Posts posted by MattM22

  1. Ok, back to it! Ran MBAM today and found a new certstore.dat file. I have uploaded it to the link you indicated a couple posts up. Here is the MBAM log from today's run:

    Malwarebytes' Anti-Malware 1.41

    Database version: 2925

    Windows 6.0.6002 Service Pack 2

    10/9/2009 2:47:23 PM

    mbam-log-2009-10-09 (14-47-23).txt

    Scan type: Quick Scan

    Objects scanned: 94471

    Time elapsed: 4 minute(s), 11 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 1

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

    I'm still getting those windows pop up dialogs about services being shut down. I also get a pop up dialog with no body AT ALL, just the title bar. That's kinda weird.

  2. I'm still getting the certstore.dat trojan when I run MBAM. Here's a log from the recent run, which includes most recent updates:

    Malwarebytes' Anti-Malware 1.41

    Database version: 2925

    Windows 6.0.6002 Service Pack 2

    10/8/2009 9:08:21 AM

    mbam-log-2009-10-08 (09-08-21).txt

    Scan type: Quick Scan

    Objects scanned: 94016

    Time elapsed: 3 minute(s), 24 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 1

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

  3. All going well so far. Combofix removed, and Kaspersky scan complete. Here is the log:

    --------------------------------------------------------------------------------

    KASPERSKY ONLINE SCANNER 7.0: scan report

    Thursday, October 8, 2009

    Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 2 (build 6002)

    Kaspersky Online Scanner version: 7.0.26.13

    Last database update: Wednesday, October 07, 2009 23:18:54

    Records in database: 2931287

    --------------------------------------------------------------------------------

    Scan settings:

    scan using the following database: extended

    Scan archives: yes

    Scan e-mail databases: yes

    Scan area - My Computer:

    C:\

    D:\

    E:\

    H:\

    I:\

    J:\

    K:\

    Scan statistics:

    Objects scanned: 327251

    Threats found: 0

    Infected objects found: 0

    Suspicious objects found: 0

    Scan duration: 03:01:30

    No threats found. Scanned area is clean.

    Selected area has been scanned.

  4. I ran the script as instructed.

    When I went to upload the file you requested, I did not find it in the directory you specified. There were four items in that directory:

    C

    Registry_backups

    catchme.log

    catchme.txt

    The first two are folders. If there is somewhere else I should be browsing for that file, please advise. There is a file in the qoobox directory named "CFScript_used_2009-10-07_13.29.04.txt", which is similar to what you were looking for. Is that the one??

    Here is the combofix log after the script execution:

    ComboFix 09-10-06.04 - Matt Munson 10/07/2009 13:29.3.4 - NTFSx86

    Microsoft

  5. Hi,

    This could indeed be damage by the malware you were dealing with previously. After all, your pc was severely infected, so with a manual cleanup on such severely infected pc, it's always possible that errors may still appear. Fixing this isn't always easy since it will be searching for a needle in a haystack. After all, malware damages a lot.

    Please see here: http://www.online-tech-tips.com/computer-t...topped-working/

    Let me know what EXACT errors are displayed there (matching the latest date of course)

    I followed the link you provided, and went through the steps described to open my event log. There were a few errors that occurred right around the time the "Host process for windows services stopped working and was closed" dialog was issued. Here are the messages from those errors:

    Error 10/7/2009 12:37:48 PM Application Error 1000 (100)

    Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0xe8c, application start time 0x01ca476c8065c47e.

    Error 10/7/2009 12:33:06 PM Application Error 1000 (100)

    Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0x14c4, application start time 0x01ca476bd86ab73e.

    Error 10/7/2009 12:31:12 PM Application Error 1000 (100)

    Faulting application svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, faulting module svchost.exe, version 6.0.6001.18000, time stamp 0x4a481bab, exception code 0xc0000005, fault offset 0x000019f8, process id 0x17ec, application start time 0x01ca476b945cc79e.

    I also got a weird warning right after login:

    Information 10/7/2009 12:31:09 PM Winlogon 1002 None

    The shell stopped unexpectedly and Explorer.exe was restarted.

    Please let me know what you think.

  6. Also, did malwarebytes reboot afterwards? Because your Windows defender may interfere here with the cleanup script.

    Can you navigate to the file C:\Windows\System32\certstore.dat and delete it manually? Is it getting recreated again?

    Malware did reboot after the scan.

    The certstore.dat file was created again.

    I was able to navigate to it and delete it manually.

    I did not see any instructions for disabling Windows Defender prior to running MBAM. If that is something you think I should do, please point me to directions on disabling.

    I am almost prepared for a full reinstall if necessary. My system is quasi-stable as is, and I'm backing up personal data. So no matter what happens, I am already extremely grateful for your assistance so far. Ideally, I would be able to recover the system, but if that is off the table, I will survive :)

  7. Miekiemoes, working on responding to your last two posts. Will get back to you on those shortly. Prior to reading those, I downloaded today's update for MBAM and re-ran it, finding one more certstore.dat trojan. Here is the log...

    Malwarebytes' Anti-Malware 1.41

    Database version: 2917

    Windows 6.0.6002 Service Pack 2

    10/7/2009 9:25:22 AM

    mbam-log-2009-10-07 (09-25-22).txt

    Scan type: Quick Scan

    Objects scanned: 93122

    Time elapsed: 2 minute(s), 26 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 1

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

  8. Ok, JUST got one. It says "Host process for windows services stopped working and was closed. A problem caused the application to stop working correctly. Windows will notify you if a solution is available".

    I NEVER got those prior to infection, now I get them all the time. Not sure if this is caused by some damage a virus may have done, or if it's the OS responding to a virus. Or some third thing.

  9. Ok, new log with MBAM updates downloaded directly from the tool:

    Malwarebytes' Anti-Malware 1.41

    Database version: 2916

    Windows 6.0.6002 Service Pack 2

    10/6/2009 5:40:45 PM

    mbam-log-2009-10-06 (17-40-45).txt

    Scan type: Quick Scan

    Objects scanned: 92967

    Time elapsed: 3 minute(s), 27 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 1

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

  10. The infected PC is not connected to the internet, so I downloaded the MBAM update from this URL

    http://www.malwarebytes.org/mbam/database/mbam-rules.exe

    and installed it. Here is the log from the run:

    Malwarebytes' Anti-Malware 1.41

    Database version: 2896

    Windows 6.0.6002 Service Pack 2

    10/6/2009 12:35:59 PM

    mbam-log-2009-10-06 (12-35-59).txt

    Scan type: Quick Scan

    Objects scanned: 92338

    Time elapsed: 3 minute(s), 27 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 1

    Registry Values Infected: 1

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 2

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mdtdisk (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mBt (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\Windows\System32\mdtdisk.sys (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    C:\Windows\System32\lsm32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

    Still bad stuff showing up! That PC has been disconnected from the internet for days now, by the way.

    Here is the hijack this log I ran immediately after the MBAM restart:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 12:39:10 PM, on 10/6/2009

    Platform: Windows Vista SP2 (WinNT 6.00.1906)

    MSIE: Internet Explorer v8.00 (8.00.6001.18813)

    Boot mode: Normal

    Running processes:

    C:\Windows\system32\Dwm.exe

    C:\Windows\system32\taskeng.exe

    C:\Windows\Explorer.EXE

    C:\hp\support\hpsysdrv.exe

    C:\hp\KBD\KbdStub.exe

    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    C:\Windows\RtHDVCpl.exe

    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    C:\Windows\system32\schtasks.exe

    C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe

    C:\Program Files\Portrait Displays\HP My Display\dthtml.exe

    C:\Windows\system32\jusched.exe

    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

    C:\Program Files\Portrait Displays\Pivot Software\floater.exe

    C:\Program Files\Alwil Software\Avast4\ashDisp.exe

    C:\Windows\System32\rundll32.exe

    C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe

    C:\Windows\System32\rundll32.exe

    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Roxio\Media Experience\DMXLauncher.exe

    C:\Windows\ehome\ehtray.exe

    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    C:\Windows\ehome\ehmsas.exe

    C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe

    C:\Windows\System32\mobsync.exe

    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

    C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe

    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE

    O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

    O4 - HKLM\..\Run: [sunJavaUpdateReg] "C:\Windows\system32\jureg.exe"

    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"

    O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder

    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

    O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch

    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"

    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

    O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe

    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O4 - Global Startup: MotionSD STUDIO - SD Browser auto start -.lnk = C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe

    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

    O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/ac...veX_Control.cab

    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://webvpn.jpmorganchase.com/dana-cache...SetupClient.cab

    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\System32\bgsvcgen.exe

    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe

    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

    O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE

    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

    O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe

    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe

    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --

    End of file - 10775 bytes

    Thanks again for all of the assistance.

  11. Greetings all. First time poster, and sorry that it is not under better circumstances.

    I was infected a few days ago with a nasty virus that brought my computer to its knees, but with the help of malwarebytes, I am back to a point where I have been able to back up all of my files.

    HOWEVER, I keep running Malwarebytes just to be sure that the system is clean, and almost every time, it finds a new virus or trojan horse. I instruct mwb to remove it, which it does, but a few hours later, something new shows up. My infected machine has been disconnected from the network for days.

    Here is the first MWB log from my very first scan:

    Malwarebytes' Anti-Malware 1.41

    Database version: 2775

    Windows 6.0.6001 Service Pack 1 (Safe Mode)

    9/27/2009 4:20:30 PM

    mbam-log-2009-09-27 (16-20-30).txt

    Scan type: Quick Scan

    Objects scanned: 85425

    Time elapsed: 3 minute(s), 27 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 7

    Registry Values Infected: 14

    Registry Data Items Infected: 3

    Folders Infected: 1

    Files Infected: 11

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    HKEY_CLASSES_ROOT\CLSID\{59006ffb-69cc-4263-b2da-d7a545faa510} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\btwsrv (Trojan.Agent) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sofatnet (Backdoor.Bot) -> Quarantined and deleted successfully.

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hazelemus (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\19181894 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{59006ffb-69cc-4263-b2da-d7a545faa510} (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\norafilav (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Data Items Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\meridewa.dll -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\meridewa.dll -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:

    C:\ProgramData\19181894 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

    Files Infected:

    c:\Windows\System32\meridewa.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    C:\ProgramData\19181894\19181894 (Rogue.Multiple.H) -> Quarantined and deleted successfully.

    C:\ProgramData\19181894\19181894.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.

    C:\ProgramData\19181894\pc19181894ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.

    C:\Windows\System32\BtwSrv.dll (Trojan.Agent) -> Quarantined and deleted successfully.

    C:\Windows\System32\sofatnet.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Windows\System32\wiwow64.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Windows\System32\wmdtc.exe (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

    C:\Windows\System32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.

    C:\Windows\System32\nabukeyu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

    Here is the log from a scan I did tonight:

    Malwarebytes' Anti-Malware 1.41

    Database version: 2867

    Windows 6.0.6002 Service Pack 2

    10/1/2009 2:12:46 AM

    mbam-log-2009-10-01 (02-12-46).txt

    Scan type: Quick Scan

    Objects scanned: 90375

    Time elapsed: 3 minute(s), 20 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 1

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\Windows\System32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.

    Here is my hijack this log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 2:32:45 AM, on 10/1/2009

    Platform: Windows Vista SP2 (WinNT 6.00.1906)

    MSIE: Internet Explorer v8.00 (8.00.6001.18813)

    Boot mode: Normal

    Running processes:

    C:\Windows\system32\Dwm.exe

    C:\Windows\system32\taskeng.exe

    C:\Windows\Explorer.EXE

    C:\hp\support\hpsysdrv.exe

    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    C:\Windows\RtHDVCpl.exe

    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

    C:\Program Files\Portrait Displays\Pivot Software\wpCtrl.exe

    C:\Program Files\Portrait Displays\HP My Display\dthtml.exe

    C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

    C:\Windows\system32\schtasks.exe

    C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

    C:\Program Files\Alwil Software\Avast4\ashDisp.exe

    C:\Windows\System32\rundll32.exe

    C:\Program Files\iTunes\iTunesHelper.exe

    C:\Program Files\Roxio\Media Experience\DMXLauncher.exe

    C:\Windows\ehome\ehtray.exe

    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe

    C:\Windows\system32\jusched.exe

    C:\Windows\ehome\ehmsas.exe

    C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe

    C:\Windows\System32\rundll32.exe

    C:\Program Files\Portrait Displays\Pivot Software\floater.exe

    C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

    C:\hp\kbd\kbd.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    O1 - Hosts: ::1 localhost

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)

    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll

    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

    O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe

    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KbdStub.EXE

    O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

    O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

    O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

    O4 - HKLM\..\Run: [sunJavaUpdateReg] "C:\Windows\system32\jureg.exe"

    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

    O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"

    O4 - HKLM\..\Run: [DT HPW] C:\Program Files\Portrait Displays\HP My Display\DTHtml.exe -startup_folder

    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"

    O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch

    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart

    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup

    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

    O4 - HKLM\..\Run: [DMXLauncher] "C:\Program Files\Roxio\Media Experience\DMXLauncher.exe"

    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe

    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden

    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

    O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

    O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')

    O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\Windows\system32\rundll32.exe C:\Windows\TEMP\492534xxx.dll,DllMain (User 'SYSTEM')

    O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\Windows\system32\rundll32.exe C:\Windows\TEMP\492534xxx.dll,DllMain (User 'Default user')

    O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe

    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    O4 - Global Startup: MotionSD STUDIO - SD Browser auto start -.lnk = C:\Program Files\Panasonic\MotionSD STUDIO\SD_Browser\AutoLauncher.exe

    O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

    O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

    O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    O13 - Gopher Prefix:

    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

    O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/ac...veX_Control.cab

    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

    O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://webvpn.jpmorganchase.com/dana-cache...SetupClient.cab

    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

    O20 - AppInit_DLLs: hojayefe.dll

    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

    O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\Windows\System32\bgsvcgen.exe

    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

    O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe

    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

    O23 - Service: HauppaugeTVServer - Hauppauge Computer Works - C:\PROGRA~1\WinTV\HCWTVS~1.EXE

    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

    O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe

    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe

    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --

    End of file - 11744 bytes

    Any advice would be greatly appreciated! Thanks!
