Jump to content

Recommended Posts

MBAM keeps showing Userinit.exe as a trojan each time it runs.

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 3

7/17/2009 7:12:49 AM

mbam-log-2009-07-17 (07-12-49).txt

Scan type: Quick Scan

Objects scanned: 142377

Time elapsed: 13 minute(s), 16 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:16:16 AM, on 7/17/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE

C:\Program Files\ARX\ARX CryptoKit\utils\arcltsrv.exe

C:\Program Files\B's Recorder GOLD8\bgsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\GetVxWorksHost_Service\srvany.exe

C:\GetVxWorksHost_Service\GetVxWorksHost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\WINDOWS\system32\QosServM.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lkcitdl.exe

C:\WINDOWS\system32\lkads.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\lktsrv.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe

C:\Program Files\National Instruments\MAX\nimxs.exe

C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\nisvcloc.exe

C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe

C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Panasonic\WSwitch\WSwitch.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\FIDTPU\WIN2K\FTMSFLTU.EXE

C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe

C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

C:\WINDOWS\system32\RButton.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\Network Associates\Common Framework\McTray.exe

C:\Program Files\RightFax\Client\English\FaxCtrl.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Documents and Settings\DS\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe

E:\PortableApps\PortableApps.com\PortableAppsPlatform.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\nipalsm.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\iAvenue\Avenue.exe

C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe

C:\iAvenue\SSAppRegistry.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Siber Systems\GoodSync\GoodSync.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Documents and Settings\DS\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\Program Files\Microsoft Office\Office12\WINWORD.EXE

C:\Program Files\Microsoft Office\Office12\EXCEL.EXE

C:\iAvenue\FSRPrint.exe

C:\WINDOWS\system32\mstsc.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\TC UP\totalcmd.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\TC UP\PLUGINS\Media\Notepad++\notepad++.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.med.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll

O2 - BHO: AvayaIEHlprObj Class - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [WSwitch] C:\Program Files\Panasonic\WSwitch\WSwitch.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Panasonic Hotkey Manager] C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE

O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\pcinfo\PcInfoUt.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [FTMSFLT(USB)] C:\Program Files\FIDTPU\WIN2K\FTMSFLTU.EXE

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [PWRESET] C:\Program Files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe

O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKLM\..\RunOnce: [innoSetupRegFile.0000000001] "C:\WINDOWS\is-LHJKD.exe" /REG

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\DS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\WINDOWS\TEMP\E_S11D.tmp" /EF "HKCU"

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O4 - Startup: StartPortableApps.lnk = E:\StartPortableApps.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?bb4038b5d84247f081b4c4f7687f15fa

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?bb4038b5d84247f081b4c4f7687f15fa

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243963751735

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243963674594

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.med.com

O17 - HKLM\Software\..\Telephony: DomainName = na.med.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.med.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.med.com

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ARcltsrv - Algorithmic Research Ltd. - C:\Program Files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE

O23 - Service: B's Recorder GOLD Service (bgsvc) - B.H.A Corporation - C:\Program Files\B's Recorder GOLD8\bgsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - E:\xampp\filezillaftp\filezillaserver.exe

O23 - Service: GetVxWorksHost - Unknown owner - C:\GetVxWorksHost_Service\srvany.exe

O23 - Service: Google Update Service (gupdate1c9be9eb2736671) (gupdate1c9be9eb2736671) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINDOWS\system32\QosServM.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe

O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe

O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

O23 - Service: Panasonic PC Information Viewer Service 2 (PcInfoPi) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe

O23 - Service: Panasonic PC Information Viewer (PcInfoSV) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--

End of file - 20924 bytes

Link to post
Share on other sites

Hi. :(

Download ComboFix from one of the locations below, and save it to your Desktop.

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

Link to post
Share on other sites

Thanks for taking up the cause, Tigger93. Here are my logs:

ComboFix 09-07-14.08 - DS 07/18/2009 0:27.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1016 [GMT -7:00]

Running from: c:\documents and settings\DS\Desktop\ComboFix.exe

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\program files\sys

c:\windows\Installer\1226390.msi

c:\windows\Installer\1226391.msp

c:\windows\Installer\12c05d9.msi

c:\windows\Installer\12c05dd.msi

c:\windows\Installer\bcabc.msi

c:\windows\system32\config\systemprofile\XP Deluxe Protector

----- BITS: Possible infected sites -----

hxxp://gnbd1.cn

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

c:\windows\system32\proquota.exe was missing

Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SYS

-------\Legacy_SYSDRV

((((((((((((((((((((((((( Files Created from 2009-06-18 to 2009-07-18 )))))))))))))))))))))))))))))))

.

2009-07-18 07:31 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe

2009-07-18 07:31 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe

2009-07-02 05:44 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll

2009-06-30 19:37 . 2006-01-18 18:17 11904 ----a-w- c:\windows\system32\drivers\BrUsbSer.sys

2009-06-30 19:37 . 2004-09-21 04:11 37888 ----a-w- c:\windows\system32\BrUSi04b.dll

2009-06-30 19:37 . 2006-01-18 13:44 53248 ----a-w- c:\windows\system32\drivers\BrSerIf.sys

2009-06-30 19:37 . 2004-10-15 03:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys

2009-06-26 20:41 . 2009-06-26 20:41 -------- d-----w- c:\program files\Trend Micro

2009-06-26 04:49 . 2009-07-17 08:00 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2009-06-23 23:17 . 2009-06-23 23:17 -------- d-----w- c:\program files\TomTom International B.V

2009-06-23 18:50 . 2009-06-23 18:50 -------- d-----w- c:\program files\Fast Duplicate File Finder

2009-06-22 22:23 . 2009-06-22 22:23 239088 ----a-w- c:\documents and settings\DS\Application Data\Mozilla\plugins\npgoogletalk.dll

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-07-18 07:21 . 2008-03-21 17:36 -------- d-----w- c:\program files\Google

2009-07-18 00:20 . 2009-06-02 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-07-16 18:18 . 2009-03-13 17:11 -------- d-----w- c:\documents and settings\DS\Application Data\GoodSync

2009-07-13 20:36 . 2009-06-02 17:13 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-07-13 20:36 . 2009-06-02 17:13 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-07-13 19:23 . 2009-07-13 19:23 -------- d-----w- c:\program files\iTunes

2009-07-13 19:23 . 2009-07-13 19:23 -------- d-----w- c:\program files\iPod

2009-07-13 19:23 . 2008-12-14 18:45 -------- d-----w- c:\program files\Common Files\Apple

2009-07-13 19:20 . 2009-07-13 19:19 -------- d-----w- c:\program files\QuickTime

2009-07-13 19:06 . 2009-07-13 19:06 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe

2009-07-11 14:35 . 2008-07-23 01:01 -------- d-----w- c:\program files\Siber Systems

2009-07-06 12:03 . 2008-03-21 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-07-03 03:34 . 2008-07-23 10:16 -------- d-----w- c:\program files\TC UP

2009-06-30 19:41 . 2008-07-28 04:52 65 ----a-w- c:\windows\system32\BD7820N.dat

2009-06-26 00:44 . 2008-03-21 18:13 -------- d-----w- c:\program files\EER

2009-06-24 03:30 . 2008-12-06 00:40 256 ----a-w- c:\windows\system32\pool.bin

2009-06-23 23:16 . 2008-08-09 15:19 -------- d-----w- c:\program files\TomTom HOME 2

2009-06-10 07:39 . 2008-06-19 19:04 -------- d-----w- c:\program files\Java

2009-06-10 07:36 . 2009-06-10 07:36 152576 ----a-w- c:\documents and settings\DS\Application Data\Sun\Java\jre1.6.0_14\lzma.dll

2009-06-10 01:58 . 2007-03-28 02:18 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-06-10 01:57 . 2008-08-22 22:24 -------- d-----w- c:\program files\Sling Media

2009-06-08 15:37 . 2009-06-08 15:37 -------- d-----w- c:\program files\Verizon Wireless

2009-06-07 00:25 . 2008-08-06 00:10 -------- d-----w- c:\program files\Common Files\Research in Motion

2009-06-06 14:14 . 2009-06-06 14:14 -------- d-----w- c:\documents and settings\DS\Application Data\Malwarebytes

2009-06-05 19:06 . 2009-06-05 19:06 0 ----a-w- c:\documents and settings\DS\Application Data\~ygw.tmp

2009-06-04 15:29 . 2009-06-04 15:29 -------- d-----w- c:\program files\Microsoft Visual Studio .NET 2003

2009-06-04 15:29 . 2009-06-04 15:29 -------- d-----w- c:\program files\Common Files\Crystal Decisions

2009-06-04 14:36 . 2008-10-21 21:05 87616 ----a-w- c:\documents and settings\DS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-06-04 13:44 . 2009-06-02 18:10 -------- d-----w- c:\program files\Microsoft Works

2009-06-04 13:41 . 2009-06-02 18:14 -------- d-----w- c:\program files\MSBuild

2009-06-04 13:41 . 2009-06-04 13:41 -------- d-----w- c:\program files\Microsoft.NET

2009-06-04 13:38 . 2009-06-04 13:38 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-06-04 12:16 . 2008-07-26 03:26 -------- d-----w- c:\program files\Live Search Maps for Outlook

2009-06-02 18:36 . 2009-06-02 18:36 -------- d-----w- c:\program files\Reference Assemblies

2009-06-02 18:22 . 2008-04-10 20:01 -------- d-----w- c:\program files\MSECache

2009-06-02 17:13 . 2009-06-02 17:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-06-02 17:13 . 2009-06-02 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-05-27 23:35 . 2009-05-27 23:35 -------- d-----w- c:\documents and settings\DS\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1

2009-05-27 23:35 . 2009-05-27 23:35 -------- d-----w- c:\program files\TweetDeck

2009-05-27 23:35 . 2009-05-27 23:35 -------- d-----w- c:\program files\Common Files\Adobe AIR

2009-05-27 23:34 . 2009-05-27 23:35 38208 ----a-w- c:\documents and settings\DS\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-05-21 18:33 . 2009-04-26 18:01 410984 ----a-w- c:\windows\system32\deploytk.dll

2009-04-29 04:46 . 2007-03-27 17:15 666624 ----a-w- c:\windows\system32\wininet.dll

2009-04-29 04:46 . 2007-03-27 17:13 81920 ----a-w- c:\windows\system32\ieencode.dll

2009-04-26 17:49 . 2009-04-26 17:49 152576 ----a-w- c:\documents and settings\DS\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

2004-03-15 21:51 . 2004-03-15 21:51 114688 ------w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll

2006-01-23 14:32 . 2006-01-23 14:32 131072 ------w- c:\program files\internet explorer\plugins\LV80ActiveXControl.dll

2007-02-08 14:48 . 2007-02-08 14:48 133920 ------w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll

2007-07-24 23:03 . 2007-07-24 23:03 118784 ------w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll

2009-06-26 05:17 . 2008-07-23 00:51 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-24 251240]

"Google Update"="c:\documents and settings\DS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]

"WSwitch"="c:\program files\Panasonic\WSwitch\WSwitch.exe" [2007-03-20 726672]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-15 98394]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-15 688218]

"Panasonic Hotkey Manager"="c:\program files\Panasonic\Hotkey Appendix\HKEYAPP.EXE" [2006-12-16 976528]

"PCinfo"="c:\program files\Panasonic\pcinfo\PcInfoUt.exe" [2006-11-30 87696]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2006-01-16 675840]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-15 868352]

"FTMSFLT(USB)"="c:\program files\FIDTPU\WIN2K\FTMSFLTU.EXE" [2005-06-23 82063]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\iFrmewrk.exe" [2007-02-21 970752]

"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-02-20 136512]

"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]

"PWRESET"="c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe" [2001-10-24 45056]

"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\Client\English\FaxCtrl.exe" [2004-01-18 110592]

"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2008-05-24 1011712]

"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]

"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-06-05 615696]

"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]

"PRunOnce"="c:\util\prunonce\PRunOnce.exe" [2004-08-06 110592]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]

"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-07-13 414992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\DS\Start Menu\Programs\Startup\

StartPortableApps.lnk - E:\StartPortableApps.exe [2009-3-10 89280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2008-4-3 81920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=

"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [3/28/2007 11:54 AM 10112]

R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [7/10/2007 4:08 PM 15448]

R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [3/25/2009 4:00 PM 15172]

R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [1/13/2006 6:00 AM 15872]

R2 bgsvc;B's Recorder GOLD Service;c:\program files\B's Recorder GOLD8\bgsvc.exe [3/28/2007 11:53 AM 81920]

R2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [8/8/2008 7:23 AM 65536]

R2 BsUDF;BsUDF;c:\windows\system32\drivers\BsUDF.sys [3/28/2007 11:54 AM 164992]

R2 GetVxWorksHost;GetVxWorksHost;c:\getvxworkshost_service\srvany.exe [3/21/2008 11:24 AM 13312]

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/2/2009 10:13 AM 211216]

R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2/16/2007 7:21 AM 12696]

R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [9/18/2007 4:24 AM 11552]

R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [7/19/2007 8:56 AM 11360]

R2 PcInfoPi;Panasonic PC Information Viewer Service 2;c:\program files\Panasonic\pcinfo\PCInfoPi.exe [3/27/2007 8:38 PM 54928]

R2 PcInfoSV;Panasonic PC Information Viewer;c:\program files\Panasonic\pcinfo\PCInfoSV.exe [3/27/2007 8:38 PM 186000]

R2 SDKEY;Panasonic SD Misc. Function Driver;c:\program files\Panasonic\SDKEY\SDKEY.sys [3/27/2007 8:19 PM 8192]

R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [3/21/2008 1:20 AM 327800]

R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [4/27/2009 6:09 PM 93960]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/24/2009 4:57 AM 92008]

R3 FIDTPU;Fujitsu Touch Panel (USB);c:\windows\system32\drivers\FIDTPU.sys [3/27/2007 10:20 AM 27031]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/27/2007 10:19 AM 36352]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/2/2009 10:13 AM 19096]

R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [3/27/2007 10:19 AM 42624]

R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [12/14/2007 9:41 AM 11360]

R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [12/14/2007 12:06 PM 11360]

R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [12/18/2007 3:14 PM 11360]

S2 gupdate1c9be9eb2736671;Google Update Service (gupdate1c9be9eb2736671);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 7:21 AM 133104]

S3 cglptnt;cglptnt;c:\program files\TC UP\CGLPTNT.SYS [6/24/2009 10:50 PM 7888]

S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [12/20/2007 6:37 AM 20056]

S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [10/8/2007 11:10 AM 25888]

S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [10/8/2007 11:10 AM 11552]

S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [10/8/2007 11:10 AM 22360]

S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [12/26/2007 8:53 AM 11352]

S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [2/22/2008 8:25 AM 11336]

S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [12/18/2007 3:20 PM 11336]

S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2/15/2008 12:37 PM 11344]

S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2/22/2008 8:25 AM 11336]

S3 niemrkw;niemrkw;c:\windows\system32\drivers\niemrkw.sys [7/10/2008 8:37 AM 11336]

S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2/22/2008 8:25 AM 11336]

S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [12/26/2007 8:18 AM 11352]

S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [1/11/2008 1:08 PM 11392]

S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [11/27/2007 10:46 AM 14464]

S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [11/27/2007 10:46 AM 151683]

S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [12/18/2007 3:14 PM 11368]

S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [12/27/2007 6:45 AM 11360]

S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [12/12/2007 8:23 PM 11904]

S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [12/12/2007 8:22 PM 11896]

S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [11/26/2007 2:22 PM 20768]

S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [1/7/2008 9:38 PM 11376]

S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [1/7/2008 9:21 PM 11352]

S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [12/20/2007 12:54 PM 11344]

S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [1/7/2008 9:38 PM 11376]

S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2/22/2008 8:25 AM 11336]

S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [1/7/2008 9:35 PM 11312]

S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2/14/2008 5:58 PM 11360]

S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [1/2/2008 10:14 AM 11336]

S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2/19/2008 8:56 PM 11360]

S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [2/22/2008 8:25 AM 11368]

S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [7/19/2007 8:48 AM 11384]

S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [7/19/2007 8:56 AM 11360]

S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2/22/2008 8:25 AM 11336]

S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2/22/2008 8:25 AM 11336]

S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [3/27/2007 10:19 AM 47616]

S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]

S3 usb6xxxkw;usb6xxxkw;c:\windows\system32\drivers\usb6xxxkw.sys [7/10/2008 8:38 AM 11312]

.

Contents of the 'Scheduled Tasks' folder

2009-07-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job

- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2009-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 14:21]

2009-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 14:21]

2009-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-72706444-2128956082-1402864335-27204Core.job

- c:\documents and settings\DS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 21:57]

2009-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-72706444-2128956082-1402864335-27204UA.job

- c:\documents and settings\DS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 21:57]

2009-07-17 c:\windows\Tasks\Malwarebytes' Scheduled Scan for DS.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-06-02 20:36]

2009-07-18 c:\windows\Tasks\Malwarebytes' Scheduled Update for DS.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-06-02 20:36]

2009-04-19 c:\windows\Tasks\Rescue Reminder for 2HAPS7NQ.job

- c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2008-07-21 23:52]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.med.com/

IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?bb4038b5d84247f081b4c4f7687f15fa

IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?bb4038b5d84247f081b4c4f7687f15fa

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

FF - ProfilePath - c:\documents and settings\DS\Application Data\Mozilla\Firefox\Profiles\ch0ed4m9.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.med.com/

FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll

FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll

FF - plugin: c:\documents and settings\DS\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\DS\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

FF - plugin: c:\program files\echospin\npesProxy.dll

FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);

c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);

c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-07-18 01:08

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5700)

c:\windows\IME\SPGRMR.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\windows\system32\scardsvr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE

c:\program files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\getvxworkshost_service\GetVxWorksHost.exe

c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe

c:\windows\system32\qosservm.exe

c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\windows\system32\lkads.exe

c:\windows\system32\lktsrv.exe

c:\program files\Maxtor\Sync\SyncServices.exe

c:\program files\Network Associates\Common Framework\FrameworkService.exe

c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe

c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Network Associates\Common Framework\naPrdMgr.exe

c:\program files\National Instruments\MAX\nimxs.exe

c:\program files\National Instruments\Shared\Security\nidmsrv.exe

c:\windows\system32\nisvcloc.exe

c:\program files\National Instruments\Shared\Tagger\tagsrv.exe

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe

c:\program files\Windows Media Player\wmpnetwk.exe

c:\windows\system32\CCM\CcmExec.exe

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\RButton.exe

c:\program files\Network Associates\Common Framework\Mctray.exe

c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

c:\documents and settings\DS\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe

c:\program files\iPod\bin\iPodService.exe

e:\portableapps\PortableApps.com\PortableAppsPlatform.exe

.

**************************************************************************

.

Completion time: 2009-07-18 1:13 - machine was rebooted

ComboFix-quarantined-files.txt 2009-07-18 08:13

Pre-Run: 15,451,246,592 bytes free

Post-Run: 15,896,334,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

376 --- E O F --- 2009-07-06 12:03

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:38:50 AM, on 7/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE

C:\Program Files\ARX\ARX CryptoKit\utils\arcltsrv.exe

C:\Program Files\B's Recorder GOLD8\bgsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\GetVxWorksHost_Service\srvany.exe

C:\GetVxWorksHost_Service\GetVxWorksHost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

C:\WINDOWS\system32\QosServM.exe

C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\lkads.exe

C:\WINDOWS\system32\lktsrv.exe

C:\Program Files\Maxtor\Sync\SyncServices.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\National Instruments\MAX\nimxs.exe

C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

C:\WINDOWS\system32\nisvcloc.exe

C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe

C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe

C:\WINDOWS\system32\nipalsm.exe

C:\WINDOWS\system32\CCM\CcmExec.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe

C:\Program Files\Panasonic\WSwitch\WSwitch.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\FIDTPU\WIN2K\FTMSFLTU.EXE

C:\WINDOWS\system32\RButton.exe

C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe

C:\Program Files\Network Associates\Common Framework\UdaterUI.exe

C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE

C:\Program Files\RightFax\Client\English\FaxCtrl.exe

C:\Program Files\Brother\ControlCenter2\brctrcen.exe

C:\Program Files\Network Associates\Common Framework\McTray.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

C:\Documents and Settings\DS\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Program Files\iPod\bin\iPodService.exe

E:\PortableApps\PortableApps.com\PortableAppsPlatform.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.med.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll

O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll

O2 - BHO: AvayaIEHlprObj Class - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll

O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [iAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"

O4 - HKLM\..\Run: [WSwitch] C:\Program Files\Panasonic\WSwitch\WSwitch.exe

O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [Panasonic Hotkey Manager] C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE

O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\pcinfo\PcInfoUt.exe

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [b'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [FTMSFLT(USB)] C:\Program Files\FIDTPU\WIN2K\FTMSFLTU.EXE

O4 - HKLM\..\Run: [intelWireless] C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey

O4 - HKLM\..\Run: [shStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE

O4 - HKLM\..\Run: [PWRESET] C:\Program Files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe

O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe

O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [blackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background

O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"

O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\Run: [userFaultCheck] %systemroot%\system32\dumprep 0 -u

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\DS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')

O4 - Startup: StartPortableApps.lnk = E:\StartPortableApps.exe

O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx

O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?bb4038b5d84247f081b4c4f7687f15fa

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?bb4038b5d84247f081b4c4f7687f15fa

O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll

O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)

O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243963751735

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243963674594

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.med.com

O17 - HKLM\Software\..\Telephony: DomainName = na.med.com

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.med.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.med.com

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ARcltsrv - Algorithmic Research Ltd. - C:\Program Files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE

O23 - Service: B's Recorder GOLD Service (bgsvc) - B.H.A Corporation - C:\Program Files\B's Recorder GOLD8\bgsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - E:\xampp\filezillaftp\filezillaserver.exe

O23 - Service: GetVxWorksHost - Unknown owner - C:\GetVxWorksHost_Service\srvany.exe

O23 - Service: Google Update Service (gupdate1c9be9eb2736671) (gupdate1c9be9eb2736671) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINDOWS\system32\QosServM.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe

O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe

O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe

O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe

O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe

O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe

O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe

O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe

O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe

O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe

O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe

O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe

O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe

O23 - Service: Panasonic PC Information Viewer Service 2 (PcInfoPi) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe

O23 - Service: Panasonic PC Information Viewer (PcInfoSV) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe

O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe

O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe

O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe

O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--

End of file - 19702 bytes

Link to post
Share on other sites

This was not a good experience for me.

After doing as you initially suggested and rebooting, my PC started having some troubling issues.

First I noticed my MSSQL server stopped working. Then my Intel Pro Wireless wasn't working and my DNS settings got reset preventing me from browsing the internet. Next I noticed Remote Desktop Connections stopped working.

I tried a few things in an effort to fix my new problems and was still left with the MSSQL & RDC issues.

I ran MBAM again and got the following log:

Malwarebytes' Anti-Malware 1.39

Database version: 2421

Windows 5.1.2600 Service Pack 3

7/19/2009 1:17:24 PM

mbam-log-2009-07-19 (13-17-24).txt

Scan type: Quick Scan

Objects scanned: 130429

Time elapsed: 11 minute(s), 8 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 4

Registry Values Infected: 1

Registry Data Items Infected: 3

Folders Infected: 3

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> Delete on reboot.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.

C:\Documents and Settings\LocalService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.

C:\Documents and Settings\NetworkService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.

Files Infected:

c:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.

c:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.

c:\documents and settings\localservice\application data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.

c:\documents and settings\networkservice\application data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.

I can't be certain that combofix caused all the problems as I did a few things while trying to correct my PC issues, but it is more than a little disconcerting. After allowing MBAM to clean the infected items and rebooting, my RDC began working again.

Now I'm still stuck with a hosed MSSQL Server that will require a re-install.

Link to post
Share on other sites

I don't know if Combofix caused the infections, but it did screw up my MSSQL server, Remote Desktop, and cause my networking problems.

Malwarebytes' Anti-Malware 1.39

Database version: 2468

Windows 5.1.2600 Service Pack 3

7/20/2009 8:12:31 PM

mbam-log-2009-07-20 (20-12-31).txt

Scan type: Quick Scan

Objects scanned: 138217

Time elapsed: 8 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Link to post
Share on other sites

Combofix didn't cause your infections nor your issues. Again, you somehow managed to get reinfected from either not all the malware being removed or you came across it between when you posted last. The fact that things started working again after running Malwarebytes shows the malware was causing the issues - not combofix.

Either way, I see nothing wrong. Are you still having any problems?

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.