
Referred from FP forum.



I made a post in the False Positives section of the forum because that is what I thought I might have. However, I ended up being directed over to here.

Background:

I'm running a work laptop, with very clean habits, use MS Forefront Client Security (corporate AV), Spybot S&D, CCleaner, Pest Patrol and MBAM. Everything was fine until I loaded MBAM v1.33. Subsequent Full and Quick scans find 14-26 'infected' files containing anything from trojan.fakealert, to trojan.agent, to backdoor.bot (see log attached). The number seems to depend on what files/folders I have in D:\Temp.

Anyway, If I search, I can't find any of the 'infected files' listed (and I have checked "show hidden files" etc. in Win Ex) AND none of these infections show when I scan with the computer in 'safe mode'. What


I see several problems with the entries produced in those logs. First I'd like to mention that the service you have running for AT&T which appears in your HijackThis log here:

O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\IRCOIN~1\NetCfgSv.EXE

...may be, at least in part, responsible for some of the entries that appear in the mbam log and the resulting return with each reboot. Pest Patrol, quite an old piece of software by the way, is also likely to interfere.

In addition to this, your Spybot Search and Destroy's Tea Timer function is actually a registry protection feature that will wrestle with any of your security application's removal efforts. You should remember to disable these security software protection features before running your scanning software...and in particular, you need to disable them if we want to succeed with our fix instructions below.

To disable Tea Timer, please do this:

1) Run Spybot-S&D

2) Go to the Mode menu, and make sure "Advanced Mode" is selected

3) On the left hand side, choose Tools -> Resident

4) Uncheck "Resident TeaTimer" and OK any prompts

5) Restart your computer.

Please remember to re-enable these once we are certain your system has been cleared up of these present issues you are experiencing.

Viewpoint Service is Foistware. You probably did not intend to download this program...more than likely it was forced upon you, bundled with some other download. To remove it, click start-->control panel-->add/remove programs.

Scroll down the list to locate the program name, click on it to highlight it, then click Remove. Reboot the computer when the uninstallation completes.

You have a proxy server setup to connect through a server located in Melbourne Australia...is this correct? Do you have a particular reason why you added the "Ingersoll Rand Company" to your hosts file?

You can run HijackThis again and check the box next to these entries:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

The "O6" entry below is normally seen when the user has employed the protective "Administrative Locking Features" available from Spybot Search and Destroy (and some other applications)...if you know with certainty that you do NOT use this feature, then place a check next to this one too:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

As with these entries from I.B.M., you can place anything you want into your trusted zone but in so doing, it is equal to leaving the keys to your front door in the lock as you go away on vacation. If you agree that is a bad idea, then place a check next to these "O15" entries as well:

O15 - Trusted Zone: c42sjcuxs01.corio.com

O15 - Trusted Zone: c42sjcuxs07.corio.com

O15 - Trusted Zone: c48temuxs23.corio.com

O15 - Trusted Zone: c4ksjduxs01.corio.com

O15 - Trusted Zone: c4ksjduxs02.corio.com

O15 - Trusted Zone: *.corio.com

O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.0)) - http://216.115.165.51/ltocx12n.cab

O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} -

O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) -

O16 - DPF: {F694EA1F-2EC1-445D-8988-1862AD0CC4C8} (pvvercheck_ie Control) - https://windchill.ingersollrand.com/Windchi...vercheck_ie.cab

O23 - Service: ZJKXKHSPBKP - Unknown owner - D:\TEMP\ZJKXKHSPBKP.exe (file missing)

Please close all other windows you have open now (including this browser window)...leaving only the HijackThis application's window open, check the Fix Checked button.

Reboot the computer.

When the system comes back up, please open a command prompt...click start-->run

...then, type CMD in the run box and click "OK". When the command prompt window opens, copy and paste the following, then press your enter key:

sc delete ZJKXKHSPBKP

You should receive a "Successful" message returned. Please reboot again to properly record these changes made to your hard disk. Please run a manual update to your on board mbam and perform another quick scan. Please post back that log along with a fresh HijackThis log and advise how the system is behaving and remember to answer these:

"You have a proxy server setup to connect through a server located in Melbourne Australia...is this correct? Do you have a particular reason why you added the "Ingersoll Rand Company" to your hosts file?"

Are you having any other issues? Thanks!

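The checks the reply above makes by eye (an orphaned BHO, Trusted Zone entries, an ActiveX download served from a bare IP address, a service whose binary is missing, and a user-level proxy pointing somewhere unexpected) can be applied to a HijackThis log mechanically. The following is an added example written for this page, not code from HijackThis, Malwarebytes or the poster. The sample lines are a constructed subset shaped like the posted log (the Microsoft Update URL is shortened to a made-up path), and the 10.0.0.0/8 "corporate proxy" range is an assumption standing in for whatever the real environment uses.

```python
"""Triage rules for HijackThis-style log lines.

Added example, not HijackThis code and not from the thread: it applies,
as code, the checks the forum reply makes by eye. Every rule and the
"corporate proxy range" below are assumptions for the demonstration.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample in the shape of the posted log (a subset of its lines;
# the second O16 URL is made up, the real one is truncated in the post).
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 79.99.43.128:3128
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O15 - Trusted Zone: *.corio.com
O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.0)) - http://216.115.165.51/ltocx12n.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/example/muweb.cab
O23 - Service: ZJKXKHSPBKP - Unknown owner - D:\\TEMP\\ZJKXKHSPBKP.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Assumption for the example: the corporate proxies live in 10.0.0.0/8.
# A ProxyServer value outside these ranges gets the same question the reply asks.
EXPECTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
DPF_RE = re.compile(r"^O16 - DPF: \{[0-9A-Fa-f-]+\} \((?P<title>.+)\) - (?P<url>\S+)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<host>[^:\s]+)(?::(?P<port>\d+))?\s*$")


def is_ip(host):
    """True when host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def proxy_is_expected(host):
    """Only literal addresses inside the assumed corporate ranges pass."""
    if not is_ip(host):
        return False
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in EXPECTED_PROXY_NETS)


def triage(log_text):
    """Return one finding dict (line, rule, detail) per suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("R1 - "):
            m = PROXY_RE.search(line)
            if m and not proxy_is_expected(m["host"]):
                port = m["port"] or "80"
                findings.append({"line": line, "rule": "unexpected-proxy",
                                 "detail": f"user proxy {m['host']}:{port} is outside the expected ranges"})
        elif line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            findings.append({"line": line, "rule": "orphan-bho",
                             "detail": "BHO still registered but its DLL is gone"})
        elif line.startswith("O15 - Trusted Zone:"):
            findings.append({"line": line, "rule": "trusted-zone",
                             "detail": "site runs with IE's relaxed Trusted Zone settings"})
        elif line.startswith("O16 - DPF:"):
            m = DPF_RE.match(line)
            host = urlsplit(m["url"]).hostname if m else None
            if host and is_ip(host):
                findings.append({"line": line, "rule": "activex-from-ip",
                                 "detail": f"ActiveX control fetched from a bare address {host}"})
        elif line.startswith("O23 - Service:") and line.endswith("(file missing)"):
            m = SERVICE_RE.match(line)
            if m:
                # HijackThis prints the short name in parentheses only when it
                # differs from the display name; sc.exe wants the short name.
                name = m["name"] or m["display"]
                findings.append({"line": line, "rule": "missing-service-binary",
                                 "detail": f"remove the stale registration with: sc delete {name}"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['detail']}\n    {f['line']}")
```

The `sc delete` it prints is the same cleanup step the reply gives: it removes only the service registration, so the path the entry pointed at still deserves a look on disk. The other rules are prompts for a question, not verdicts; the thread itself shows that several flagged O16 and O15 entries were legitimate corporate controls.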

Thanks for the prompt response!

Before I go through all the actions (thanks for the very thorough explanation), I just wanted to check a couple of things.

1) - Do you think I should drop Pest Patrol? It still updates but I know it's old.

2) - Going to check with someone on the proxy in Melbourne, but it doesn't sound quite right as I'm based at our corporate headquarters in NC, USA.

3) Ingersoll Rand Co is my employer but (hate to bother you for more info...) what is the consequence of them being "added to my hosts file"? - Does this sound like a legitimate action for my employer?

4) - RE: O16 - DPF: {F694EA1F-2EC1-445D-8988-1862AD0CC4C8} (pvvercheck_ie Control) - https://windchill.ingersollrand.com/Windchi...vercheck_ie.cab

We use Windchill (a PTC product) as a project, web-based, file management system. Knowing this, do you still recommend removing this entry with HJT?

As soon as I know about the Melbourne proxy and you let me know about a couple of these points, I'll run through the clean up.

Thanks for your assistance.


Pest Patrol by itself is fine, although the active guard process is one which may conflict with any removal effort, so it should be disabled during the cleanup.

Adding Ingersoll Rand Co to your hosts file is fine since you know the particular IP is for your employer...it's just not really necessary since your browser will look up the URL when entered and convert it to the proper IP for its target.

Entering the IP into the hosts file is just a safe bet that you will connect...however, if entered wrong, it can redirect your browser to the IP that was entered incorrectly.

The IP of 127.0.0.1 is the universal name for your own computer...everyone's computer is named by default with the same IP so that it can be used for safety reasons to prevent your browser from connecting to web sites that are not considered safe. On the other hand, it can be used by ill intentioned users to redirect your connection attempt.

For example:

if I enter in my host file:

127.0.0.1 www.malwarebytes.com

and you try to go to www.malwarebytes.com, it will check the hosts file, see the entry and convert that to the IP address of 127.0.0.1 instead of its correct address. In that example, the browser would not connect to the web site "MalwareBytes".

Host file redirection is when a hijacker changes your hosts file to redirect your attempts to reach a certain web site to another site. So if someone added an entry like:

127.0.0.1 www.google.com

and you tried to go to www.google.com, you would instead get redirected to 127.0.0.1 which is your own computer.

Lastly, the O16 entry you reference is fine since you know its purpose. The web did not return much "English" information about its cabinet file. Keeping it does no harm...removing it does no harm either as you would just download the ActiveX for that web site the next time you visited. Hope this helps.

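The blocking and redirect cases the reply walks through can be checked against an actual hosts file rather than reasoned about one line at a time. The following is an added example for this page, not code from the thread or from any tool mentioned in it: it parses hosts-file syntax, skips comments, and classifies every entry that is not on an owner-supplied allow-list as "blocked" (the name points at loopback, which is what 127.0.0.1 is) or "redirected" (the name points anywhere else). The sample file and the allow-list are constructed; the Ilink-Vaults line is the one from the posted HijackThis O1 entry, treated as deliberate because the poster says the employer entry is theirs.

```python
"""Hosts-file review.

Added example, not from the thread or from any tool in it. It reports the
two patterns the forum reply describes: a name pinned to the loopback
address (the site becomes unreachable) and a name pinned to some other
address (the site is silently redirected). Names the owner pinned on
purpose go on an allow-list so legitimate corporate entries stay quiet.
"""
import ipaddress

# Constructed sample in Windows hosts-file format. The Ilink-Vaults line is
# the O1 entry from the posted HijackThis log; the rest are made up, except
# that the two blocked names are the ones the reply itself uses as examples.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
168.65.180.20   Ilink-Vaults            # employer's internal system, added on purpose
127.0.0.1       www.malwarebytes.com    # resolves to this machine: site unreachable
127.0.0.1       www.google.com
10.20.30.40     update.microsoft.com    # resolves somewhere DNS never said
"""

# Assumption: names the machine's owner confirms were added deliberately.
KNOWN_GOOD = {"localhost", "ilink-vaults"}


def parse_hosts(text):
    """Return (address, hostname) pairs, ignoring comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line, not an entry
        for name in parts[1:]:                   # one address may carry several names
            entries.append((addr, name))
    return entries


def review_hosts(text, known_good=KNOWN_GOOD):
    """Classify each entry as 'ok', 'blocked' (loopback) or 'redirected'."""
    report = []
    for addr, name in parse_hosts(text):
        if name.lower() in known_good:
            verdict = "ok"
        elif addr.is_loopback:                   # 127.0.0.0/8 or ::1
            verdict = "blocked"
        else:
            verdict = "redirected"
        report.append((str(addr), name, verdict))
    return report


def flagged(text, known_good=KNOWN_GOOD):
    """Only the entries that need a human decision."""
    return [r for r in review_hosts(text, known_good) if r[2] != "ok"]


if __name__ == "__main__":
    for addr, name, verdict in review_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10} {name:28} -> {addr}")
```

On the poster's Windows XP machine the file to feed in is C:\WINDOWS\system32\drivers\etc\hosts. A "redirected" verdict is not proof of tampering (the reply's point about a deliberately pinned corporate name applies), which is why the allow-list exists; what the check removes is the need to eyeball every line to spot the loopback and off-site entries.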

Great, I think I'm ready to roll.

As an update:

O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.0)) - http://216.115.165.51/ltocx12n.cab

refers to an external Purchase Order approval system we use, and:

O16 - DPF: {CAFECAFE-0013-0001-0028-ABCDEFABCDEF} (JInitiator 1.3.1.28) -

Is probably Java related, which we use extensively with Oracle systems.

Melbourne seems like a definite no-no for a proxy. When I use a "whatsmyip" type website, I get the following response:

Hostname: (Withheld by me!)

ISP: Verizon Business

Organization: AFFILIATED COMPUTER SERVICES

Proxy: None detected

Type: Corporate

Country: United States

State/Region: TX

City: Dallas

Latitude: 32.8019

Longitude: -96.7884

Area Code: 214

I have verified that Dallas is the correct corporate location.

Are these websites actually completely accurate in detecting all proxies? Am I still using a proxy contrary to this report?

Anyway, I'll plow on with the clean up. Will post back soon.

Thanks again,


The Melbourne reference is an error on my part...it came from the HijackThis log entry here:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 79.99.43.128:3128

...the IP address there is indeed for a server located in Great Britain, but the local mail address is referencing Melbourne, Derbyshire, GB. This was my mistake: at first glance I took Melbourne and ran with that. Sorry. If you know this server is ok then it's fine to leave it...but if not, you should add that HijackThis log entry as one to remove with the others.


Update:

Uninstalled Pest Patrol, deactivated TeaTimer (temporary), sc delete worked, got rid of the 79.99 proxy, and cleared my D:\Temp.

Here are new mbam and HJT logs:

Malwarebytes' Anti-Malware 1.33

Database version: 1718

Windows 5.1.2600 Service Pack 2

2/3/2009 12:11:11 PM

mbam-log-2009-02-03 (12-11-11).txt

Scan type: Quick Scan

Objects scanned: 70460

Time elapsed: 7 minute(s), 52 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 16

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\scvhost.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\system32\crss.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Delete on reboot.

C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Delete on reboot.

C:\WINDOWS\system32\nsosscfg.exe (Spyware.MarketScore) -> Delete on reboot.

D:\TEMP\VBE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\Logo1_.exe (Worm.Viking) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\EGDAccess.inf (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\EGDAccess_ASPIV4.inf (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\Netslv32.inf (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\Netslv32.dll (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\system32\mksc.exe (Spyware.MarketScore) -> Delete on reboot.

C:\WINDOWS\system32\ossproxy.exe (Spyware.MarketScore) -> Delete on reboot.

C:\WINDOWS\system32\sss.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\Temp\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

D:\TEMP\WPDNSE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:11:41 PM, on 2/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\lotus\notes\nslsvice.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe

C:\Program Files\Cisco Systems\CSAgent\bin\leventmgr.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\System32\basfipm.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\System32\idr3hlpr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\IRCOIN~1\NetCfgSv.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Logi_MwX.Exe

C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe

C:\Program Files\Microsoft Office Communicator\communicator.exe

C:\Program Files\Java\jre6\bin\jusched.exe

D:\Soft Prog Files\Multimedia\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Qlock\qlock.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\NOTEPAD.EXE

D:\Soft Prog Files\Anti-viral\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edrawings1/eDrawings/irMatrix/LogIn.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local

O1 - Hosts: 168.65.180.20 Ilink-Vaults

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SOFTPR~1\ANTI-V~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Soft Prog Files\Multimedia\iTunesHelper.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "D:\Soft Prog Files\Anti-viral\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [spybotSD TeaTimer] D:\Soft Prog Files\Anti-viral\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - .DEFAULT User Startup: Installation Notes.txt (User 'Default user')

O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe

O4 - Global Startup: BlueSoleil.lnk = ?

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SOFTPR~1\ANTI-V~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SOFTPR~1\ANTI-V~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.0)) - http://216.115.165.51/ltocx12n.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229624767413

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://maysql.ingerrand.com/airsolutions/XUpload.ocx

O16 - DPF: {F694EA1F-2EC1-445D-8988-1862AD0CC4C8} (pvvercheck_ie Control) - https://windchill.ingersollrand.com/Windchi...vercheck_ie.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.irco.com

O17 - HKLM\Software\..\Telephony: DomainName = corp.irco.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.irco.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ingerrand.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.irco.com

O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = ingerrand.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ingerrand.com

O20 - AppInit_DLLs: csauser.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe

O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe

O23 - Service: Cisco Security Agent (CSAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NFS Client (InterDrive NT) Helper (InterDrive) - FTP Software, Inc. - C:\WINDOWS\System32\idr3hlpr.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe

O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\IRCOIN~1\NetCfgSv.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 10570 bytes

Still getting the hits on mbam, which are now reduced due to clearing D:\Temp, although I note your ref to the AT&T app. This is a VPN application for corp network.

Thanks,


Before we attempt to use a bigger gun, let's try to reset the router:

1. Unplug or turn off your DSL/cable modem.

2. Locate the router's reset button.

3. Press, and hold, the Reset button down for 30 seconds.

4. Wait for your Power, WLAN and Internet light to turn on. (On the router)

5. Plug in or turn on your modem.(if it is separate from the router)

6. Open your web browser to see if you have an internet connection. If you still don't have an internet connection you may need to restart your computer.

Having reset the router, a default password will never do...please create a strong password now in order to strengthen security of your wireless connection. Once this is completed, please run another quick scan using mbam and post back THAT log. Thanks!


OK,

Reset the wireless passwords etc.

Here is the latest log:

Malwarebytes' Anti-Malware 1.33

Database version: 1724

Windows 5.1.2600 Service Pack 2

2/3/2009 10:14:31 PM

mbam-log-2009-02-03 (22-14-31).txt

Scan type: Quick Scan

Objects scanned: 70989

Time elapsed: 9 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 17

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\scvhost.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\system32\crss.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Delete on reboot.

C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Delete on reboot.

C:\WINDOWS\system32\nsosscfg.exe (Spyware.MarketScore) -> Delete on reboot.

D:\TEMP\msohtmlclip1\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\Logo1_.exe (Worm.Viking) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\EGDAccess.inf (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\EGDAccess_ASPIV4.inf (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\Netslv32.inf (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\Netslv32.dll (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\system32\mksc.exe (Spyware.MarketScore) -> Delete on reboot.

C:\WINDOWS\system32\ossproxy.exe (Spyware.MarketScore) -> Delete on reboot.

C:\WINDOWS\system32\sss.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\Temp\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

D:\TEMP\WPDNSE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

D:\TEMP\VBE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

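The two Malwarebytes logs posted in this thread (the 12:11 PM scan and the 10:14 PM scan) both list the same files as "Delete on reboot", which is the detail worth pulling out of them: a detection that survives a cleanup and a reboot did not get deleted. The following is an added example for this page, not Malwarebytes code and not from the poster; it parses the "Files Infected:" section of a 1.x-format log and diffs two scans so that persistent, new and resolved detections are listed instead of compared by eye. The two sample logs are constructed subsets of the logs posted above.

```python
"""Compare two Malwarebytes 1.x scan logs.

Added example, not Malwarebytes code and not from the thread. It parses
the 'Files Infected:' section of each log and reports which detections
survived a cleanup and reboot, which are new, and which are gone, so the
question "did 'Delete on reboot' actually take?" is answered from the logs.
"""
import re
from collections import Counter

# One detection line: "<path> (<detection name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed subsets of the two logs posted in the thread.
SCAN_BEFORE = r"""
Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\scvhost.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\crss.exe (Backdoor.Bot) -> Delete on reboot.
D:\TEMP\VBE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\sss.exe (Trojan.Agent) -> Delete on reboot.
"""

SCAN_AFTER = r"""
Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\scvhost.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\crss.exe (Backdoor.Bot) -> Delete on reboot.
D:\TEMP\msohtmlclip1\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.
D:\TEMP\VBE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\sss.exe (Trojan.Agent) -> Delete on reboot.
"""


def parse_files_section(log_text):
    """Map lowercased path -> (path as logged, detection name, action)."""
    entries = {}
    in_files = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):            # a section header
            in_files = (line == "Files Infected:")
            continue
        if not in_files or not line or line.startswith("("):
            continue                               # other sections, blanks, "(No malicious items detected)"
        m = DETECTION_RE.match(line)
        if m:
            # Windows paths are case-insensitive, so compare them lowercased.
            entries[m["path"].lower()] = (m["path"], m["name"], m["action"])
    return entries


def compare_scans(before_log, after_log):
    """Split the after-scan into persistent, new and gone detections."""
    before = parse_files_section(before_log)
    after = parse_files_section(after_log)
    return {
        "persistent": [after[k][0] for k in sorted(before.keys() & after.keys())],
        "new": [after[k][0] for k in sorted(after.keys() - before.keys())],
        "gone": [before[k][0] for k in sorted(before.keys() - after.keys())],
    }


def count_by_detection(log_text):
    """How many files each detection name accounts for in one log."""
    return Counter(name for _, name, _ in parse_files_section(log_text).values())


if __name__ == "__main__":
    result = compare_scans(SCAN_BEFORE, SCAN_AFTER)
    for bucket, paths in result.items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print(count_by_detection(SCAN_AFTER))
```

A non-empty "persistent" list after a reboot means the delete did not happen. From the log alone it is not possible to say why: the reply earlier in the thread names resident protection (TeaTimer, Pest Patrol's active guard) wrestling with the removal, the files could be recreated at boot, or the paths could be detected without being present (the original poster could not find them in Explorer or in safe mode). Checking each persistent path on disk right after the reboot is the next step, and this diff tells you which paths to check.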

OK, let's try to get rid of the trojans, then we can take a deeper look at things:

Download SDFix and save it to your Desktop.

Double click SDFix.exe and the files will be extracted to %systemdrive%

(Drive that contains the Windows Directory, typically C:\SDFix)

Reboot the computer into Safe mode.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • Any Trojan Services and Registry Entries that it finds will be removed then you will be prompted to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open and a copy of the report will be saved in the SDFix folder as Report.txt
    (Report.txt will also be copied automatically to your Clipboard and ready for posting back in the forum).
  • Finally paste the contents of the Report.txt back here along with a fresh HijackThis log.

Carried out tasks:

SDFix log:

SDFix: Version 1.240

Run by ****** on Tue 02/03/2009 at 11:19 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Default Security Values

Restoring Default Hosts File

Rebooting

Checking Files :

No Trojan Files Found

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-03 23:36:13

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b0d073fcf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\000b0d073fcf]

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Disabled:Microsoft DirectPlay Voice Test"

"C:\\WINDOWS\\system32\\dxdiag.exe"="C:\\WINDOWS\\system32\\dxdiag.exe:*:Disabled:Microsoft DirectX Diagnostic Tool"

"C:\\ptc\\ilink3.3\\dsrc\\i486_nt\\obj\\ptcsetup.exe"="C:\\ptc\\ilink3.3\\dsrc\\i486_nt\\obj\\ptcsetup.exe:*:Enabled:ptcsetup"

"C:\\ptc\\ilink3.3\\i486_nt\\nms\\nmsd.exe"="C:\\ptc\\ilink3.3\\i486_nt\\nms\\nmsd.exe:*:Enabled:nmsd"

"C:\\ptc\\ilink3.3\\i486_nt\\jre\\bin\\javaw.exe"="C:\\ptc\\ilink3.3\\i486_nt\\jre\\bin\\javaw.exe:*:Enabled:javaw"

"C:\\ptc\\proeWF2\\i486_nt\\obj\\pro_comm_msg.exe"="C:\\ptc\\proeWF2\\i486_nt\\obj\\pro_comm_msg.exe:*:Enabled:pro_comm_msg"

"C:\\ptc\\proeWF2\\i486_nt\\obj\\xtop.exe"="C:\\ptc\\proeWF2\\i486_nt\\obj\\xtop.exe:*:Enabled:xtop"

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\SightSpeed\\SightSpeed.exe"="C:\\Program Files\\SightSpeed\\SightSpeed.exe:*:Enabled:SightSpeed"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"\\\\dav-us3kcluster.ingerrand.com\\scripts\\dis6inst.exe"="\\\\dav-us3kcluster.ingerrand.com\\scripts\\dis6inst.exe:*:Enabled:dis6inst.exe"

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"

"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"

"D:\\Soft Prog Files\\Multimedia\\iTunes.exe"="D:\\Soft Prog Files\\Multimedia\\iTunes.exe:*:Enabled:iTunes"

Remaining Files :

Files with Hidden Attributes :

Thu 30 Nov 2006 16 ..SHR --- "C:\MSCIOTL.SYS"

Thu 30 Nov 2006 16 ..SHR --- "C:\WINDOWS\MSCIOTL.SYS"

Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"

Wed 1 Oct 2008 6,108,728 A..H. --- "C:\Program Files\Picasa2\setup.exe"

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\advcheck.dll"

Mon 15 Sep 2008 1,562,960 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll"

Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\Tools.dll"

Tue 26 Jun 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Thu 24 Jul 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"

Sat 16 Jun 2007 398,336 ...H. --- "C:\Documents and Settings\feegc\Application Data\Microsoft\Templates\~WRL0002.tmp"

Tue 16 Oct 2007 607,744 ...H. --- "C:\Documents and Settings\feegc\Application Data\Microsoft\Templates\~WRL0003.tmp"

Tue 23 Oct 2007 3,350,528 A..H. --- "C:\Documents and Settings\feegc\Application Data\U3\temp\Launchpad Removal.exe"

Finished!

HJT:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:51:05 PM, on 2/3/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\Program Files\lotus\notes\nslsvice.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe

C:\Program Files\Cisco Systems\CSAgent\bin\leventmgr.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\basfipm.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe

C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

C:\WINDOWS\System32\idr3hlpr.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\PROGRA~1\IRCOIN~1\NetCfgSv.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\wltrysvc.exe

C:\WINDOWS\System32\bcmwltry.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\Logi_MwX.Exe

C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe

C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe

C:\Program Files\Microsoft Office Communicator\communicator.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe

C:\Program Files\Logitech\SetPoint\SetPoint.exe

C:\Program Files\Qlock\qlock.exe

C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

D:\Soft Prog Files\Anti-viral\Malwarebytes' Anti-Malware\mbam.exe

D:\Soft Prog Files\Anti-viral\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://edrawings1/eDrawings/irMatrix/LogIn.asp

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local;*.local

O2 - BHO: (no name) - AutorunsDisabled - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\SOFTPR~1\ANTI-V~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe

O4 - HKLM\..\Run: [hpbdfawep] C:\Program Files\HP\Dfawep\bin\hpbdfawep.exe 1

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide

O4 - HKLM\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\communicator.exe" /fromrunkey

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Soft Prog Files\Multimedia\iTunesHelper.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')

O4 - .DEFAULT User Startup: Installation Notes.txt (User 'Default user')

O4 - Startup: qlock.lnk = C:\Program Files\Qlock\qlock.exe

O4 - Global Startup: BlueSoleil.lnk = ?

O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SOFTPR~1\ANTI-V~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\SOFTPR~1\ANTI-V~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {00120000-B1BA-11CE-ABC6-F5B2E79D9E3F} (LEAD Main Control (12.0)) - http://216.115.165.51/ltocx12n.cab

O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab

O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/as...abs/tgctlsr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1229624767413

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://maysql.ingerrand.com/airsolutions/XUpload.ocx

O16 - DPF: {F694EA1F-2EC1-445D-8988-1862AD0CC4C8} (pvvercheck_ie Control) - https://windchill.ingersollrand.com/Windchi...vercheck_ie.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.irco.com

O17 - HKLM\Software\..\Telephony: DomainName = corp.irco.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.irco.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ingerrand.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ingerrand.com

O20 - AppInit_DLLs: csauser.dll

O23 - Service: Broadcom ASF IP monitoring service v6.0.4 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\System32\basfipm.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: CentennialClientAgent - Centennial Software Limited - C:\Centenn.ial\Audit\CAgent32.exe

O23 - Service: CentennialIPTransferAgent - Centennial Software Limited - C:\Centenn.ial\Audit\xferwan.exe

O23 - Service: Cisco Security Agent (CSAgent) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\CSAgent\bin\CSAControl.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: NFS Client (InterDrive NT) Helper (InterDrive) - FTP Software, Inc. - C:\WINDOWS\System32\idr3hlpr.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe

O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\Program Files\lotus\notes\nslsvice.exe

O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\IRCOIN~1\NetCfgSv.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: OracleClientCache80 - Unknown owner - C:\orant\BIN\ONRSD80.EXE

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--

End of file - 9876 bytes

mbam:

Malwarebytes' Anti-Malware 1.33

Database version: 1724

Windows 5.1.2600 Service Pack 2

2/3/2009 11:52:26 PM

mbam-log-2009-02-03 (23-52-26).txt

Scan type: Quick Scan

Objects scanned: 71093

Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 17

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\scvhost.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\system32\crss.exe (Backdoor.Bot) -> Delete on reboot.

C:\WINDOWS\rundll16.exe (Fake.Dropped.Malware) -> Delete on reboot.

C:\WINDOWS\FVProtect.exe (Fake.Dropped.Malware) -> Delete on reboot.

C:\WINDOWS\system32\nsosscfg.exe (Spyware.MarketScore) -> Delete on reboot.

D:\TEMP\msohtmlclip1\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

C:\WINDOWS\Logo1_.exe (Worm.Viking) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\EGDAccess.inf (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\EGDAccess_ASPIV4.inf (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\Netslv32.inf (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\Downloaded Program Files\Netslv32.dll (Adware.EGDAccess) -> Delete on reboot.

C:\WINDOWS\system32\mksc.exe (Spyware.MarketScore) -> Delete on reboot.

C:\WINDOWS\system32\ossproxy.exe (Spyware.MarketScore) -> Delete on reboot.

C:\WINDOWS\system32\sss.exe (Trojan.Agent) -> Delete on reboot.

C:\WINDOWS\Temp\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

D:\TEMP\WPDNSE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

D:\TEMP\VBE\installer_sbd_en.exe (Trojan.FakeAlert) -> Delete on reboot.

Still finds them!!!! Aaaaargh!

Retiring for the evening tired and a little discouraged : (

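The MBAM log above lists every hit as `path (Detection) -> Action.` with a count in the summary block, and the poster's complaint is that the same "Delete on reboot" entries come back scan after scan. A small parser that pulls those entries out, checks the summary count against the number of listed files and groups the pending-reboot items is a quick way to compare consecutive logs without eyeballing them. This is an added example written for this page, not code from the thread or from Malwarebytes; the sample log is constructed from the 1.33 log format shown above (the "Quarantined and deleted successfully" and "No action taken" actions are assumed values included to show that the action field varies).

```python
"""Parse the 'Files Infected' section of a Malwarebytes' Anti-Malware 1.x log.

Added example for this thread; assumes the 1.33 log layout shown above.
"""
import re
from collections import Counter

# Constructed sample modelled on the MBAM 1.33 log posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.33
Database version: 1724
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 71093
Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\scvhost.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\crss.exe (Backdoor.Bot) -> Delete on reboot.
D:\TEMP\VBE\installer_sbd_en.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sss.exe (Trojan.Agent) -> No action taken.
"""

# "Files Infected: 17" style summary lines (category followed by a count).
SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
# "C:\path\file.exe (Detection.Name) -> Action." detail lines.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_summary(log_text):
    """Return {category: count} for every '<category> Infected: N' line."""
    counts = {}
    for line in log_text.splitlines():
        m = SUMMARY_RE.match(line.strip())
        if m:
            counts[m.group("category")] = int(m.group("count"))
    return counts


def parse_section(log_text, header):
    """Return the detail entries listed under a section header such as 'Files Infected:'."""
    entries = []
    in_section = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == header:
            in_section = True
            continue
        if not in_section or not line:
            continue  # blank lines inside a section are tolerated
        # Another header, a summary line or '(No malicious items detected)' ends the section.
        if line.endswith(":") or SUMMARY_RE.match(line) or line.startswith("("):
            break
        m = ENTRY_RE.match(line)
        if not m:
            break
        entries.append(m.groupdict())
    return entries


def parse_mbam_log(log_text):
    """Summarise one MBAM log: entries, count consistency, families, items still pending."""
    summary = parse_summary(log_text)
    files = parse_section(log_text, "Files Infected:")
    return {
        "summary": summary,
        "files": files,
        # The summary count should equal the number of listed files; a mismatch
        # usually means the log was truncated when it was pasted.
        "count_matches": summary.get("Files Infected") == len(files),
        "by_detection": Counter(e["detection"] for e in files),
        # 'Delete on reboot' items that appear again in the next log were never removed.
        "pending_reboot": [e["path"] for e in files if e["action"] == "Delete on reboot"],
    }


if __name__ == "__main__":
    report = parse_mbam_log(SAMPLE_LOG)
    print("summary count consistent:", report["count_matches"])
    print("detections:", dict(report["by_detection"]))
    print("still pending deletion on reboot:")
    for path in report["pending_reboot"]:
        print("  ", path)
```

Running `parse_mbam_log` on two successive logs and intersecting their `pending_reboot` lists gives the set of paths that survived a reboot, which is exactly the evidence a helper needs when deciding whether a resident protection tool is blocking the deletion.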

When HJT runs a scan, I get a popup warning that it is denied permission to write to the host file(s). Is this significant?

Yes, and it relates to one of your security applications not having been disabled. While you run these suggested fix instructions, your system setup will wrestle with any removal attempt unless you can disable these...

Let's use the big gun now:

Please download combofix from This Webpage...and read through the instructions there for running the tool.

***Important Note***

Please read through the guidance on that web page carefully and thoroughly...and install the Recovery Console. Using this tool without the Recovery Console installed is NOT RECOMMENDED.

If you have Windows Vista, you can skip the recovery console step...in Vista it's in the System Recovery Options menu. The System Recovery Options menu is on the Windows Vista installation disc. If Windows doesn't start correctly, you can use these tools to repair startup problems.

The Windows Recovery Console will allow you to boot into a special recovery (repair) mode that is not otherwise available. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It's a simple procedure that will only take a few moments.

Once installed, a blue screen prompt should appear that reads as follows:

The Recovery Console was successfully installed.

When you see that screen, please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please post back the following on your next reply:

C:\ComboFix.txt

New HijackThis log.


Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
