.dll
     2009-05-01 01:23 . 2009-05-01 01:33 -------- dc----w c:\windows\system32\DRVSTORE
     2009-05-01 01:23 . 2004-08-04 03:01 25856 ----a-w c:\windows\system32\dllcache\usbprint.sys
     2009-05-01 01:23 . 2004-08-04 03:01 25856 ----a-w c:\windows\system32\drivers\usbprint.sys
     2009-05-01 01:23 . 2004-08-04 03:08 31616 ----a-w c:\windows\system32\dllcache\usbccgp.sys
     2009-05-01 01:23 . 2004-08-04 03:08 31616 ----a-w c:\windows\system32\drivers\usbccgp.sys
     2009-05-01 01:22 . 2009-05-01 01:30 142919 ----a-w c:\windows\hpoins21.dat
     2009-05-01 01:22 . 2008-01-24 02:29 7262 ------w c:\windows\hpomdl21.dat
     2009-04-30 01:15 . 2009-04-30 01:15 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\OpenOffice.org
     2009-04-29 23:27 . 2009-04-29 23:27 -------- d-----w c:\program files\JRE
     2009-04-29 23:27 . 2009-04-29 23:27 -------- d-----w c:\program files\OpenOffice.org 3
     2009-04-29 00:04 . 2009-04-29 00:04 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\acccore
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\AOL OCP
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\AOL
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\documents and settings\All Users\Application Data\Viewpoint
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\program files\Viewpoint
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\documents and settings\All Users\Application Data\acccore
     2009-04-29 00:02 . 2009-04-29 00:03 -------- d-----w c:\documents and settings\All Users\Application Data\AOL OCP
     2009-04-29 00:02 . 2009-04-29 00:02 -------- d-----w c:\documents and settings\All Users\Application Data\AOL
     2009-04-29 00:01 . 2009-04-29 00:01 -------- d-----w c:\program files\Common Files\AOL
     2009-04-29 00:01 . 2009-04-29 00:02 -------- d-----w c:\program files\AIM6
     2009-04-28 23:54 . 2008-07-14 09:09 205560 ----a-w c:\windows\UNBOC.EXE
     2009-04-28 23:54 . 2008-07-14 09:09 212728 ----a-w c:\windows\CMDLIC.DLL
     2009-04-28 23:54 . 2009-04-29 18:48 -------- d-----w c:\documents and settings\All Users\Application Data\BOC427
     2009-04-28 23:54 . 2009-04-28 23:54 -------- d-----w c:\program files\Comodo
     2009-04-28 23:53 . 2009-04-28 23:53 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\Malwarebytes
     2009-04-28 23:52 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
     2009-04-28 23:52 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
     2009-04-28 23:52 . 2009-04-28 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
     2009-04-28 23:52 . 2009-04-28 23:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
     2009-04-28 23:52 . 2009-04-28 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
     2009-04-28 23:52 . 2009-04-28 23:52 -------- d-----w c:\program files\SUPERAntiSpyware
     2009-04-28 23:52 . 2009-04-28 23:52 -------- d-----w c:\documents and settings\Brandon Sherman\Application Data\SUPERAntiSpyware.com
     2009-04-28 23:52 . 2009-04-28 23:52 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
     2009-04-28 23:51 . 2009-04-28 23:51 -------- d-----w c:\program files\CCleaner
     2009-04-28 23:49 . 2009-04-28 23:49 -------- d-----w c:\windows\Sun
     2009-04-28 23:48 . 2009-04-28 23:49 -------- d-----w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\Adobe
     2009-04-28 23:19 . 2009-04-28 23:19 0 ----a-w c:\windows\nsreg.dat
     2009-04-28 23:19 . 2009-04-28 23:19 -------- d-----w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\Mozilla
     2009-04-28 23:16 . 2009-04-28 23:16 -------- d-s---w c:\documents and settings\Brandon Sherman\UserData
     2009-04-28 23:14 . 2009-04-28 23:14 -------- d-s---w c:\documents and settings\Brandon Sherman\History
     2009-04-28 23:14 . 2009-05-02 15:30 -------- d-s---w c:\documents and settings\Brandon Sherman\Temporary Internet Files
     2009-04-28 23:11 . 2009-04-28 15:07 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Intuit
     2009-04-28 23:11 . 2009-04-28 14:37 -------- d-----w c:\windows\system32\config\systemprofile\Application Data\Symantec
     2009-04-28 16:00 . 2006-03-16 03:00 185344 ----a-w c:\windows\system32\Thawbrkr.dll
     2009-04-28 16:00 . 2006-03-16 03:00 10752 ----a-w c:\windows\system32\c_iscii.dll
     2009-04-28 16:00 . 2006-03-16 03:00 5632 ----a-w c:\windows\system32\kbdusa.dll
     2009-04-28 16:00 . 2006-03-16 03:00 6144 ----a-w c:\windows\system32\ftlx041e.dll
     2009-04-28 15:37 . 2009-04-28 15:37 -------- d-----w c:\windows\CREATOR
     2009-04-28 15:19 . 2005-10-10 19:03 266240 ----a-w c:\windows\system32\ShellvRTF64.dll
     2009-04-28 15:19 . 2005-10-10 19:03 237568 ----a-w c:\windows\system32\ShellvRTF.dll
     2009-04-28 15:18 . 2009-04-28 15:19 -------- d-----w c:\program files\Common Files\LightScribe
     2009-04-28 15:18 . 2004-08-04 05:58 14848 ----a-w c:\windows\system32\dllcache\kbdhid.sys
     2009-04-28 15:18 . 2004-08-04 05:58 14848 ----a-w c:\windows\system32\drivers\kbdhid.sys
     2009-04-28 15:18 . 2005-09-19 21:24 5760 ----a-w c:\windows\system32\drivers\EabUsb.sys
     2009-04-28 15:18 . 2005-09-19 21:23 7808 ----a-w c:\windows\system32\drivers\eabfiltr.sys
     2009-04-28 15:18 . 2005-09-19 21:24 9344 ----a-w c:\windows\system32\drivers\CPQBttn.sys
     2009-04-28 15:18 . 2006-06-19 20:28 999424 ----a-w c:\windows\system32\BttnCmns.dll
     2009-04-28 15:18 . 2005-10-31 22:30 987136 ----a-w c:\windows\system32\BttnCmn.dll
     2009-04-28 15:16 . 2009-04-28 15:17 -------- d-----w c:\program files\HP Rhapsody
     2009-04-28 15:08 . 2009-04-28 15:08 -------- d-----w c:\windows\Downloaded Installations
     2009-04-28 15:08 . 2009-04-28 15:08 -------- d-----w C:\vongo
     2009-04-28 15:08 . 2005-12-07 23:38 1667072 ----a-w c:\windows\system32\cdintf250.dll
     2009-04-28 15:08 . 2009-04-28 15:08 -------- d-----w c:\program files\Common Files\Palo Alto Software
     2009-04-28 15:08 . 2009-04-28 15:08 -------- d-----w c:\program files\Common Files\Intuit
     2009-04-28 15:07 . 2009-04-28 15:08 -------- d-----w c:\program files\Quicken
     2009-04-28 15:07 . 2009-04-28 15:07 -------- d-----w c:\documents and settings\Administrator\Application Data\Intuit
     2009-04-28 15:07 . 2009-04-28 15:07 -------- d-----w c:\documents and settings\All Users\Application Data\Intuit
     2009-04-28 15:07 . 2009-04-28 15:07 -------- d-----w c:\program files\Quickensetup
     2009-04-28 15:07 . 2009-04-28 15:07 -------- d-----w c:\program files\Windows Media Connect 2
     2009-04-28 15:06 . 2009-04-28 15:06 -------- d-----w c:\program files\Microsoft Office Trial Wizard
     2009-04-28 15:06 . 2009-04-28 15:06 -------- d-----w c:\program files\DivX
     2009-04-28 15:06 . 2009-04-28 15:06 -------- d-----w c:\program files\muvee Technologies
     2009-04-28 15:06 . 2009-04-28 15:06 -------- d-----w c:\program files\Common Files\muvee Technologies
     2009-04-28 15:05 . 2009-04-28 15:05 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\BVRP Software
     2009-04-28 15:05 . 2009-04-28 15:05 -------- d-----w c:\program files\NetWaiting
     2009-04-28 15:04 . 2009-04-28 15:04 -------- d-----w c:\program files\music_now
     2009-04-28 15:03 . 2005-08-18 20:33 45929 ----a-w c:\windows\NSSetDefaultBrowser.EXE
     2009-04-28 15:03 . 2009-04-28 15:03 -------- d-----w c:\program files\Netscape
     2009-04-28 15:03 . 2009-04-29 01:03 -------- d-----w c:\program files\Yahoo!
     2009-04-28 14:56 . 2009-04-28 15:01 -------- d-----w c:\documents and settings\All Users\Application Data\WildTangent
     2009-04-28 14:56 . 2009-04-28 14:56 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Wildtangent
     2009-04-28 14:56 . 2009-04-28 14:56 -------- d-----w c:\windows\wt
     2009-04-28 14:56 . 2009-04-28 14:56 -------- d-----w c:\program files\WildTangent
     2009-04-28 14:56 . 2009-04-28 15:01 -------- d-----w c:\program files\HP Games
     2009-04-28 14:53 . 2009-04-28 14:53 -------- d-----w c:\program files\Common Files\Adobe
     2009-04-28 14:52 . 2009-04-28 14:52 -------- d-----w c:\documents and settings\All Users\Application Data\HP
     2009-04-28 14:52 . 2009-04-28 14:52 -------- d-----w c:\documents and settings\All Users\Application Data\CyberLink
     2009-04-28 14:52 . 2006-07-19 22:14 44544 ----a-w c:\windows\system32\msxml4a.dll
     2009-04-28 14:51 . 2006-06-17 12:25 69721 ----a-w c:\windows\system32\SynTPFcs.dll
     2009-04-28 14:51 . 2006-06-17 12:30 81920 ----a-w c:\windows\system32\SynTPCo2.dll
     2009-04-28 14:51 . 2006-06-17 11:54 94297 ----a-w c:\windows\system32\SynTPAPI.dll
     2009-04-28 14:51 . 2006-06-17 11:40 193120 ----a-w c:\windows\system32\drivers\SynTP.sys
     2009-04-28 14:51 . 2006-06-17 11:54 114688 ----a-w c:\windows\system32\SynCtrl.dll
     2009-04-28 14:51 .
2006-06-17 11:53 82012 ----a-w c:\windows\system32\SynCOM.dll 2009-04-28 14:51 . 2009-04-28 14:51 -------- d-----w c:\program files\Synaptics 2009-04-28 14:50 . 2003-06-19 00:31 17920 ----a-w c:\windows\system32\mdimon.dll 2009-04-28 14:48 . 2009-04-28 14:48 -------- d-----w c:\program files\Microsoft Works 2009-04-28 14:47 . 2009-04-28 14:47 -------- d-----w c:\program files\Encarta Online 2009-04-28 14:46 . 2009-04-28 14:46 -------- d-----w c:\program files\RGB 2009-04-28 14:44 . 2009-04-29 00:47 -------- d-----w c:\program files\GemMaster 2009-04-28 14:44 . 2009-04-28 14:44 -------- d-----w c:\program files\EnglishOtto 2009-04-28 14:38 . 2002-10-15 18:13 32356 ----a-w c:\windows\system32\pusbfd1.sys 2009-04-28 14:37 . 2009-04-28 23:14 -------- d---a-w c:\windows\system32\pcintro 2009-04-28 14:37 . 2009-04-28 23:14 -------- d-----w C:\hp . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-05-02 15:30 . 2006-06-30 02:18 6 ---ha-w c:\windows\Tasks\SA.DAT 2009-05-01 01:33 . 2009-05-01 01:32 -------- d-----w c:\program files\iTunes 2009-05-01 01:33 . 2009-05-01 01:33 -------- d-----w c:\program files\iPod 2009-05-01 01:32 . 2009-05-01 01:32 -------- d-----w c:\program files\Bonjour 2009-05-01 01:32 . 2009-05-01 01:32 -------- d-----w c:\program files\QuickTime 2009-05-01 01:31 . 2009-05-01 01:31 284 ----a-w c:\windows\Tasks\AppleSoftwareUpdate.job 2009-05-01 01:31 . 2009-05-01 01:31 -------- d-----w c:\program files\Apple Software Update 2009-05-01 01:31 . 2009-05-01 01:31 -------- d-----w c:\program files\Common Files\Apple 2009-04-29 23:27 . 2009-04-28 13:16 -------- d-----w c:\program files\Java 2009-04-29 01:06 . 2009-04-28 14:30 -------- d-----w c:\program files\Common Files\Symantec Shared 2009-04-28 23:15 . 2009-04-28 23:12 138 ----a-w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\fusioncache.dat 2009-04-28 23:13 . 
2009-04-28 14:39 1706 --sha-r c:\windows\system32\drivers\103C_HP_NTBK_Presario V6000 (RG390UA#ABA)_YN_0Pres_QCNF6444P72_E419857002_46_I30BB_SQuanta_V66.21_BF.06_T061 026_WXP2_L409_M503_J100_7Intel_8Celeron M 430_91.73_#090428_N14E44311_(RG390UA#ABA)_XMOBILE_CN10_Z_2Rev 1.MRK 2009-04-28 15:29 . 2009-04-28 23:12 51192 ----a-w c:\documents and settings\Brandon Sherman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2009-04-28 15:29 . 2009-04-28 13:16 -------- d-----w c:\program files\Hewlett-Packard 2009-04-28 15:19 . 2009-04-28 13:16 -------- d--h--w c:\program files\InstallShield Installation Information 2009-04-28 15:18 . 2006-06-30 01:43 92447 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat 2009-04-28 15:01 . 2009-04-28 13:16 -------- d-----w c:\program files\HP 2009-04-28 14:40 . 2009-04-28 13:16 -------- d-----w c:\program files\HPQ 2009-04-28 14:39 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\InstallShield 2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Windows Plus 2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Sonic 2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\microsoft frontpage 2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\TiVo Shared 2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\SureThing Shared 2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\Sonic Shared 2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\Java 2009-04-28 13:16 . 2009-04-28 13:16 -------- d-----w c:\program files\Common Files\HP 2009-03-26 19:23 . 2009-05-01 01:31 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys 2009-03-26 19:23 . 2009-05-01 01:31 1900544 ----a-w c:\windows\system32\usbaaplrc.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . 
*Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-03-23 1830128] "Aim6"="c:\program files\AIM6\aim6.exe" [2009-04-27 49968] "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2009-05-01 321344] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512] "hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784] "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824] "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-06-17 794713] "QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2006-07-19 102400] "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920] "QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840] "Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960] "RecGuard"="c:\windows\SMINST\RecGuard.exe" [2005-10-11 1187840] "Reminder"="c:\windows\CREATOR\Remind_XP.exe" [2006-02-09 643072] "BOC-427"="c:\progra~1\Comodo\CBOClean\BOC427.exe" [2008-07-14 351480] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312] "High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - 
c:\windows\system32\CHDAudPropShortcut.exe [2006-06-02 61952] c:\documents and settings\Brandon Sherman\Start Menu\Programs\Startup\ OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696] HP Photosmart Premier Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-9-24 73728] [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer] "NoSetActiveDesktop"= 1 (0x1) "NoActiveDesktopChanges"= 1 (0x1) [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2008-12-22 16:05 356352 ----a-w c:\program files\SUPERAntiSpyware\SASWINLO.dll [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"= "c:\\Program Files\\AIM6\\aim6.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"= "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"= "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= R0 mpboyno;mpboyno; [x] S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2009-03-23 9968] S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2009-03-23 72944] S2 
BOCore;BOCore;c:\program files\Comodo\CBOClean\BOCORE.exe [2008-07-14 73464] S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC . Contents of the 'Scheduled Tasks' folder 2009-05-01 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34] . . ------- Supplementary Scan ------- . uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop uInternet Settings,ProxyOverride = *.local IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Brandon Sherman\Application Data\Mozilla\Firefox\Profiles\ajvbdxqv.default\ FF - prefs.js: browser.search.selectedEngine - Ask FF - prefs.js: browser.startup.homepage - www.facebook.com FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101757&gct=&gc=1&q= FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-05-02 11:31 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????X??????`?@?????L?@ scanning hidden files ... c:\windows\system32\drivers\ovfsthdlthqnghdhuvmenjwurwwfirvnpxuiyc.sys 83968 bytes executable c:\docume~1\BRANDO~1\LOCALS~1\Temp\ovfsthitqsbcjpec.tmp 107520 bytes executable c:\docume~1\BRANDO~1\LOCALS~1\Temp\ovfsthivteqvuexn.tmp 133632 bytes executable c:\docume~1\BRANDO~1\LOCALS~1\Temp\ovfsthqriyusprxv.tmp 343040 bytes executable c:\docume~1\BRANDO~1\LOCALS~1\Temp\ovfsthx000 0 bytes c:\windows\system32\ovfsthelxfmtvpuxiiqmttfipabajxwafwppxs.dat 43 bytes c:\windows\system32\ovfsthjamsjbtrhixwuoacqrswhdwmafahekdu.dll 18432 bytes executable c:\windows\system32\ovfsthlvjlkibcimfpteyqqclnjgyktnltywba.dll 18944 bytes executable c:\windows\system32\ovfsthpbavlbdssoehyiglkonwuffwqbimpvay.dll 60928 bytes executable c:\windows\system32\ovfsthqstdlrusieqqarjpvyrlkolgdxwnevmp.dat 75454 bytes scan completed successfully hidden files: 10 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(864) c:\program files\SUPERAntiSpyware\SASWINLO.dll - - - - - - - > 'explorer.exe'(280) c:\windows\system32\msls31.dll c:\windows\system32\shdoclc.dll c:\windows\system32\msimtf.dll c:\windows\system32\MSCTF.dll c:\windows\system32\xpsp3res.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\OpenOffice.org 3\program\soffice.exe c:\program files\OpenOffice.org 3\program\soffice.bin c:\program files\HP\Digital Imaging\bin\hpqimzone.exe c:\progra~1\COMMON~1\Apple\MOBILE~1\bin\APPLEM~3.EXE c:\progra~1\Comodo\CBOClean\BOCore.exe c:\progra~1\Bonjour\MDNSRE~1.EXE c:\windows\ehome\ehrecvr.exe c:\windows\ehome\ehSched.exe c:\progra~1\COMMON~1\LIGHTS~1\LSSrvc.exe c:\progra~1\HEWLET~1\Shared\hpqwmiex.exe c:\windows\ehome\mcrdsvc.exe c:\progra~1\iPod\bin\IPODSE~1.EXE c:\windows\system32\wscntfy.exe c:\windows\system32\dllhost.exe c:\windows\ehome\ehmsas.exe . ************************************************************************** . Completion time: 2009-05-02 11:34 - machine was rebooted ComboFix-quarantined-files.txt 2009-05-02 15:34 Pre-Run: 71,642,030,080 bytes free Post-Run: 71,845,326,848 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect 324
  4. I've run the same scan like 9 times, and each time it's failed to fix my infected UserInit file. It's left over from a massive infection I had (Vundo, numerous worms, etc.), and I don't want to mess with such an important file. Here's my log from my initial scan, followed by my newest log, and my HijackThis log:

Malwarebytes' Anti-Malware 1.36
Database version: 2056
Windows 5.1.2600 Service Pack 2

4/29/2009 3:34:46 PM
mbam-log-2009-04-29 (15-34-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 144307
Time elapsed: 21 minute(s), 34 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 7
Registry Keys Infected: 12
Registry Values Infected: 20
Registry Data Items Infected: 14
Folders Infected: 1
Files Infected: 45

Memory Processes Infected:
C:\Documents and Settings\Brandon Sherman\Application Data\pidle\pidle.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\1485151673.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\kekiyala.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\bamezafu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nukinihe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\sohafafe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yhs783ijfo3fe.dll (Roorkit.Agent) -> Delete on reboot.
C:\WINDOWS\temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5b930be3-1f5d-4638-90d6-d1da60aa4511} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b930be3-1f5d-4638-90d6-d1da60aa4511} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5b930be3-1f5d-4638-90d6-d1da60aa4511} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Roorkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Roorkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7e0b9c4f-caf8-4c67-9a0a-b84269035794} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7e0b9c4f-caf8-4c67-9a0a-b84269035794} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
KHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baluvipike (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmff24bac1 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pidle (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows resurections (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kekiyala.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kekiyala.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bamezafu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Brandon Sherman\Application Data\pidle (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nukinihe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\bamezafu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sohafafe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yhs783ijfo3fe.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\kekiyala.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Brandon Sherman\Application Data\pidle\pidle.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\1485151673.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\sx88zuh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\2023745423.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\2427413508.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\4054617515.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\merawxsocn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\rasesnet.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0000187.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\at.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\talogevi.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\4013836265.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\4014773765.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\4035867515.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\4101023765.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\arag4qgfgdf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\msb.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\mousehook.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\mousehook.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\muyasera.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisepale.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
Malwarebytes' Anti-Malware 1.36
Database version: 2066
Windows 5.1.2600 Service Pack 2

5/1/2009 9:14:54 PM
mbam-log-2009-05-01 (21-14-54).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 154019
Time elapsed: 41 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:42 PM, on 5/1/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...o&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: DefaultSearchHook Class - {C94E154B-1459-4A47-966B-4B843BEFC7DB} - C:\Program Files\AskSearch\bin\DefaultSearch.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iSUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [Reminder] C:\Windows\CREATOR\Remind_XP.exe
O4 - HKLM\..\Run: [bOC-427] C:\PROGRA~1\Comodo\CBOClean\BOC427.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [bitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - S-1-5-18 Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=presario&pf=laptop
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8222 bytes
  5. I've run the same scan like 9 times, and each time it's failed to fix my infected UserInit file. It's left over from a massive Vundo infection I had, and I don't want to mess with such an important file. Here's my log from my initial scan:

Malwarebytes' Anti-Malware 1.36
Database version: 2056
Windows 5.1.2600 Service Pack 2

4/29/2009 3:34:46 PM
mbam-log-2009-04-29 (15-34-46).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 144307
Time elapsed: 21 minute(s), 34 second(s)

Memory Processes Infected: 3
Memory Modules Infected: 7
Registry Keys Infected: 12
Registry Values Infected: 20
Registry Data Items Infected: 14
Folders Infected: 1
Files Infected: 45

Memory Processes Infected:
C:\Documents and Settings\Brandon Sherman\Application Data\pidle\pidle.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\1485151673.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\kekiyala.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\bamezafu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nukinihe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\WINDOWS\system32\sohafafe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yhs783ijfo3fe.dll (Roorkit.Agent) -> Delete on reboot.
C:\WINDOWS\temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5b930be3-1f5d-4638-90d6-d1da60aa4511} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5b930be3-1f5d-4638-90d6-d1da60aa4511} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{5b930be3-1f5d-4638-90d6-d1da60aa4511} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Roorkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Roorkit.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7e0b9c4f-caf8-4c67-9a0a-b84269035794} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{7e0b9c4f-caf8-4c67-9a0a-b84269035794} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\baluvipike (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpmff24bac1 (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{b2ba40a2-74f0-42bd-f434-12345a2c8953} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pidle (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prnet (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windows resurections (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\diagnostic manager (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kekiyala.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\kekiyala.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\bamezafu.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Brandon Sherman\Application Data\pidle (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\nukinihe.dll (Trojan.Vundo.H) -> Delete on reboot.
c:\WINDOWS\system32\bamezafu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\sohafafe.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yhs783ijfo3fe.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\kekiyala.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\Brandon Sherman\Application Data\pidle\pidle.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\1485151673.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prnet.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\sx88zuh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\2023745423.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\2427413508.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\4054617515.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\merawxsocn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\rasesnet.tmp (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{3A579F61-82CF-4117-919A-DB7B394CD5BC}\RP1\A0000187.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ak1.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\at.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\talogevi.exe (Trojan.Vundo.V) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\4013836265.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\4014773765.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\4035867515.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\4101023765.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\arag4qgfgdf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\msb.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\mousehook.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\mousehook.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\p2hhr.bat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\muyasera.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\temp\ntdll64.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Brandon Sherman\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisepale.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
And here's my most recent scan from about 20 minutes ago:

Malwarebytes' Anti-Malware 1.36
Database version: 2062
Windows 5.1.2600 Service Pack 2

4/30/2009 6:22:02 PM
mbam-log-2009-04-30 (18-22-02).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 148350
Time elapsed: 15 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.