John26

Everything posted by John26

  1. Hi, sorry it's been so long for me to respond, but I've been away for Easter hols and didn't have good internet access for the 2hr ESET scan. These are the 7 files it deleted after the scan:

     C:\Qoobox\Quarantine\C\WINDOWS\uholekoconisi.dll.vir a variant of Win32/Cimag.BQ trojan cleaned by deleting - quarantined
     C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Win32/TrojanDownloader.FakeAlert.AAB trojan cleaned by deleting - quarantined
     C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP92\A0022213.exe probably a variant of Win32/Agent trojan deleted - quarantined
     C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP92\A0022250.exe Win32/TrojanDownloader.FakeAlert.AAB trojan cleaned by deleting - quarantined
     C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP92\A0022264.dll a variant of Win32/Cimag.BQ trojan cleaned by deleting - quarantined
     C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP96\A0023421.dll probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
     C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP96\A0023422.exe probably a variant of Win32/Agent trojan deleted - quarantined

     Thank you for all your help
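As an added example (not code from the original post, and not ESET's or the forum's own tooling), here is a small Python parser for ESET result lines like the seven above. It recovers path, threat name and action from the flattened text, then works out where each file actually sat: the two `.vir` entries are copies that ComboFix had already moved into C:\Qoobox\Quarantine (so the live locations had been C:\WINDOWS\uholekoconisi.dll and C:\WINDOWS\system32\userinit.exe), and the other five are System Restore copies inside restore points RP92 and RP96. The sample text is copied from the post; the location rules and the field names are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample: the seven ESET result lines quoted in the post above,
# one detection per line. ESET's own log separates path, threat name and
# action with tabs; the forum post flattened those to spaces, so the parser
# below recovers the fields from the text instead.
ESET_RESULTS = r"""
C:\Qoobox\Quarantine\C\WINDOWS\uholekoconisi.dll.vir a variant of Win32/Cimag.BQ trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Win32/TrojanDownloader.FakeAlert.AAB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP92\A0022213.exe probably a variant of Win32/Agent trojan deleted - quarantined
C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP92\A0022250.exe Win32/TrojanDownloader.FakeAlert.AAB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP92\A0022264.dll a variant of Win32/Cimag.BQ trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP96\A0023421.dll probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP96\A0023422.exe probably a variant of Win32/Agent trojan deleted - quarantined
"""

# path, then "[probably] [a variant of] Family/Name kind", then ESET's action text
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?"
    r"(?P<name>[A-Za-z0-9]+/[A-Za-z0-9.]+) (?:trojan|worm|virus|adware|application))\s+"
    r"(?P<action>.+?)\s*$"
)
# System Restore keeps its copies under _restore{GUID}\RPnn\Annnnnnnn.ext
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\", re.I
)
# ComboFix moves what it removes to C:\Qoobox\Quarantine\<drive>\<original path>.vir
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


def locate(path):
    """Return (location, detail): where the detected file actually sat."""
    m = RESTORE_RE.match(path)
    if m:
        return "restore_point", m.group(1)
    if path.lower().startswith(QUARANTINE_PREFIX):
        drive, _, tail = path[len(QUARANTINE_PREFIX):].partition("\\")
        original = f"{drive}:\\{tail}"
        if original.lower().endswith(".vir"):
            original = original[:-4]
        return "combofix_quarantine", original
    return "live", path


def parse_eset_results(text):
    """One dict per result line; raises on a line the pattern does not understand."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET result line: {line}")
        location, detail = locate(m["path"])
        results.append({
            "path": m["path"], "name": m["name"], "detection": m["detection"],
            "action": m["action"], "location": location,
            "restore_point": detail if location == "restore_point" else None,
            "original_path": detail if location == "combofix_quarantine" else m["path"],
        })
    return results


def summarize(results):
    """Counts that answer: is anything still live, and which restore points hold copies?"""
    return {
        "total": len(results),
        "by_location": Counter(r["location"] for r in results),
        "restore_points": sorted({r["restore_point"] for r in results if r["restore_point"]}),
        "names": Counter(r["name"] for r in results),
    }


if __name__ == "__main__":
    report = summarize(parse_eset_results(ESET_RESULTS))
    for field, value in report.items():
        print(f"{field}: {dict(value) if isinstance(value, Counter) else value}")
```

On this input the summary shows no detection on the live file system: two hits are ComboFix's quarantine copies and five are restore-point copies. The restore-point list is the practical part, because those copies come back if the machine is ever rolled back to RP92 or RP96, which is why cleanup walkthroughs end by flushing old restore points.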
  2. Wow, had no idea malware can create really hidden stuff that has no effect on the system but is essentially an infection fast track. Thanks, I've seen quite a few online virus scans but didn't really trust them. I saw VirusTotal mentioned on a forum, sent my userinit.exe file and it found 5/42. I'll definitely give this recommended one a look. Followed the steps; here is the ComboFix log:

     ComboFix 10-03-29.04 - John Murphy 02/04/2010 15:40:03.6.2 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.561 [GMT 1:00]
     Running from: c:\documents and settings\John Murphy\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\John Murphy\Desktop\CFScript.txt
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\program files\Internet Explorer\SET5B.tmp
     c:\program files\Internet Explorer\SET5C.tmp
     .
     ((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))
     .
     2010-04-02 14:02 . 2010-04-02 14:02 -------- d-----w- c:\windows\LastGood
     2010-03-27 00:11 . 2010-03-27 00:11 -------- d-----w- c:\program files\Trend Micro
     2010-03-26 16:38 . 2010-03-26 16:38 -------- d-----w- c:\windows\system32\wbem\Repository
     2010-03-16 21:58 . 2004-08-04 04:00 24576 ----a-w- c:\windows\system32\stu2.exe
     2010-03-09 15:27 . 2010-03-09 15:27 -------- d-sh--w- c:\documents and settings\John Murphy\IECompatCache
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-04-02 14:47 . 2008-11-21 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
     2010-03-30 20:57 . 2009-11-10 04:51 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Any Video Converter
     2010-03-30 18:52 . 2009-05-29 21:25 12 ----a-w- c:\windows\bthservsdp.dat
     2010-03-29 22:13 . 2007-08-16 16:28 230432 ----a-w- C:\StiImg.dat
     2010-03-26 23:39 . 2007-08-07 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
     2010-03-26 18:22 . 2009-05-25 23:04 -------- d-----w- c:\program files\CCleaner
     2010-03-26 16:21 . 2010-03-26 16:30 214978 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
     2010-03-26 02:50 . 2007-08-07 16:54 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Skype
     2010-03-01 19:15 . 2009-06-22 18:21 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
     2010-03-01 19:15 . 2009-06-22 18:21 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
     2010-03-01 19:15 . 2009-06-22 18:21 173408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
     2010-03-01 19:15 . 2009-06-01 18:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
     2010-03-01 19:15 . 2009-05-05 18:33 15688 ----a-w- c:\windows\system32\lsdelete.exe
     2010-03-01 19:15 . 2009-06-22 18:20 350544 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
     2010-03-01 19:15 . 2009-06-22 18:20 303456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
     2010-03-01 19:15 . 2009-06-27 16:26 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
     2010-03-01 19:15 . 2009-06-01 18:14 89952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
     2010-03-01 19:14 . 2009-06-01 18:14 254832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
     2010-03-01 19:14 . 2009-06-01 18:14 45408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
     2010-03-01 19:14 . 2009-06-22 18:19 671592 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
     2010-03-01 19:14 . 2009-09-28 18:13 3701760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
     2010-03-01 19:14 . 2009-06-22 18:18 566648 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
     2010-03-01 19:14 . 2009-06-22 18:17 567144 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
     2010-03-01 19:13 . 2009-06-22 18:17 2357064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
     2010-03-01 19:13 . 2009-06-22 18:15 524632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
     2010-03-01 19:13 . 2009-06-22 18:15 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
     2010-02-25 10:54 . 2010-02-25 10:54 11070976 ----a-w- c:\windows\system32\SET58.tmp
     2010-02-25 06:24 . 2010-03-31 03:22 916480 ------w- c:\windows\system32\SET4D.tmp
     2010-02-25 06:24 . 2010-03-31 03:22 1209344 ----a-w- c:\windows\system32\SET4E.tmp
     2010-02-25 06:24 . 2010-03-31 03:22 5944832 ------w- c:\windows\system32\SET51.tmp
     2010-02-25 06:24 . 2010-03-31 03:22 594432 ----a-w- c:\windows\system32\SET53.tmp
     2010-02-25 06:24 . 2010-03-31 03:22 55296 ----a-w- c:\windows\system32\SET52.tmp
     2010-02-25 06:24 . 2010-03-31 03:22 184320 ----a-w- c:\windows\system32\SET57.tmp
     2010-02-25 06:24 . 2010-03-31 03:22 1985536 ----a-w- c:\windows\system32\SET56.tmp
     2010-02-20 11:57 . 2010-02-20 11:57 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat
     2010-02-19 03:13 . 2010-02-19 03:13 16 ----a-w- c:\documents and settings\LocalService\Application Data\cqfyto.dat
     2010-02-13 16:39 . 2010-02-13 16:39 50354 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\uninstall.exe
     2010-02-13 16:39 . 2010-02-13 16:39 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Facebook
     2010-02-12 10:03 . 2010-02-25 15:44 293376 ------w- c:\windows\system32\browserchoice.exe
     2010-02-10 21:00 . 2006-09-22 15:43 49664 ----a-w- c:\documents and settings\John Murphy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth2.dll
     2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth1.dll
     2010-02-10 19:15 . 2010-02-10 19:15 16 ---h--w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\e563io5.dll
     2010-02-10 19:15 . 2010-02-10 19:14 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth2.dll
     2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
     2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\Common Files\SPSS
     2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\SPSSInc
     2010-02-10 19:06 . 2010-02-10 19:06 1025 ----a-w- c:\windows\system32\sysprs7.dll
     2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\axfbootloader.dll
     2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\npfbplugin_1_0_1.dll
     2010-01-28 16:52 . 2009-05-29 16:19 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
     2010-01-28 00:31 . 2008-01-16 23:04 2434 ----a-w- c:\documents and settings\John Murphy\Application Data\SAS7_000.DAT
     2010-01-14 12:01 . 2006-09-25 10:18 69878 -c--a-w- c:\windows\hpoins05.dat
     2010-01-07 16:07 . 2008-11-05 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-01-07 16:07 . 2008-11-05 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2007-08-07 17:44 . 2007-08-07 17:43 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe
     2009-04-19 11:32 . 2007-08-18 23:47 67688 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
     2009-04-19 11:32 . 2007-08-18 23:47 54368 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
     2009-04-19 11:32 . 2007-08-18 23:47 34944 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
     2009-04-19 11:32 . 2007-08-18 23:47 46712 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
     2009-04-19 11:32 . 2007-08-18 23:47 172136 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
     .
     ((((((((((((((((((((((((((((( SnapShot@2010-03-28_05.06.37 )))))))))))))))))))))))))))))))))))))))))
     .
     + 2010-03-30 18:53 . 2010-03-30 18:53 16384 c:\windows\Temp\Perflib_Perfdata_764.dat
     - 2006-09-25 11:12 . 2009-12-11 23:08 74048 c:\windows\system32\perfc009.dat
     + 2006-09-25 11:12 . 2010-03-28 05:52 74048 c:\windows\system32\perfc009.dat
     - 2006-06-23 11:25 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll
     + 2006-06-23 11:25 . 2010-02-25 06:24 25600 c:\windows\system32\jsproxy.dll
     + 2009-11-04 20:23 . 2010-02-25 06:24 12800 c:\windows\system32\dllcache\xpshims.dll
     - 2009-11-04 20:23 . 2009-12-21 19:14 12800 c:\windows\system32\dllcache\xpshims.dll
     + 2007-04-25 08:41 . 2010-02-25 06:24 55296 c:\windows\system32\dllcache\msfeedsbs.dll
     - 2007-04-25 08:41 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll
     + 2006-06-23 11:25 . 2010-02-25 06:24 25600 c:\windows\system32\dllcache\jsproxy.dll
     - 2006-06-23 11:25 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll
     + 2004-08-04 04:00 . 2004-08-04 04:00 71680 c:\windows\system32\dllcache\blastcln.exe
     + 2010-04-02 14:03 . 2009-12-21 19:14 12800 c:\windows\ie8updates\KB980182-IE8\xpshims.dll
     + 2010-04-02 14:03 . 2009-12-21 19:14 55296 c:\windows\ie8updates\KB980182-IE8\msfeedsbs.dll
     + 2010-04-02 14:03 . 2009-12-21 19:14 25600 c:\windows\ie8updates\KB980182-IE8\jsproxy.dll
     + 2004-08-04 04:00 . 2004-08-04 04:00 5632 c:\windows\system32\dllcache\write.exe
     + 2004-08-04 04:00 . 2004-08-04 04:00 9216 c:\windows\system32\dllcache\proxycfg.exe
     - 2006-09-25 11:12 . 2009-12-11 23:08 447200 c:\windows\system32\perfh009.dat
     + 2006-09-25 11:12 . 2010-03-28 05:52 447200 c:\windows\system32\perfh009.dat
     + 2004-08-04 04:00 . 2010-02-25 06:24 206848 c:\windows\system32\occache.dll
     - 2004-08-04 04:00 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll
     - 2006-06-23 11:25 . 2009-03-08 04:32 611840 c:\windows\system32\mstime.dll
     + 2006-06-23 11:25 . 2010-02-25 06:24 611840 c:\windows\system32\mstime.dll
     + 2004-08-04 04:00 . 2010-02-25 06:24 387584 c:\windows\system32\iedkcs32.dll
     - 2004-08-04 04:00 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll
     + 2004-08-04 04:00 . 2010-02-24 09:54 173056 c:\windows\system32\ie4uinit.exe
     - 2004-08-04 04:00 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe
     + 2004-08-04 04:00 . 2004-08-04 04:00 358912 c:\windows\system32\dllcache\wmic.exe
     + 2004-08-04 04:00 . 2004-08-04 04:00 126464 c:\windows\system32\dllcache\wmiapsrv.exe
     + 2006-06-23 11:25 . 2010-02-25 06:24 916480 c:\windows\system32\dllcache\wininet.dll
     - 2006-06-23 11:25 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll
     + 2004-08-04 04:00 . 2004-08-04 04:00 283648 c:\windows\system32\dllcache\winhlp32.exe
     + 2004-08-04 04:00 . 2004-08-04 04:00 121856 c:\windows\system32\dllcache\sctasks.exe
     - 2004-08-04 04:00 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll
     + 2004-08-04 04:00 . 2010-02-25 06:24 206848 c:\windows\system32\dllcache\occache.dll
     - 2006-06-23 11:25 . 2009-03-08 04:32 611840 c:\windows\system32\dllcache\mstime.dll
     + 2006-06-23 11:25 . 2010-02-25 06:24 611840 c:\windows\system32\dllcache\mstime.dll
     + 2007-04-25 08:41 . 2010-02-25 06:24 594432 c:\windows\system32\dllcache\msfeeds.dll
     - 2007-04-25 08:41 . 2009-12-21 19:14 594432 c:\windows\system32\dllcache\msfeeds.dll
     + 2009-11-04 20:23 . 2010-02-25 06:24 247808 c:\windows\system32\dllcache\ieproxy.dll
     - 2009-03-08 04:31 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll
     + 2009-03-08 04:31 . 2010-02-25 06:24 184320 c:\windows\system32\dllcache\iepeers.dll
     + 2004-08-04 04:00 . 2010-02-25 06:24 387584 c:\windows\system32\dllcache\iedkcs32.dll
     - 2004-08-04 04:00 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll
     + 2004-08-04 04:00 . 2010-02-24 09:54 173056 c:\windows\system32\dllcache\ie4uinit.exe
     - 2004-08-04 04:00 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe
     + 2010-04-02 14:03 . 2009-12-21 19:14 916480 c:\windows\ie8updates\KB980182-IE8\wininet.dll
     + 2010-04-02 14:03 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB980182-IE8\spuninst\updspapi.dll
     + 2010-04-02 14:03 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB980182-IE8\spuninst\spuninst.exe
     + 2010-04-02 14:03 . 2009-12-21 19:14 206848 c:\windows\ie8updates\KB980182-IE8\occache.dll
     + 2010-04-02 14:03 . 2009-03-08 04:32 611840 c:\windows\ie8updates\KB980182-IE8\mstime.dll
     + 2010-04-02 14:03 . 2009-12-21 19:14 594432 c:\windows\ie8updates\KB980182-IE8\msfeeds.dll
     + 2010-04-02 14:03 . 2009-12-21 19:14 246272 c:\windows\ie8updates\KB980182-IE8\ieproxy.dll
     + 2010-04-02 14:03 . 2009-12-21 19:14 184320 c:\windows\ie8updates\KB980182-IE8\iepeers.dll
     + 2010-04-02 14:03 . 2009-12-21 19:14 387584 c:\windows\ie8updates\KB980182-IE8\iedkcs32.dll
     + 2010-04-02 14:03 . 2009-12-21 13:19 173056 c:\windows\ie8updates\KB980182-IE8\ie4uinit.exe
     + 2006-07-25 20:42 . 2010-02-25 06:24 1209344 c:\windows\system32\dllcache\urlmon.dll
     + 2006-07-28 11:30 . 2010-02-25 06:24 5944832 c:\windows\system32\dllcache\mshtml.dll
     - 2007-04-25 08:41 . 2009-12-21 19:14 1985536 c:\windows\system32\dllcache\iertutil.dll
     + 2007-04-25 08:41 . 2010-02-25 06:24 1985536 c:\windows\system32\dllcache\iertutil.dll
     + 2010-04-02 14:03 . 2009-12-21 19:14 1208832 c:\windows\ie8updates\KB980182-IE8\urlmon.dll
     + 2010-04-02 14:03 . 2009-12-21 19:14 5942784 c:\windows\ie8updates\KB980182-IE8\mshtml.dll
     + 2010-04-02 14:03 . 2009-12-21 19:14 1985536 c:\windows\ie8updates\KB980182-IE8\iertutil.dll
     + 2007-04-25 08:41 . 2010-02-25 10:54 11070976 c:\windows\system32\dllcache\ieframe.dll
     + 2010-04-02 14:03 . 2009-12-21 19:14 11070464 c:\windows\ie8updates\KB980182-IE8\ieframe.dll
     .
     -- Snapshot reset to current date --
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]
     "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
     "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
     "Eyeball Chat"="c:\program files\Eyeball\Eyeball Chat\EyeballChat.exe" [2002-10-11 2863176]
     "kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "LaunchApp"="Alaunch" [X]
     "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 352256]
     "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
     "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
     "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe" [2006-06-28 1404928]
     "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-01 102491]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-01 692315]
     "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
     "Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-23 155648]
     "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
     "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
     "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
     "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
     "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 471040]
     "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-05 437008]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
     "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]
     "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]
     "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
     "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
     "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
     "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 53248]
     "ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
     "Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 3080704]
     "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
     "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-20 185896]
     "4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
     "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]
     "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

     [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
     "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

     c:\documents and settings\All Users\Start Menu\Programs\Startup\
     Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
     Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-18 2752512]
     DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-8-7 962660]
     HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]
     HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

     [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
     @="Service"

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
     "EnableFirewall"= 0 (0x0)

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
     "%windir%\\system32\\sessmgr.exe"=
     "c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\Property Controller.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\Property Controller.exe
     "c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\MindMapLauncher.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\MindMapLauncher.exe
     "c:\\program files\\texthelp systems\\read and write 8\\RW8.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\RW8.exe
     "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
     "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
     "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
     "c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=
     "d:\\My Data\\Limewire\\LimeWire.exe"=
     "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
     "c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=
     "c:\\Program Files\\Multimedia Fusion 2\\Data\\Runtime\\edrt.exe"=
     "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
     "c:\\Program Files\\Messenger\\msmsgs.exe"=
     "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
     "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
     "c:\\WINDOWS\\system32\\dpvsetup.exe"=
     "c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=
     "c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"=
     "c:\\Program Files\\Kontiki\\KService.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
     "c:\\Program Files\\Windows Live\\Contacts\\wlcomm.exe"=
     "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
     "c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=
     "c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=
     "c:\\Program Files\\SPSSInc\\Statistics17\\SPSS WinWrapIDE.exe"=
     "c:\\Program Files\\Skype\\Phone\\Skype.exe"=

     [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
     "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

     R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/04/2009 19:13 64160]
     R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
     S2 SIMUL8Parallel;SIMUL8 Parallel Processor;c:\progra~1\SIMUL8\SIMUL8_ParallelSVC.exe [14/01/2008 20:31 502272]
     S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]
     .
     Contents of the 'Scheduled Tasks' folder

     2010-03-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job
     - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:14]

     2010-03-31 c:\windows\Tasks\HPpromotions journeysoftware.job
     - c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]

     2010-04-02 c:\windows\Tasks\User_Feed_Synchronization-{2AF3A6D8-46D6-4A7E-B7DE-7188C750983E}.job
     - c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]

     2010-03-30 c:\windows\Tasks\WGASetup.job
     - c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 21:18]
     .
     .
     ------- Supplementary Scan -------
     .
     uStart Page = about:tabs
     uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
     IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
     Trusted Zone: reallusion.com\www
     DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
     DPF: {AC120B1D-9411-4111-AF52-118052D85D45} - hxxp://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab
     FF - ProfilePath - c:\documents and settings\John Murphy\Application Data\Mozilla\Firefox\Profiles\3z63gkqu.default\
     FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
     FF - prefs.js: browser.search.selectedEngine - Google
     FF - prefs.js: network.proxy.type - 4
     FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
     FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
     FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
     .
     **************************************************************************
     catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
     Rootkit scan 2010-04-02 15:47
     Windows 5.1.2600 Service Pack 2 NTFS
     scanning hidden processes ...
     scanning hidden autostart entries ...
     scanning hidden files ...
     scan completed successfully
     hidden files: 0
     **************************************************************************
     .
     --------------------- DLLs Loaded Under Running Processes ---------------------
     - - - - - - - > 'winlogon.exe'(920)
     c:\windows\system32\Ati2evxx.dll
     c:\windows\system32\igfxdev.dll
     .
     Completion time: 2010-04-02 15:50:31
     ComboFix-quarantined-files.txt 2010-04-02 14:50
     ComboFix2.txt 2010-03-30 19:03
     ComboFix3.txt 2010-03-28 05:56
     ComboFix4.txt 2010-03-28 05:28
     ComboFix5.txt 2010-04-02 14:38
     Pre-Run: 1,114,902,528 bytes free
     Post-Run: 1,355,878,400 bytes free
     - - End Of File - - 3B2B64B930E090FA4021C9A4206A9F76
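As an added example (not ComboFix's own code, and not from the forum), the Python below parses a trimmed excerpt of the log above into its sections and registry loading points and then runs a few review heuristics over it: the firewall profile flag, globally open ports, Run entries that ComboFix marked [X] (target not found) or that name a file without a directory, and DPF (ActiveX download) entries fetched from a bare IP address. The excerpt is copied from the post; the heuristics, the field names and the reading of `[X]` are the example's own assumptions, and a hit is a lead to check, not a verdict.

```python
import re
from collections import defaultdict

# Constructed excerpt: lines copied from the ComboFix log in the post above,
# with each section cut down to a few entries. The parser and the review
# rules are an added example, not ComboFix's own code.
COMBOFIX_EXCERPT = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Internet Explorer\SET5B.tmp
c:\program files\Internet Explorer\SET5C.tmp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
.
------- Supplementary Scan -------
.
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {AC120B1D-9411-4111-AF52-118052D85D45} - hxxp://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")                 # ((( Other Deletions )))
KEY_RE = re.compile(r"^\[(.+)\]$")                              # [HKEY_...\Run]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<value>.*)$')
TARGET_RE = re.compile(r'^"(?P<target>[^"]*)"(?:\s*\[(?P<meta>[^\]]*)\])?$')   # "path" [date size] or [X]
DPF_RE = re.compile(r"^DPF:\s+(?P<id>.+?)\s+-\s+(?P<url>hxxps?://\S+)$")    # ActiveX download points
BARE_IP_RE = re.compile(r"^hxxps?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")


def parse_combofix(text):
    """Pull out the parts of a ComboFix log that a reviewer reads first."""
    parsed = {"deletions": [], "autoruns": defaultdict(list),
              "firewall_enabled": None, "open_ports": [], "dpf": []}
    section = key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":                  # ComboFix pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1), None
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if section == "Other Deletions":
            parsed["deletions"].append(line)
            continue
        m = DPF_RE.match(line)
        if m:
            parsed["dpf"].append(m.groupdict())
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, value, lkey = m["name"], m["value"], key.lower()
        if lkey.endswith("\\globallyopenports\\list"):
            parsed["open_ports"].append(name)
        elif name == "EnableFirewall":
            parsed["firewall_enabled"] = value.split()[0] != "0"   # "0 (0x0)" means off
        elif lkey.endswith("\\run"):
            t = TARGET_RE.match(value)
            if t:
                parsed["autoruns"][key].append({"name": name, "target": t["target"], "meta": t["meta"]})
    return parsed


def triage(parsed):
    """Heuristic leads for a reviewer to check; none of them is a verdict on its own."""
    notes = []
    if parsed["firewall_enabled"] is False:
        notes.append("Windows Firewall standard profile is off (EnableFirewall = 0)")
    for port in parsed["open_ports"]:
        notes.append(f"firewall exception opens {port} globally")
    for key, entries in parsed["autoruns"].items():
        for e in entries:
            if e["meta"] == "X":      # ComboFix prints [X] when it cannot find the target file
                notes.append(f"autorun {e['name']!r} in {key} points at {e['target']!r}, which ComboFix could not find ([X])")
            elif "\\" not in e["target"]:
                notes.append(f"autorun {e['name']!r} in {key} names {e['target']!r} without a directory, so Windows locates it by search path")
    for d in parsed["dpf"]:
        ip = BARE_IP_RE.match(d["url"])
        if ip:
            notes.append(f"ActiveX (DPF) control {d['id']} is fetched from a bare IP {ip.group(1)}: {d['url']}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_combofix(COMBOFIX_EXCERPT)):
        print("-", note)
```

Run against the excerpt this prints five notes: the disabled firewall profile, the 3724/TCP exception, the LaunchApp entry whose target ComboFix could not find, the RTHDCPL entry given as a bare file name, and the DPF control pulled from 67.15.101.33. The Yahoo and Ad-Aware entries and the imgag.com control produce nothing, which is the point of keeping the rules narrow: the output is a short list to look at, not a verdict on the machine.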
  3. OK, thank you for clearing that up, and I'm sorry for any offence; I'm really grateful for your instructions here. Wow, everything is running fine and Malwarebytes isn't finding anything, but the system isn't actually clean. Just out of interest, the infected files/drivers don't seem to be affecting anything; what are they and what do they do? Here is the ComboFix log:

     ComboFix 10-03-29.04 - John Murphy 30/03/2010 19:44:46.5.2 - x86
     Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.469 [GMT 1:00]
     Running from: c:\documents and settings\John Murphy\Desktop\ComboFix.exe
     Command switches used :: c:\documents and settings\John Murphy\Desktop\CFScript.txt

     FILE ::
     "c:\windows\Thokacupodovujep.dat"
     "c:\windows\Vviwazukohomalok.bin"
     .
     ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     c:\windows\Thokacupodovujep.dat
     c:\windows\Vviwazukohomalok.bin
     .
     ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
     .
     -------\Legacy_OSMSWIAK
     -------\Service_osmswiak
     -------\Service_scrcap

     ((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))
     .
     2010-03-27 00:11 . 2010-03-27 00:11 -------- d-----w- c:\program files\Trend Micro
     2010-03-26 16:38 . 2010-03-26 16:38 -------- d-----w- c:\windows\system32\wbem\Repository
     2010-03-16 21:58 . 2004-08-04 04:00 24576 ----a-w- c:\windows\system32\stu2.exe
     2010-03-09 15:27 . 2010-03-09 15:27 -------- d-sh--w- c:\documents and settings\John Murphy\IECompatCache
     .
     (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     2010-03-30 18:58 . 2008-11-21 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
     2010-03-30 18:52 . 2009-05-29 21:25 12 ----a-w- c:\windows\bthservsdp.dat
     2010-03-30 09:19 . 2009-11-10 04:51 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Any Video Converter
     2010-03-29 22:13 . 2007-08-16 16:28 230432 ----a-w- C:\StiImg.dat
     2010-03-26 23:39 . 2007-08-07 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
     2010-03-26 18:22 . 2009-05-25 23:04 -------- d-----w- c:\program files\CCleaner
     2010-03-26 16:21 . 2010-03-26 16:30 214978 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
     2010-03-26 02:50 . 2007-08-07 16:54 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Skype
     2010-03-01 19:15 . 2009-06-22 18:21 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
     2010-03-01 19:15 . 2009-06-22 18:21 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
     2010-03-01 19:15 . 2009-06-22 18:21 173408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
     2010-03-01 19:15 . 2009-06-01 18:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
     2010-03-01 19:15 . 2009-05-05 18:33 15688 ----a-w- c:\windows\system32\lsdelete.exe
     2010-03-01 19:15 . 2009-06-22 18:20 350544 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
     2010-03-01 19:15 . 2009-06-22 18:20 303456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
     2010-03-01 19:15 . 2009-06-27 16:26 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
     2010-03-01 19:15 . 2009-06-01 18:14 89952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
     2010-03-01 19:14 . 2009-06-01 18:14 254832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
     2010-03-01 19:14 . 2009-06-01 18:14 45408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
     2010-03-01 19:14 . 2009-06-22 18:19 671592 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
     2010-03-01 19:14 . 2009-09-28 18:13 3701760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
     2010-03-01 19:14 . 2009-06-22 18:18 566648 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
     2010-03-01 19:14 . 2009-06-22 18:17 567144 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
     2010-03-01 19:13 . 2009-06-22 18:17 2357064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
     2010-03-01 19:13 . 2009-06-22 18:15 524632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
     2010-03-01 19:13 . 2009-06-22 18:15 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
     2010-02-20 11:57 . 2010-02-20 11:57 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat
     2010-02-19 03:13 . 2010-02-19 03:13 16 ----a-w- c:\documents and settings\LocalService\Application Data\cqfyto.dat
     2010-02-13 16:39 . 2010-02-13 16:39 50354 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\uninstall.exe
     2010-02-13 16:39 . 2010-02-13 16:39 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Facebook
     2010-02-12 10:03 . 2010-02-25 15:44 293376 ------w- c:\windows\system32\browserchoice.exe
     2010-02-10 21:00 . 2006-09-22 15:43 49664 ----a-w- c:\documents and settings\John Murphy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
     2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth2.dll
     2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth1.dll
     2010-02-10 19:15 . 2010-02-10 19:15 16 ---h--w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\e563io5.dll
     2010-02-10 19:15 . 2010-02-10 19:14 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth2.dll
     2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS
     2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\Common Files\SPSS
     2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\SPSSInc
     2010-02-10 19:06 . 2010-02-10 19:06 1025 ----a-w- c:\windows\system32\sysprs7.dll
     2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\axfbootloader.dll
     2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\npfbplugin_1_0_1.dll
     2010-01-28 16:52 . 2009-05-29 16:19 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
     2010-01-28 00:31 . 2008-01-16 23:04 2434 ----a-w- c:\documents and settings\John Murphy\Application Data\SAS7_000.DAT
     2010-01-14 12:01 . 2006-09-25 10:18 69878 -c--a-w- c:\windows\hpoins05.dat
     2010-01-07 16:07 . 2008-11-05 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2010-01-07 16:07 . 2008-11-05 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
     2009-12-31 16:14 . 2006-04-21 06:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys
     2007-08-07 17:44 . 2007-08-07 17:43 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe
     2009-04-19 11:32 . 2007-08-18 23:47 67688 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll
     2009-04-19 11:32 . 2007-08-18 23:47 54368 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
     2009-04-19 11:32 . 2007-08-18 23:47 34944 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll
     2009-04-19 11:32 . 2007-08-18 23:47 46712 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll
     2009-04-19 11:32 . 2007-08-18 23:47 172136 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
     .
     ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
     .
     .
     *Note* empty entries & legit default entries are not shown
     REGEDIT4

     [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]
     "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
     "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
     "Eyeball Chat"="c:\program files\Eyeball\Eyeball Chat\EyeballChat.exe" [2002-10-11 2863176]
     "kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
     "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "LaunchApp"="Alaunch" [X]
     "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 352256]
     "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]
     "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
     "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]
     "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe" [2006-06-28 1404928]
     "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-01 102491]
     "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-01 692315]
     "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]
     "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]
     "Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]
     "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-23 155648]
     "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
     "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
     "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]
     "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
     "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 471040]
     "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-05 437008]
     "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
     "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]
     "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
     "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]
     "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]
     "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]
     "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]
     "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
     "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
     "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 53248]
     "ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
     "Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 3080704]
     "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]
     "TkBellExe"="c:\program files\Common
Files\Real\Update_OB\realsched.exe" [2007-11-20 185896] "4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-18 2752512] DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-8-7 962660] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\Property Controller.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\Property Controller.exe "c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\MindMapLauncher.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\MindMapLauncher.exe "c:\\program files\\texthelp systems\\read and write 8\\RW8.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\RW8.exe "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\CA\\eTrust 
Antivirus\\InocIT.exe"= "d:\\My Data\\Limewire\\LimeWire.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"= "c:\\Program Files\\Multimedia Fusion 2\\Data\\Runtime\\edrt.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"= "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"= "c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"= "c:\\Program Files\\Kontiki\\KService.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Contacts\\wlcomm.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"= "c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"= "c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/04/2009 19:13 64160] R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456] S2 SIMUL8Parallel;SIMUL8 Parallel Processor;c:\progra~1\SIMUL8\SIMUL8_ParallelSVC.exe [14/01/2008 20:31 502272] S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176] . 
Contents of the 'Scheduled Tasks' folder 2010-03-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:14] 2010-03-30 c:\windows\Tasks\HPpromotions journeysoftware.job - c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36] 2010-03-30 c:\windows\Tasks\User_Feed_Synchronization-{2AF3A6D8-46D6-4A7E-B7DE-7188C750983E}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 04:31] 2010-03-30 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 21:18] . . ------- Supplementary Scan ------- . uStart Page = about:tabs uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: reallusion.com\www DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab DPF: {AC120B1D-9411-4111-AF52-118052D85D45} - hxxp://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab FF - ProfilePath - c:\documents and settings\John Murphy\Application Data\Mozilla\Firefox\Profiles\3z63gkqu.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: network.proxy.type - 4 FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-03-30 19:54 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... 
scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{71A78D8C-2A2C-F1E0-42C57DD6D788EDD0}\{92C0E49C-6DF5-7FD3-2A5D5DA34780C80D}\{FCC2AF23-71C0-A57B-CCE1F90128BA76FE}*] "JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43, 80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D6C53DCC-FBE6-A484-895E707488E1192C}\{427B1CEB-CDC7-050B-E6202C9404952D54}\{86A51E58-9B8E-E4EB-26F8074E7F2FD295}*] "JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43, 80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(920) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(3956) c:\windows\system32\WININET.dll c:\windows\system32\MSNChatHook.dll c:\windows\system32\sysenv.dll c:\windows\system32\MSVCR71.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\acer\Empowering Technology\ePower\SysHook.dll c:\windows\system32\browselc.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\acer\Empowering Technology\admServ.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\crypserv.exe c:\program files\Olympus\DeviceDetector\DM1Service.exe c:\program files\CA\eTrust Antivirus\InoRpc.exe c:\program files\CA\eTrust Antivirus\InoRT.exe c:\program files\CA\eTrust Antivirus\InoTask.exe c:\program files\Kontiki\KService.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\windows\System32\PAStiSvc.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe c:\windows\system32\wscntfy.exe c:\windows\system32\wbem\unsecapp.exe c:\windows\RTHDCPL.EXE c:\windows\system32\igfxsrvc.exe c:\windows\system32\igfxext.exe c:\windows\system32\wbem\unsecapp.exe c:\windows\system32\rundll32.exe c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe c:\docume~1\JOHNMU~1\LOCALS~1\Temp\RtkBtMnt.exe c:\program files\HP\Digital Imaging\bin\hpqgalry.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe c:\program files\Yahoo!\Messenger\ymsgr_tray.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe . ************************************************************************** . Completion time: 2010-03-30 20:03:31 - machine was rebooted ComboFix-quarantined-files.txt 2010-03-30 19:03 ComboFix2.txt 2010-03-28 05:56 ComboFix3.txt 2010-03-28 05:28 ComboFix4.txt 2010-03-28 05:08 ComboFix5.txt 2010-03-30 18:43 Pre-Run: 1,673,932,800 bytes free Post-Run: 2,008,178,688 bytes free - - End Of File - - 9B2255DF1DB60F9CF5D4A320E45DFD8A Thank you so much for helping me, sorry I caused you some grief by trying to sort it out myself haha (As I said I've removed a rootkit and TDSS myself). 
Guess I should turn that 'passion to solve things' to my mathematical studies; need to get myself to do revision, and there's lots to solve there.
  4. I asked you to finish this in my last post. If you look, it is written "as far as I can tell this issue is resolved, but if you can see something I can't here is the last combofix log". I added the combofix log so that you could see it and tell me if anything is wrong. Also, I have a question: did you hand-write your first post or did you, as it appears, just change the name? I just spoke on what I was perceiving. Look at my first post: I mentioned that I had an issue with XBOX Support which they could've sorted in a day, but because of the already written out responses it took a week to sort out. My issue with Xbox was mistreated as a low-level enquiry, and your first post made me think you were treating this as a low-level enquiry, as it seems you did not personally write that response. I never said anywhere that you don't know what you are doing. And can I ask you why you think I said "I think it would be much better if there was a way you could've just pointed it out in the first post"? I said that because I do understand that is not the way things are done and I feel that would sort the problem faster. So the combofix log is in my last post; does it look ok?
  5. Makes a little bit of sense, but not much sense. I think it would be much better if there was a way you could've just pointed it out in the first post, then I wouldn't have had to spend the night deleting UID manually from the registry every 10 mins when it came back. As you saw with the posts I left, after userinit.exe was restored I was stuck with a reinfecting UID downloading Backdoor.bots. Referring back to my first post, I have removed a rootkit disguised as a .sys and removed a Trojan.TDSS on my own, so this isn't the first time I've tried to solve it myself. I started the topic because I knew I couldn't restore the userinit.exe on my own (which I am really grateful for your help on) and I'm glad I found that other topic to help me through the rest. Malwarebytes scans are coming up clean, things seem to be running fine. As far as I can tell this issue is resolved, but if you can see something I can't, here is the last ComboFix log:

ComboFix 10-03-26.02 - John Murphy 28/03/2010 6:41.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.521 [GMT 1:00]
Running from: c:\documents and settings\John Murphy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\John Murphy\Desktop\CFScript.txt
file zipped: c:\windows\system32\msfqqn32.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\msfqqn32.exe
.
((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))
.
2010-03-27 00:11 . 2010-03-27 00:11 -------- d-----w- c:\program files\Trend Micro
2010-03-26 16:38 . 2010-03-26 16:38 -------- d-----w- c:\windows\system32\wbem\Repository
2010-03-16 21:58 . 2004-08-04 04:00 24576 ----a-w- c:\windows\system32\stu2.exe
2010-03-09 15:27 . 2010-03-09 15:27 -------- d-sh--w- c:\documents and settings\John Murphy\IECompatCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-03-28 05:53 . 2008-11-21 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki 2010-03-28 05:47 . 2009-05-29 21:25 12 ----a-w- c:\windows\bthservsdp.dat 2010-03-27 19:23 . 2010-02-19 03:17 120 ----a-w- c:\windows\Thokacupodovujep.dat 2010-03-27 01:29 . 2010-02-19 03:17 0 ----a-w- c:\windows\Vviwazukohomalok.bin 2010-03-26 23:39 . 2007-08-07 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint 2010-03-26 18:22 . 2009-05-25 23:04 -------- d-----w- c:\program files\CCleaner 2010-03-26 16:21 . 2010-03-26 16:30 214978 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat 2010-03-26 02:50 . 2007-08-07 16:54 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Skype 2010-03-09 05:01 . 2009-11-10 04:51 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Any Video Converter 2010-03-01 19:15 . 2009-06-22 18:21 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2010-03-01 19:15 . 2009-06-22 18:21 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll 2010-03-01 19:15 . 2009-06-22 18:21 173408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2010-03-01 19:15 . 2009-06-01 18:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2010-03-01 19:15 . 2009-05-05 18:33 15688 ----a-w- c:\windows\system32\lsdelete.exe 2010-03-01 19:15 . 2009-06-22 18:20 350544 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll 2010-03-01 19:15 . 2009-06-22 18:20 303456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll 2010-03-01 19:15 . 
2009-06-27 16:26 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll 2010-03-01 19:15 . 2009-06-01 18:14 89952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll 2010-03-01 19:14 . 2009-06-01 18:14 254832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll 2010-03-01 19:14 . 2009-06-01 18:14 45408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll 2010-03-01 19:14 . 2009-06-22 18:19 671592 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll 2010-03-01 19:14 . 2009-09-28 18:13 3701760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe 2010-03-01 19:14 . 2009-06-22 18:18 566648 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2010-03-01 19:14 . 2009-06-22 18:17 567144 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2010-03-01 19:13 . 2009-06-22 18:17 2357064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2010-03-01 19:13 . 2009-06-22 18:15 524632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe 2010-03-01 19:13 . 2009-06-22 18:15 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe 2010-02-20 11:57 . 2010-02-20 11:57 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat 2010-02-19 03:13 . 2010-02-19 03:13 16 ----a-w- c:\documents and settings\LocalService\Application Data\cqfyto.dat 2010-02-13 16:39 . 2010-02-13 16:39 50354 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\uninstall.exe 2010-02-13 16:39 . 
2010-02-13 16:39 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Facebook 2010-02-12 10:03 . 2010-02-25 15:44 293376 ------w- c:\windows\system32\browserchoice.exe 2010-02-10 21:00 . 2006-09-22 15:43 49664 ----a-w- c:\documents and settings\John Murphy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth2.dll 2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth1.dll 2010-02-10 19:15 . 2010-02-10 19:15 16 ---h--w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\e563io5.dll 2010-02-10 19:15 . 2010-02-10 19:14 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth2.dll 2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS 2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\Common Files\SPSS 2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\SPSSInc 2010-02-10 19:06 . 2010-02-10 19:06 1025 ----a-w- c:\windows\system32\sysprs7.dll 2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\axfbootloader.dll 2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\npfbplugin_1_0_1.dll 2010-01-28 16:52 . 2008-11-05 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-01-28 16:52 . 2009-05-29 16:19 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-01-28 00:31 . 2008-01-16 23:04 2434 ----a-w- c:\documents and settings\John Murphy\Application Data\SAS7_000.DAT 2010-01-14 12:01 . 2006-09-25 10:18 69878 -c--a-w- c:\windows\hpoins05.dat 2010-01-07 16:07 . 
2008-11-05 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-07 16:07 . 2008-11-05 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-31 16:14 . 2006-04-21 06:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys 2007-08-07 17:44 . 2007-08-07 17:43 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe 2009-04-19 11:32 . 2007-08-18 23:47 67688 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll 2009-04-19 11:32 . 2007-08-18 23:47 54368 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll 2009-04-19 11:32 . 2007-08-18 23:47 34944 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll 2009-04-19 11:32 . 2007-08-18 23:47 46712 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll 2009-04-19 11:32 . 2007-08-18 23:47 172136 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! 
Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032] "Eyeball Chat"="c:\program files\Eyeball\Eyeball Chat\EyeballChat.exe" [2002-10-11 2863176] "kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LaunchApp"="Alaunch" [X] "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 352256] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648] "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe" [2006-06-28 1404928] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-01 102491] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-01 692315] "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832] "RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-23 155648] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 471040] "itype"="c:\program files\Microsoft IntelliType 
Pro\itype.exe" [2005-12-05 437008] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152] "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312] "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632] "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 53248] "ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208] "Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 3080704] "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-20 185896] "4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376] "Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-18 2752512] DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-8-7 962660] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital 
Imaging\bin\hpqtra08.exe [2004-11-4 258048] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\Property Controller.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\Property Controller.exe "c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\MindMapLauncher.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\MindMapLauncher.exe "c:\\program files\\texthelp systems\\read and write 8\\RW8.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\RW8.exe "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"= "d:\\My Data\\Limewire\\LimeWire.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"= "c:\\Program Files\\Multimedia Fusion 2\\Data\\Runtime\\edrt.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"= "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"= "c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"= "c:\\Program Files\\Kontiki\\KService.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Contacts\\wlcomm.exe"= "c:\\Program Files\\Windows 
Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"= "c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"= "c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/04/2009 19:13 64160] S0 osmswiak;osmswiak; [x] S2 SIMUL8Parallel;SIMUL8 Parallel Processor;c:\progra~1\SIMUL8\SIMUL8_ParallelSVC.exe [14/01/2008 20:31 502272] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456] S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176] S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?] --- Other Services/Drivers In Memory --- *NewlyCreated* - INT15.SYS . Contents of the 'Scheduled Tasks' folder 2010-03-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:14] 2010-03-28 c:\windows\Tasks\HPpromotions journeysoftware.job - c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36] 2010-03-28 c:\windows\Tasks\User_Feed_Synchronization-{2AF3A6D8-46D6-4A7E-B7DE-7188C750983E}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 04:31] 2010-03-28 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 21:18] . . ------- Supplementary Scan ------- . 
uStart Page = about:tabs uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: reallusion.com\www DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab DPF: {AC120B1D-9411-4111-AF52-118052D85D45} - hxxp://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab FF - ProfilePath - c:\documents and settings\John Murphy\Application Data\Mozilla\Firefox\Profiles\3z63gkqu.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: network.proxy.type - 4 FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-03-28 06:49 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . 
--------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{71A78D8C-2A2C-F1E0-42C57DD6D788EDD0}\{92C0E49C-6DF5-7FD3-2A5D5DA34780C80D}\{FCC2AF23-71C0-A57B-CCE1F90128BA76FE}*] "JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43, 80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D6C53DCC-FBE6-A484-895E707488E1192C}\{427B1CEB-CDC7-050B-E6202C9404952D54}\{86A51E58-9B8E-E4EB-26F8074E7F2FD295}*] "JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43, 80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(920) c:\windows\system32\Ati2evxx.dll - - - - - - - > 'explorer.exe'(2596) c:\windows\system32\WININET.dll c:\windows\system32\MSNChatHook.dll c:\windows\system32\sysenv.dll c:\windows\system32\MSVCR71.dll c:\windows\system32\ieframe.dll c:\acer\Empowering Technology\ePower\SysHook.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll . ------------------------ Other Running Processes ------------------------ . 
c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\acer\Empowering Technology\admServ.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\crypserv.exe c:\program files\Olympus\DeviceDetector\DM1Service.exe c:\program files\CA\eTrust Antivirus\InoRpc.exe c:\program files\CA\eTrust Antivirus\InoRT.exe c:\program files\CA\eTrust Antivirus\InoTask.exe c:\program files\Kontiki\KService.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\windows\System32\PAStiSvc.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe c:\windows\system32\wscntfy.exe c:\windows\RTHDCPL.EXE c:\windows\system32\igfxext.exe c:\windows\system32\igfxsrvc.exe c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe c:\windows\system32\rundll32.exe c:\windows\system32\wbem\unsecapp.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe c:\program files\HP\Digital Imaging\bin\hpqgalry.exe c:\docume~1\JOHNMU~1\LOCALS~1\Temp\RtkBtMnt.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe c:\program files\Yahoo!\Messenger\ymsgr_tray.exe . ************************************************************************** . Completion time: 2010-03-28 06:56:47 - machine was rebooted ComboFix-quarantined-files.txt 2010-03-28 05:56 ComboFix2.txt 2010-03-28 05:28 ComboFix3.txt 2010-03-28 05:08 ComboFix4.txt 2010-03-27 20:09 Pre-Run: 1,956,880,384 bytes free Post-Run: 2,407,936,000 bytes free - - End Of File - - F503B4AF47F07CCE8E8634FB5BF492D1 Thank You
  6. Fact: The first post had an HJT that showed ms****.exe and you appear to have missed that, and I did say "I am sorry but..." I saw a difference between the topics. There was clearly a ms****.exe problem that you missed but miekiemoes saw on another very similar topic. I have followed what miekiemoes suggested in the other topic and now everything seems to be fine. Again, I said "I am sorry but", and again, you missed the ms****.exe part, and again now everything seems to be fine. If you look back I tried to be clear and respectful, as I said "Sorry if I sound like I'm not grateful, I am grateful".
  7. Been doing stuff by myself and I'm sorry, but I don't believe you actually looked at my HijackThis log properly. Seems like you saw the infected userinit and simply suggested ComboFix to restore it. Now I'm left with uid coming back and downloading backdoor.bots, and I think user miekiemoes has just inadvertently helped me in another topic which is almost identical to the stage I'm at now. In http://forums.malwarebytes.org/index.php?showtopic=40652 the problem is uid and 4 backdoor.bots. miekiemoes in his first post response noticed UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mskqyj32.exe in the HJT, identical to my "F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msfqqn32.exe". It's the exact same ms****32.exe in userinit producing the same results in the Malwarebytes scan (uid and # of backdoor.bot). So I'm going to take this matter myself and follow his steps: http://forums.malwarebytes.org/index.php?s...rt=#entry202503
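The Userinit pattern post 7 describes (a second executable appended after userinit.exe, as in the "F2 - REG:system.ini" line of the HijackThis log in post 10) can be checked mechanically. The script below is an added example, not tooling from this thread or from the forum helpers: it parses a Userinit value as it appears in a HijackThis F2 line or a ComboFix "Reg Loading Points" line and reports anything other than the expected userinit.exe. It assumes Windows is installed in C:\WINDOWS (as in the logs above); the sample lines are constructed in that shape and the function names are this example's own.

```python
"""Check a Windows XP Winlogon "Userinit" value for appended executables.

Added example, not code from the forum thread. Parses the value as quoted in a
HijackThis "F2 - REG:system.ini: UserInit=..." line or a ComboFix
'"Userinit"="..."' line and reports every entry that is not the legitimate
userinit.exe. Sample lines are constructed; the real logs are in the thread.
"""
import re
import sys
from typing import Dict, List, Optional

# Assumption: Windows lives in C:\WINDOWS, as in the thread's logs.
WINDIR = r"C:\WINDOWS"
EXPECTED_USERINIT = WINDIR + r"\system32\userinit.exe"

# HijackThis:  F2 - REG:system.ini: UserInit=<value>
# ComboFix:    "Userinit"="<value>"
_COMBOFIX_RE = re.compile(r'^"Userinit"\s*=\s*"(?P<value>[^"]*)"', re.IGNORECASE)
_HJT_RE = re.compile(r"UserInit\s*=\s*(?P<value>.+)$", re.IGNORECASE)


def extract_userinit(line: str) -> Optional[str]:
    """Return the raw Userinit value from a HJT or ComboFix log line, else None."""
    line = line.strip()
    m = _COMBOFIX_RE.match(line) or _HJT_RE.search(line)
    return m.group("value").strip() if m else None


def split_entries(value: str) -> List[str]:
    """Split the comma-separated value; the trailing comma Windows writes
    leaves an empty entry, which is dropped."""
    return [e.strip() for e in value.split(",") if e.strip()]


def canonical(path: str) -> str:
    """Lower-case, expand %SystemRoot%/%WinDir%, and turn the bare
    'system32\\userinit.exe' form (seen in the MBAM log) into a full path so
    the different spellings of the same file compare equal."""
    p = path.strip().strip('"').lower()
    p = p.replace("%systemroot%", WINDIR.lower()).replace("%windir%", WINDIR.lower())
    if not re.match(r"^[a-z]:\\", p):
        p = WINDIR.lower() + "\\" + p.lstrip("\\")
    return p


def check_userinit(value: str) -> Dict[str, object]:
    """Report whether userinit.exe is present and which other executables
    Winlogon would launch at logon. Any extra entry is worth investigating."""
    entries = split_entries(value)
    expected = canonical(EXPECTED_USERINIT)
    extra = [e for e in entries if canonical(e) != expected]
    return {
        "expected_present": any(canonical(e) == expected for e in entries),
        "extra": extra,
        "suspicious": bool(extra) or not entries,
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run check_userinit over every Userinit line found in a log."""
    findings = []
    for line in lines:
        value = extract_userinit(line)
        if value is not None:
            report = check_userinit(value)
            report["value"] = value
            findings.append(report)
    return findings


def read_live_userinit() -> Optional[str]:
    """On Windows, read the live value (read-only; nothing is changed).
    Returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


# Constructed sample lines in the shape quoted in the thread (not the logs).
SAMPLE_HJT_INFECTED = (
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"
    r"C:\WINDOWS\system32\msfqqn32.exe,"
)
SAMPLE_COMBOFIX_CLEAN = r'"Userinit"="c:\windows\system32\userinit.exe,"'

if __name__ == "__main__":
    for finding in scan_log([SAMPLE_HJT_INFECTED, SAMPLE_COMBOFIX_CLEAN]):
        print(finding)
    live = read_live_userinit()
    if live is not None:
        print("live:", check_userinit(live))
```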
  8. The userinit.exe seems to be OK now; it seems the root of the problem is uid. The backdoor.bots remove easily, but uid is coming back and downloading the backdoor.bots. So, what is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid? uid keeps coming back after deletion. Is uid part of a virus, or is it an infected Windows file like userinit.exe was?
  9. Thank you, I hope you gave me a personal response and not a Generalised Already Written Response. ComboFix went through a whole process to find the infected file, which I already knew was userinit.exe; that's why I posted here. I've removed lots of viruses without asking for help and this is the first time, because userinit is an infected file that can't be deleted and I can't fix it myself. Sorry if I sound like I'm not grateful, I am grateful; it's just that I don't want to be classed as "Low Level Inquiry" (That's how it took a week for Xbox support to answer something they could've answered in a day!!) Here is the combofix.txt: ComboFix 10-03-26.02 - John Murphy 27/03/2010 19:46:07.1.2 - x86 Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.585 [GMT 0:00] Running from: c:\documents and settings\John Murphy\Desktop\ComboFix.exe . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\documents and settings\John Murphy\Local Settings\Application Data\{8269CA71-FA11-47E4-81BF-628E253C3789} c:\documents and settings\John Murphy\Local Settings\Application Data\{8269CA71-FA11-47E4-81BF-628E253C3789}\chrome.manifest c:\documents and settings\John Murphy\Local Settings\Application Data\{8269CA71-FA11-47E4-81BF-628E253C3789}\chrome\content\_cfg.js c:\documents and settings\John Murphy\Local Settings\Application Data\{8269CA71-FA11-47E4-81BF-628E253C3789}\chrome\content\overlay.xul c:\documents and settings\John Murphy\Local Settings\Application Data\{8269CA71-FA11-47E4-81BF-628E253C3789}\install.rdf c:\program files\WinPCap c:\program files\WinPCap\daemon_mgm.exe c:\program files\WinPCap\npf_mgm.exe c:\program files\WinPCap\rpcapd.exe c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf c:\windows\Downloaded 
Program Files\f3initialsetup1.0.1.1.inf c:\windows\Downloaded Program Files\popcaploader.inf c:\windows\eSellerateEngine.dll c:\windows\jestertb.dll c:\windows\system32\drivers\npf.sys c:\windows\system32\dz1.txt c:\windows\system32\lsprst7.dll c:\windows\system32\p1.txt c:\windows\system32\Packet.dll c:\windows\system32\prsgrc.dll c:\windows\system32\pthreadVC.dll c:\windows\system32\r24.txt c:\windows\system32\sblog.txt c:\windows\system32\WanPacket.dll c:\windows\system32\wpcap.dll c:\windows\uholekoconisi.dll ----- BITS: Possible infected sites ----- hxxp://oft.ag Infected copy of c:\windows\system32\userinit.exe was found and disinfected Restored copy from - c:\system volume information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP83\A0017969.exe . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_NPF ((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 ))))))))))))))))))))))))))))))) . 2010-03-27 00:11 . 2010-03-27 00:11 -------- d-----w- c:\program files\Trend Micro 2010-03-26 16:38 . 2010-03-26 16:38 -------- d-----w- c:\windows\system32\wbem\Repository 2010-03-16 21:58 . 2004-08-04 04:00 24576 ----a-w- c:\windows\system32\stu2.exe 2010-03-09 15:27 . 2010-03-09 15:27 -------- d-sh--w- c:\documents and settings\John Murphy\IECompatCache . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2010-03-27 20:04 . 2008-11-21 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki 2010-03-27 19:58 . 2009-05-29 21:25 12 ----a-w- c:\windows\bthservsdp.dat 2010-03-27 19:23 . 2010-02-19 03:17 120 ----a-w- c:\windows\Thokacupodovujep.dat 2010-03-27 01:29 . 2010-02-19 03:17 0 ----a-w- c:\windows\Vviwazukohomalok.bin 2010-03-26 23:39 . 2007-08-07 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint 2010-03-26 18:22 . 
2009-05-25 23:04 -------- d-----w- c:\program files\CCleaner 2010-03-26 17:01 . 2007-08-07 17:19 -------- d-----w- c:\program files\Viewpoint 2010-03-26 16:21 . 2010-03-26 16:30 214978 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat 2010-03-26 02:50 . 2007-08-07 16:54 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Skype 2010-03-09 05:01 . 2009-11-10 04:51 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Any Video Converter 2010-03-01 19:15 . 2009-06-22 18:21 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe 2010-03-01 19:15 . 2009-06-22 18:21 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll 2010-03-01 19:15 . 2009-06-22 18:21 173408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll 2010-03-01 19:15 . 2009-06-01 18:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe 2010-03-01 19:15 . 2009-05-05 18:33 15688 ----a-w- c:\windows\system32\lsdelete.exe 2010-03-01 19:15 . 2009-06-22 18:20 350544 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll 2010-03-01 19:15 . 2009-06-22 18:20 303456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll 2010-03-01 19:15 . 2009-06-27 16:26 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll 2010-03-01 19:15 . 2009-06-01 18:14 89952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll 2010-03-01 19:14 . 2009-06-01 18:14 254832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll 2010-03-01 19:14 . 
2009-06-01 18:14 45408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll 2010-03-01 19:14 . 2009-06-22 18:19 671592 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll 2010-03-01 19:14 . 2009-09-28 18:13 3701760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe 2010-03-01 19:14 . 2009-06-22 18:18 566648 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe 2010-03-01 19:14 . 2009-06-22 18:17 567144 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe 2010-03-01 19:13 . 2009-06-22 18:17 2357064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe 2010-03-01 19:13 . 2009-06-22 18:15 524632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe 2010-03-01 19:13 . 2009-06-22 18:15 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe 2010-02-20 11:57 . 2010-02-20 11:57 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat 2010-02-19 03:13 . 2010-02-19 03:13 16 ----a-w- c:\documents and settings\LocalService\Application Data\cqfyto.dat 2010-02-13 16:39 . 2010-02-13 16:39 50354 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\uninstall.exe 2010-02-13 16:39 . 2010-02-13 16:39 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Facebook 2010-02-12 10:03 . 2010-02-25 15:44 293376 ------w- c:\windows\system32\browserchoice.exe 2010-02-10 21:00 . 2006-09-22 15:43 49664 ----a-w- c:\documents and settings\John Murphy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth2.dll 2010-02-10 19:15 . 
2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth1.dll 2010-02-10 19:15 . 2010-02-10 19:15 16 ---h--w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\e563io5.dll 2010-02-10 19:15 . 2010-02-10 19:14 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth2.dll 2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS 2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\Common Files\SPSS 2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\SPSSInc 2010-02-10 19:06 . 2010-02-10 19:06 1025 ----a-w- c:\windows\system32\sysprs7.dll 2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\axfbootloader.dll 2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\npfbplugin_1_0_1.dll 2010-01-28 16:52 . 2008-11-05 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware 2010-01-28 16:52 . 2009-05-29 16:19 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe 2010-01-28 00:31 . 2008-01-16 23:04 2434 ----a-w- c:\documents and settings\John Murphy\Application Data\SAS7_000.DAT 2010-01-14 12:01 . 2006-09-25 10:18 69878 -c--a-w- c:\windows\hpoins05.dat 2010-01-07 16:07 . 2008-11-05 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2010-01-07 16:07 . 2008-11-05 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys 2009-12-31 16:14 . 2006-04-21 06:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys 2007-08-07 17:44 . 2007-08-07 17:43 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe 2009-04-19 11:32 . 2007-08-18 23:47 67688 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll 2009-04-19 11:32 . 
2007-08-18 23:47 54368 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll 2009-04-19 11:32 . 2007-08-18 23:47 34944 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll 2009-04-19 11:32 . 2007-08-18 23:47 46712 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll 2009-04-19 11:32 . 2007-08-18 23:47 172136 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704] "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472] "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032] "Eyeball Chat"="c:\program files\Eyeball\Eyeball Chat\EyeballChat.exe" [2002-10-11 2863176] "kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "LaunchApp"="Alaunch" [X] "ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 352256] "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032] "SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784] "SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648] "DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe" [2006-06-28 1404928] "SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-01 102491] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-01 692315] "RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832] "RemoteControl"="c:\program 
files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768] "Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-23 155648] "PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168] "ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056] "MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392] "LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 471040] "itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-05 437008] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960] "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584] "IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952] "igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304] "igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784] "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824] "HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152] "eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312] "eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632] "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 53248] "ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208] "Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 3080704] "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920] "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-20 185896] "4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376] "Ad-Watch"="c:\program 
files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632] "BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360] c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696] Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-18 2752512] DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-8-7 962660] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048] HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon] "Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msfqqn32.exe," [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service] @="Service" [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\Property Controller.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\Property Controller.exe "c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\MindMapLauncher.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\MindMapLauncher.exe "c:\\program files\\texthelp systems\\read and write 8\\RW8.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\RW8.exe "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"= "c:\\Program 
Files\\CA\\eTrust Antivirus\\InocIT.exe"= "d:\\My Data\\Limewire\\LimeWire.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"= "c:\\Program Files\\Multimedia Fusion 2\\Data\\Runtime\\edrt.exe"= "c:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"= "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"= "c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"= "c:\\Program Files\\Kontiki\\KService.exe"= "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= "c:\\Program Files\\Windows Live\\Contacts\\wlcomm.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"= "c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"= "c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"= "c:\\Program Files\\Skype\\Phone\\Skype.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/04/2009 18:13 64160] S0 osmswiak;osmswiak; [x] S2 SIMUL8Parallel;SIMUL8 Parallel Processor;c:\progra~1\SIMUL8\SIMUL8_ParallelSVC.exe [14/01/2008 19:31 502272] S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 19:06 1029456] S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 11:29 162176] S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?] . 
Contents of the 'Scheduled Tasks' folder 2010-03-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job - c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:14] 2010-03-27 c:\windows\Tasks\HPpromotions journeysoftware.job - c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36] 2010-03-27 c:\windows\Tasks\User_Feed_Synchronization-{2AF3A6D8-46D6-4A7E-B7DE-7188C750983E}.job - c:\windows\system32\msfeedssync.exe [2006-10-17 04:31] 2010-03-27 c:\windows\Tasks\WGASetup.job - c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 21:18] . . ------- Supplementary Scan ------- . uStart Page = about:tabs uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 Trusted Zone: reallusion.com\www DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab DPF: {AC120B1D-9411-4111-AF52-118052D85D45} - hxxp://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab FF - ProfilePath - c:\documents and settings\John Murphy\Application Data\Mozilla\Firefox\Profiles\3z63gkqu.default\ FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q= FF - prefs.js: browser.search.selectedEngine - Google FF - prefs.js: network.proxy.type - 4 FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ . 
- - - - ORPHANS REMOVED - - - - WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file) HKLM-Run-adiras - adiras.exe HKLM-Run-Chozemunajazetij - c:\windows\uholekoconisi.dll ActiveSetup-{2E1A9DE4-ADA0-4501-A46E-6633CDB01654} - xagkf32.dll ************************************************************************** catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2010-03-27 20:00 Windows 5.1.2600 Service Pack 2 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- LOCKED REGISTRY KEYS --------------------- [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{71A78D8C-2A2C-F1E0-42C57DD6D788EDD0}\{92C0E49C-6DF5-7FD3-2A5D5DA34780C80D}\{FCC2AF23-71C0-A57B-CCE1F90128BA76FE}*] "JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43, 80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D6C53DCC-FBE6-A484-895E707488E1192C}\{427B1CEB-CDC7-050B-E6202C9404952D54}\{86A51E58-9B8E-E4EB-26F8074E7F2FD295}*] "JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43, 80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61 . --------------------- DLLs Loaded Under Running Processes --------------------- - - - - - - - > 'winlogon.exe'(920) c:\windows\system32\Ati2evxx.dll c:\windows\system32\wininet.dll - - - - - - - > 'lsass.exe'(980) c:\windows\system32\wininet.dll - - - - - - - > 'explorer.exe'(3116) c:\windows\system32\WININET.dll c:\windows\system32\MSNChatHook.dll c:\windows\system32\sysenv.dll c:\windows\system32\MSVCR71.dll c:\windows\system32\ieframe.dll c:\windows\system32\webcheck.dll c:\windows\system32\WPDShServiceObj.dll c:\windows\system32\PortableDeviceTypes.dll c:\windows\system32\PortableDeviceApi.dll c:\acer\Empowering Technology\ePower\SysHook.dll . 
------------------------ Other Running Processes ------------------------ . c:\program files\Intel\Wireless\Bin\EvtEng.exe c:\program files\Intel\Wireless\Bin\S24EvMon.exe c:\acer\Empowering Technology\admServ.exe c:\program files\Bonjour\mDNSResponder.exe c:\windows\system32\crypserv.exe c:\program files\Olympus\DeviceDetector\DM1Service.exe c:\program files\CA\eTrust Antivirus\InoRpc.exe c:\program files\CA\eTrust Antivirus\InoRT.exe c:\program files\CA\eTrust Antivirus\InoTask.exe c:\program files\Kontiki\KService.exe c:\program files\Common Files\LightScribe\LSSrvc.exe c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE c:\program files\Intel\Wireless\Bin\RegSrvc.exe c:\windows\System32\PAStiSvc.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe c:\windows\system32\wscntfy.exe c:\windows\RTHDCPL.EXE c:\windows\system32\wbem\unsecapp.exe c:\windows\system32\igfxext.exe c:\windows\system32\igfxsrvc.exe c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe c:\windows\system32\rundll32.exe c:\program files\HP\Digital Imaging\bin\hpqgalry.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe c:\program files\Yahoo!\Messenger\ymsgr_tray.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe c:\docume~1\JOHNMU~1\LOCALS~1\Temp\RtkBtMnt.exe c:\program files\Java\jre1.6.0_05\bin\jucheck.exe . ************************************************************************** . 
Completion time: 2010-03-27 20:09:47 - machine was rebooted ComboFix-quarantined-files.txt 2010-03-27 20:09 Pre-Run: 2,080,817,152 bytes free Post-Run: 2,409,046,016 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect - - End Of File - - 904AD04B98EE1D32987EB017F3BF7571
  10. Hi, This is my first time posting. On my own I've removed a lot of viruses that come back after Malwarebytes removes them and reboots, and I learnt a lot through using a search engine to find other instances of the same virus on forums. I even tried to avoid solutions involving HijackThis. One I had came up on the MBAM scan as a .sys and came back after rebooting. I found out that I had to use rootkit to wipe the .sys file, re-run MBAM, and MBAM found other files with the same name, removed them and that was the end of it. Unfortunately, from what I can see there isn't much more I can do on my own; even though I've had a virus that almost ground the system to a stop, this time is worse because I can't remove it by myself. From what I have gathered, the backdoor.bots aren't severe in terms of backdoor.bots and the userinit shouldn't be deleted but is infected. I sent the infected userinit.exe to virustotal.com for an analysis and it came back 5/42. Also, as I saw in http://forums.malwarebytes.org/index.php?showtopic=5591, I have an infected userinit.exe. Upon login when I sign into my account the system 'hangs' and I have to open Task Manager and manually get it to load the desktop (I click New Task, right-click a folder, click Explore, and that starts 'explorer.exe' and loads the desktop with the Start button), and I also get error messages saying rundll32.exe fails to initialise properly. 
Here is the Malwarebytes output:

Malwarebytes' Anti-Malware 1.44
Database version: 3917
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

27/03/2010 00:45:11
mbam-log-2010-03-27 (00-45-11).txt

Scan type: Quick Scan
Objects scanned: 161297
Time elapsed: 9 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent.Gen) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent.Gen) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:11:28, on 27/03/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\admServ.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Acer\Empowering Technology\admtray.exe
C:\WINDOWS\system32\igfxext.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\DOCUME~1\JOHNMU~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:tabs
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msfqqn32.exe,
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [sSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "C:\Program Files\Nuance\NaturallySpeaking9\Program\ereg.ini"
O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Chozemunajazetij] rundll32.exe "C:\WINDOWS\uholekoconisi.dll",Startup
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -scheduler
O4 - HKCU\..\Run: [Eyeball Chat] "C:\Program Files\Eyeball\Eyeball Chat\EyeballChat.exe" -min
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspsou.dll
O15 - Trusted Zone: http://www.reallusion.com
O16 - DPF: CabBuilder - http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...bookPhotoUploader5.cab
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/vers...ex/dlm-activex-2.2.3.5.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...en/x86/client/muweb_site.cab?1159189640140
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts Games) - http://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/armhelper.ocx
O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail Photo Upload Tool) - http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab
O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} (Vitalize Class) - http://download.clickteam.com/vitalize3/vitalize.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SIMUL8 Parallel Processor (SIMUL8Parallel) - SIMUL8 Corporation - C:\PROGRA~1\SIMUL8\SIMUL8_ParallelSVC.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 15843 bytes

Appreciate the help
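A small triage script for logs like the one in the post above, added here as an example; it is not part of the original post and not code from HijackThis or Malwarebytes. It parses HijackThis-style lines and flags the three persistence indicators visible in that log: an extra executable chained onto the Winlogon UserInit value (Winlogon runs every comma-separated entry at logon, so the appended program starts before the user's shell), a Run key that uses rundll32 to load a DLL from outside system32, and a Winsock LSP entry that HijackThis could not attribute. The sample lines are constructed from entries in the post rather than being the full log; the regexes and the "outside system32" heuristic are my own assumptions, and a real deployment would need a vendor allowlist because legitimate software also loads DLLs from Program Files.

```python
"""Triage of HijackThis-style log lines (added example, not from the original post).

Flags three persistence patterns seen in the log above:
  F2   Winlogon UserInit with a second executable appended
  O4   a Run key that uses rundll32 to load a DLL from outside system32
  O10  a Winsock LSP that HijackThis could not attribute to a vendor
"""
import re
from typing import Dict, List

# Constructed sample: a handful of lines modelled on entries in the post above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\msfqqn32.exe,
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Chozemunajazetij] rundll32.exe "C:\WINDOWS\uholekoconisi.dll",Startup
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O10 - Unknown file in Winsock LSP: c:\windows\system32\lspsou.dll
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
"""

# Line shapes are assumed from HijackThis 2.0.x output; adjust if your version differs.
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
RUNDLL_RE = re.compile(
    r'^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?',
    re.I,
)
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (?P<path>.+)$", re.I)


def _in_system32(path: str) -> bool:
    """True when the file's parent directory is ...\\system32 (case-insensitive)."""
    parent, _, _ = path.rpartition("\\")
    return parent.lower().endswith("\\system32")


def check_userinit(value: str) -> List[str]:
    """Return one finding per suspicious entry in a Winlogon UserInit value.

    The clean value is a single entry, the userinit.exe shipped in system32,
    followed by a trailing comma. Anything after the first entry is executed
    by Winlogon at every logon, which is exactly what the hijack relies on.
    """
    entries = [e.strip() for e in value.split(",") if e.strip()]
    findings: List[str] = []
    if not entries or not entries[0].lower().endswith("\\system32\\userinit.exe"):
        findings.append(f"UserInit first entry is not system32 userinit.exe: {entries[:1]}")
    for extra in entries[1:]:
        findings.append(f"extra UserInit entry: {extra}")
    return findings


def triage(log_text: str) -> List[Dict[str, str]]:
    """Scan log lines and return a list of {'line': ..., 'reason': ...} findings."""
    findings: List[Dict[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = USERINIT_RE.match(line)
        if m:
            for reason in check_userinit(m.group("value")):
                findings.append({"line": line, "reason": reason})
            continue
        m = RUNDLL_RE.match(line)
        if m:
            dll = m.group("dll").strip()
            # A bare name such as bthprops.cpl resolves through the system search
            # path; a full path outside system32 (C:\WINDOWS\<random>.dll) is the
            # pattern to flag. Heuristic only: real use needs an allowlist.
            if "\\" in dll and not _in_system32(dll):
                findings.append(
                    {"line": line, "reason": f"rundll32 Run entry loads DLL outside system32: {dll}"}
                )
            continue
        m = LSP_RE.match(line)
        if m:
            # HijackThis already failed to attribute this LSP; surface it for review.
            findings.append({"line": line, "reason": f"unattributed Winsock LSP: {m.group('path')}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}\n    {f['line']}")
```

Run against the sample it reports three findings (msfqqn32.exe, uholekoconisi.dll and lspsou.dll) and stays quiet on the igfxtray and bthprops.cpl entries. To use it on a real log, pass the file contents to triage() instead of SAMPLE_LOG; the script reads text only and does not touch the registry, so it is safe to run on a copy of the log on another machine.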