
system32/regedit and oashdihasidhasuidhiasdhiashdiuasdhasd



Hello,

I hope I am in the correct place; I followed the "I'm infected" link from another part of this site. I am having a problem with the constant return of these two items:

1) C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd ...a 1k file

2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32

I removed the actual Regedit trojan program (c:\windows\system32\regedit.exe) being called by the run command. The registry entry continues to return but it is referencing a program that does not exist any longer and has not returned (after my one delete). mbam will remove these 2 items and that prevents the repeated attempt to add the registry key (#2 above) and removes oashdihasidhasuidhiasdhiashdiuasdhasd ...until the next reboot.

I have had Winpatrol installed for years and it keeps catching this regedit addition to startup. If I disallow its addition, it comes back every 3 minutes or so. Since Winpatrol keeps catching the registry addition every 3 minutes or so, I thought I could just start killing off services and programs until the attempts to re-add it ended, thus revealing the offending program. I stopped every running service, and then every running program via Task Manager, that could be stopped without crashing or shutting down Windows, yet the registry entry persisted like clockwork. If I let mbam remove these (which it lists as Trace.Pandex), it does stop the attempts right then... until reboot. I also used Winpatrol to disable every startup program and I switched some non-critical services from auto to manual, but this did not prevent the re-infection.

I am running Windows XP Pro with all possible updates from Microsoft (other than IE8) on a Dell d620 laptop. I also have Adaware installed, but I think it either does the same as mbam or does not find them. Micro Trend anti-virus does not find anything. I made sure these two and mbam have up-to-date definition files.

Per the instructions of the page linking me here, I am pasting the HijackThis log and the mbam log. Both of these logs show Trace.Pandex present. If I allow mbam to clean it, I think the initial reboot is clean and mbam finds nothing, but a subsequent reboot will have them back, identical to the previous infection.

Thanks! ---Matt Davis

-------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.40

Database version: 2710

Windows 5.1.2600 Service Pack 3

8/28/2009 9:25:53 PM

mbam-log-2009-08-28 (21-25-48).txt

Scan type: Quick Scan

Objects scanned: 128313

Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> No action taken.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:16:00 PM, on 8/28/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\TechSmith\SnagIt\SnagIt32.exe

C:\Program Files\POP Peeper\poppeeper.exe

C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe

C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe

C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe

C:\Program Files\Microsoft SQL Server\MSSQL.1\OLAP\bin\msmdsrv.exe

C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

C:\SFU\common\rshsvc.exe

C:\tm\tmsimg\bin\startsvc.exe

C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\WINDOWS\system32\svchost.exe

C:\tm\tmsimg\bin\ftsrvr.exe

C:\WINDOWS\system32\PSXRUN.EXE

C:\WINDOWS\system32\psxss.exe

C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe

C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

C:\SFU\usr\sbin\zzInterix

C:\SFU\usr\sbin\init

C:\SFU\usr\sbin\inetd

C:\SFU\Mapper\mapsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\SFU\usr\sbin\cron

C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe

C:\WINDOWS\TEMP\KV2D5.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6060927

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6060927

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll

O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow

O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe

O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - Startup: beep.bat

O4 - Startup: POP Peeper.lnk = C:\Program Files\POP Peeper\POPPeeper.exe

O4 - Global Startup: SnagIt 5.lnk = C:\Program Files\TechSmith\SnagIt\SnagIt32.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://cag1.intd.com/CitrixSessionInit/ICA...ca32/wficat.cab

O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://sslvpn.skinnertrans.net/XTSAC.cab

O16 - DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} (LinksysViewer Control) - http://71.8.85.66:1024/img/LinksysViewer.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mcleodsoftware.webex.com/client/T26...bex/ieatgpc.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com

O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com

O20 - AppInit_DLLs:

O23 - Service: BitDefender Deployment Service (bddepsrv) - Unknown owner - C:\WINDOWS\_BDDEP_\bddepsrv.exe

O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: dlbu_device - - C:\WINDOWS\system32\dlbucoms.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: McLeod Imaging Server (FTSRVR) - Unknown owner - C:\tm\tmsimg\bin\ftsrvrsvc.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LME 9.0 - Unknown owner - c:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe (file missing)

O23 - Service: LME 9.1 - - c:\mcleod_910\Win2000_tools\scheduler_service\LMESchedulerService.exe

O23 - Service: LME Scheduler (demo_820) - Unknown owner - c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe (file missing)

O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (file missing)

O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe

O23 - Service: ObjectStore Cache Manager R6.0 - Unknown owner - C:\ODI\OStore\BIN\OSCMGR6.EXE (file missing)

O23 - Service: ObjectStore Server R6.0 - Unknown owner - C:\ODI\OStore\BIN\OSSERVER.EXE (file missing)

O23 - Service: Imaging Services Starter (Service1) - Unknown owner - C:\tm\tmsimg\bin\startsvc.exe

O23 - Service: PC*MILER TCP/IP Interface (tcpsvc) - Unknown owner - C:\Program Files\ALK Technologies\Tolls190\TCPIP\tcpsvc.exe

O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe

O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--

End of file - 8315 bytes

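The post above describes an autorun entry under HKLM\...\CurrentVersion\Run that is re-created every few minutes, and an attempt to find the writer by stopping services and programs one at a time. The following PowerShell script is an added example written for this thread, not code from the original poster, the forum helper or any of the tools they name. It takes a baseline of the HKLM and HKCU Run keys, polls them, and whenever a value appears that was not in the baseline it logs the value, whether the executable it points to still exists on disk (the post notes the Run value kept returning even after the target file was gone), and a snapshot of the processes running at that moment. Diffing those snapshots across several re-appearances narrows the candidate set the same way the manual elimination did. The function names, the parameter names (IntervalSeconds, LogPath) and the default log location are assumptions of this example.

```powershell
# Added example (not from the thread): watch the Run keys for values that
# reappear after a baseline was taken, log each appearance with a process
# snapshot, and keep watching so every re-add is recorded.
param(
    [int]$IntervalSeconds = 30,                      # assumed poll interval
    [string]$LogPath = "$env:TEMP\runkey-monitor.log" # assumed log location
)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Get-RunEntries {
    # Returns a hashtable mapping "key|valueName" to the command string.
    $entries = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $entries["$key|$($p.Name)"] = [string]$p.Value
        }
    }
    return $entries
}

function Resolve-CommandTarget([string]$command) {
    # Extracts the executable from a Run value such as
    # '"C:\dir\app.exe" -HideWindow'  ->  'C:\dir\app.exe'
    $c = $command.Trim()
    $target = ''
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 0) { $target = $c.Substring(1, $end - 1) }
    } else {
        $target = ($c -split '\s+')[0]
    }
    return [Environment]::ExpandEnvironmentVariables($target)
}

function Write-Log([string]$message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $message
    Write-Host $line
    Add-Content -Path $LogPath -Value $line
}

$baseline = Get-RunEntries
Write-Log ("Baseline taken with {0} Run entries; polling every {1}s" -f $baseline.Count, $IntervalSeconds)

while ($true) {
    Start-Sleep -Seconds $IntervalSeconds
    $current = Get-RunEntries

    # Values that disappeared (e.g. removed by a scanner) are dropped from the
    # baseline so that their next reappearance is reported again.
    foreach ($name in @($baseline.Keys)) {
        if (-not $current.ContainsKey($name)) {
            Write-Log ("REMOVED autorun value {0}" -f $name)
            $baseline.Remove($name)
        }
    }

    foreach ($name in $current.Keys) {
        if ($baseline.ContainsKey($name)) { continue }
        $cmd    = $current[$name]
        $target = Resolve-CommandTarget $cmd
        $exists = ($target -ne '') -and (Test-Path -LiteralPath $target)
        Write-Log ("NEW autorun value {0} = {1} (target exists: {2})" -f $name, $cmd, $exists)

        # The process that wrote the value is among those running right now
        # (or is a service hosted inside one of them, e.g. svchost.exe).
        $procs = (Get-Process | Select-Object -ExpandProperty Name | Sort-Object -Unique) -join ','
        Write-Log ("Processes at detection: {0}" -f $procs)

        $baseline[$name] = $cmd
    }
}
```

Run it from an elevated PowerShell prompt and leave it running across the interval in which the value keeps coming back; the log then shows each appearance with the process list at that time, and a process present in every snapshot but absent from snapshots where the value did not return is the one to look at. Polling cannot name the writer directly; for that, Sysinternals Process Monitor records the RegSetValue operation together with the process that performed it.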

Please note that all instructions given are customised for this computer only,

the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Failure to reply within 5 days will result in the topic being closed.
  5. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly.

Some of the logs I request will be quite large; you may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.

Be assured, any links I give are safe

----------------------------------------------------------------------------------------

Is this a Work computer ?

Download and Run ComboFix (by sUBs)

Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.

This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

For instructions on how to disable your security programs, please see this topic

How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs


Hello Katana,

Thank you for the reply. A few things:

I could not seem to get Trend Micro to totally go away; I saw no evidence of it running. The programs known to me to belong to it were not running and there was no systray icon. Obviously it was running. The oashdi... did come back after ComboFix.exe ran and a reboot.

Thanks; here is the ComboFix log:

ComboFix 09-09-01.04 - mattd 09/01/2009 21:16.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.501 [GMT -5:00]

Running from: c:\documents and settings\mattd\My Documents\Downloads\ComboFix.exe

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {806EEB56-F26D-4ADC-9880-7088DDA66B8D}

FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd

c:\windows\Installer\10b7b.msi

c:\windows\Installer\32a79.msi

c:\windows\Installer\77509.msi

c:\windows\Installer\77ed7f0.msp

c:\windows\Installer\882d04e.msp

c:\windows\Installer\d68665.msp

c:\windows\system32\Drivers\hxcqis.sys

----- BITS: Possible infected sites -----

hxxp://backup

.

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))

.

2009-08-31 20:52 . 2009-08-31 20:52 -------- d-----w- C:\bol

2009-08-30 23:55 . 2009-08-31 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo

2009-08-30 23:55 . 2009-09-01 15:01 179792 ----a-w- c:\windows\system32\guard32.dll

2009-08-30 23:55 . 2009-09-01 15:01 87104 ----a-w- c:\windows\system32\drivers\inspect.sys

2009-08-30 23:55 . 2009-09-01 15:01 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2009-08-30 23:55 . 2009-09-01 15:01 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys

2009-08-30 23:55 . 2009-08-30 23:55 -------- d-----w- c:\program files\COMODO

2009-08-30 03:47 . 2009-08-30 03:47 -------- d-----w- c:\program files\Windows Defender

2009-08-27 12:21 . 2009-09-02 01:48 94016 ----a-w- c:\windows\system32\drivers\agp440.sys

2009-08-27 12:21 . 2009-09-02 01:48 94016 ----a-w- c:\windows\system32\dllcache\agp440.sys

2009-08-27 12:08 . 2009-08-27 12:08 -------- d-----w- c:\documents and settings\mattd\Local Settings\Application Data\Microsoft Help

2009-08-27 11:53 . 2009-08-27 11:54 -------- d-----w- C:\b94fc99b4234241569f8

2009-08-27 11:52 . 2009-08-27 11:55 -------- d-----w- C:\af68abf42d22c0317532447fccccfb74

2009-08-24 01:04 . 2009-08-24 01:22 -------- d-----w- c:\windows\system32\NtmsData

2009-08-23 14:12 . 2009-08-25 17:22 44 ----a-w- c:\windows\system32\statistics.dat

2009-08-23 13:51 . 2009-08-25 17:20 54 ----a-w- c:\windows\system32\rp_stats.dat

2009-08-23 13:51 . 2009-08-25 17:20 39 ----a-w- c:\windows\system32\rp_rules.dat

2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\documents and settings\mattd\Application Data\Malwarebytes

2009-08-22 17:44 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-22 17:44 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-22 13:23 . 2009-08-31 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-18 17:44 . 2009-08-18 17:44 -------- d-----w- c:\program files\Active Data Recovery Software

2009-08-17 19:06 . 2009-08-17 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith

2009-08-17 19:06 . 2009-08-17 19:06 -------- d-----w- c:\documents and settings\mattd\Local Settings\Application Data\TechSmith

2009-08-13 14:45 . 2009-08-13 14:45 -------- d-----w- c:\documents and settings\mattd\$USERHOME

2009-08-13 02:29 . 2009-06-12 12:31 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe

2009-08-13 02:29 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe

2009-08-13 02:28 . 2009-06-10 06:14 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll

2009-08-13 02:28 . 2009-06-10 14:13 84992 ------w- c:\windows\system32\dllcache\avifil32.dll

2009-08-13 02:27 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

2009-08-13 02:27 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-13 02:25 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-13 02:24 . 2009-06-25 08:25 54272 ------w- c:\windows\system32\dllcache\wdigest.dll

2009-08-13 02:24 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll

2009-08-13 02:24 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys

2009-08-13 02:24 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll

2009-08-10 18:35 . 2009-08-10 18:35 721912 ----a-w- c:\documents and settings\mattd\gotomypc_428.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-01 15:51 . 2009-03-05 15:47 -------- d-----w- c:\documents and settings\mattd\Application Data\SmartDraw

2009-08-29 02:15 . 2009-04-22 14:11 -------- d-----w- c:\program files\Trend Micro

2009-08-29 00:20 . 2009-03-24 02:24 -------- d-----w- c:\program files\Common Files\Remote Control Software Common

2009-08-27 12:13 . 2007-10-01 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-27 12:07 . 2007-10-01 21:14 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-08-27 11:09 . 2009-08-27 11:09 324 ----a-w- c:\program files\vnqlxzgb.txt

2009-08-26 14:33 . 2006-09-27 08:13 -------- d-----w- c:\program files\CyberLink

2009-08-26 14:33 . 2006-09-27 08:09 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-26 14:32 . 2009-06-11 17:47 -------- d-----w- c:\program files\Citrix

2009-08-26 00:07 . 2004-08-11 22:00 626336 ----a-w- c:\windows\system32\drivers\ntfs.sys

2009-08-25 00:34 . 2009-04-04 04:05 -------- d-----w- c:\documents and settings\mattd\Application Data\BitTorrent

2009-08-17 19:06 . 2009-03-05 22:40 -------- d-----w- c:\program files\TechSmith

2009-08-17 19:03 . 2007-11-20 20:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-17 16:09 . 2006-11-13 16:14 -------- d-----w- c:\program files\AniTa

2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 01:03 . 2009-07-28 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone

2009-07-28 20:00 . 2009-07-28 20:00 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-07-28 19:59 . 2009-07-28 19:59 -------- d-----w- c:\program files\Rosetta Stone

2009-07-20 02:45 . 2009-04-08 00:14 -------- d-----w- c:\program files\JukeItUp Ecstasy Edition

2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 23:06 . 2009-07-16 23:06 -------- d-----w- c:\program files\Microsoft Works

2009-07-16 17:16 . 2009-07-16 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software

2009-07-16 17:13 . 2009-07-16 17:13 -------- d-----w- c:\program files\Avanquest update

2009-07-16 17:13 . 2009-07-16 17:13 -------- d-----w- c:\program files\Motorola Phone Tools

2009-07-13 15:08 . 2004-08-11 22:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2004-08-11 22:00 827392 ----a-w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2004-08-11 22:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-11 22:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-11 22:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-08-11 22:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-11 22:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2004-08-11 22:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 13:40 . 2009-06-16 13:40 1498149 ----a-w- C:\xp32.zip

2009-06-12 12:31 . 2004-08-11 22:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2004-08-11 22:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-11 17:46 . 2009-06-11 17:46 60744 ----a-w- c:\documents and settings\mattd\g2mdlhlpx.exe

2009-06-10 14:19 . 2004-08-11 22:11 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-08-11 22:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2006-10-11 08:04 . 2006-11-13 16:17 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2006-10-11 08:04 . 2006-11-13 16:17 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2006-10-11 08:05 . 2006-11-13 16:17 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2006-10-11 08:05 . 2006-11-13 16:17 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2006-10-11 08:04 . 2006-11-13 16:17 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

------- Sigcheck -------

[-] 2007-02-09 11:23 574976 05AB81909514BFD69CBB1F2C147CF6B9 c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys

[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\$NtServicePackUninstall$\ntfs.sys

[7] 2004-08-04 10:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\$NtUninstallKB930916$\ntfs.sys

[7] 2008-04-14 05:45 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\ServicePackFiles\i386\ntfs.sys

[-] 2009-08-26 00:07 626336 96CC8F3C8E1FF18ECA8F0F1402CA991B c:\windows\system32\drivers\ntfs.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-02-18 709928]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-01 1796368]

c:\documents and settings\mattd\Start Menu\Programs\Startup\

beep.bat [2009-3-12 13]

POP Peeper.lnk - c:\program files\POP Peeper\POPPeeper.exe [2009-1-21 1470464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SnagIt 5.lnk - c:\program files\TechSmith\SnagIt\SnagIt32.exe [2009-8-24 1179648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ pswdsync scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\0\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\1\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1167\Scripts\Logon\0\0]

"Script"=connectXDrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\0\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\1\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"<NO NAME>"=

"61153:TCP"= 61153:TCP:Trend Micro OfficeScan Listener

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/30/2009 6:55 PM 132168]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/30/2009 6:55 PM 25160]

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [4/6/2009 5:42 PM 8576]

R2 msftesql$UC2007;SQL Server FullText Search (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [8/26/2005 4:00 PM 92880]

R2 MSOLAP$UC2007;SQL Server Analysis Services (UC2007);c:\program files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe [10/14/2005 3:46 AM 14557912]

R2 MSSQL$UC2007;SQL Server (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 3:51 AM 28768528]

R2 RshSvc;Remote Shell Service;c:\sfu\common\rshsvc.exe [11/8/2003 2:46 PM 16800]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [11/26/2008 1:42 PM 225296]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/26/2008 1:42 PM 36368]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R2 zzInterix;Interix Subsystem Startup;c:\windows\system32\PSXRUN.EXE [11/8/2003 2:45 PM 66480]

R3 Portmap;Portmap;c:\windows\system32\drivers\portmap.sys [11/8/2003 2:42 PM 35072]

R3 PsxDrv;PsxDrv;c:\windows\system32\drivers\PSXDRV.SYS [11/8/2003 2:45 PM 6128]

R3 RpcXdr;RpcXdr;c:\windows\system32\drivers\rpcxdr.sys [11/8/2003 2:42 PM 55872]

S2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [11/19/2007 3:57 PM 8704]

S2 Mapsvc;User Name Mapping;c:\sfu\Mapper\mapsvc.exe [11/8/2003 2:42 PM 111728]

S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [10/14/2005 3:45 AM 199384]

S2 ObjectStore Cache Manager R6.0;ObjectStore Cache Manager R6.0;c:\odi\OStore\BIN\OSCMGR6.EXE --> c:\odi\OStore\BIN\OSCMGR6.EXE [?]

S2 ObjectStore Server R6.0;ObjectStore Server R6.0;c:\odi\OStore\BIN\OSSERVER.EXE --> c:\odi\OStore\BIN\OSSERVER.EXE [?]

S2 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2/18/2009 12:27 PM 652552]

S3 bddepsrv;BitDefender Deployment Service;c:\windows\_BDDEP_\bddepsrv.exe [3/4/2009 5:09 PM 118112256]

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]

S3 FTSRVR;McLeod Imaging Server;c:\tm\tmsimg\bin\ftsrvrsvc.exe [2/6/2009 10:00 AM 629248]

S3 LME 9.0;LME 9.0;c:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe --> c:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe [?]

S3 LME 9.1;LME 9.1;c:\mcleod_910\Win2000_tools\scheduler_service\LMESchedulerService.exe [2/4/2009 10:30 AM 32768]

S3 LME Scheduler (demo_820);LME Scheduler (demo_820);c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe --> c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe [?]

S3 SQLAgent$UC2007;SQL Server Agent (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE [10/14/2005 3:51 AM 318680]

S3 tcpsvc;PC*MILER TCP/IP Interface;c:\program files\ALK Technologies\Tolls190\TCPIP\tcpsvc.exe [11/13/2006 4:52 PM 16384]

S4 CronService;Windows Cron Service;c:\sfu\common\cron.exe [11/8/2003 2:46 PM 47536]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

S4 PerlSock;Perl Socket Service;c:\sfu\Perl\bin\PerlSock.exe [11/8/2003 3:05 PM 225357]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

.

Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://71.8.85.66:1024/img/LinksysViewer.cab

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-01 21:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql$UC2007]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:UC2007"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1348)

c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(1404)

c:\windows\system32\guard32.dll

c:\windows\system32\pswdsync.dll

.

Completion time: 2009-09-02 21:26

ComboFix-quarantined-files.txt 2009-09-02 02:26

Pre-Run: 23,681,200,128 bytes free

Post-Run: 26,700,255,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect

260 --- E O F --- 2009-08-27 15:18


A couple of questions for you ...

1) Is this an Office/Work Machine?

2) Do you know what this file is for? beep.bat

3) Do you know anything about the Logon scripts showing in your log?

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\0\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\1\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1167\Scripts\Logon\0\0]

"Script"=connectXDrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\0\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\1\0]

"Script"=xdrivemapping.bat

----------------------------------------------------------------------------------------

Step 1

Custom CFScript

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    http://www.malwarebytes.org/forums/index.php?showtopic=22953&st=0entry118900
    Suspect::[4]
    c:\windows\system32\drivers\ntfs.sys
    c:\documents and settings\mattd\Start Menu\Programs\Startup\beep.bat
    c:\Program Files\vnqlxzgb.txt
    File::
    c:\Program Files\vnqlxzgb.txt
    FCopy::
    c:\windows\ServicePackFiles\i386\ntfs.sys|c:\windows\system32\drivers\ntfs.sys
    ADS::


  • Save this as CFScript.txt and place it on your desktop.
    CFScriptb.gif
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • **Note**
    When CF finishes running, the ComboFix log will open along with a message box; do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

----------------------------------------------------------------------------------------

Step 2

Kaspersky Online Scanner.

Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.

NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin

Go here: http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Read the Requirements and limitations before you click Accept.

Once the database has downloaded, click My Computer in the left pane.

Now go and put the kettle on!

When the scan has completed, click Save Report As...

Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt).

Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.

**Note**

To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------------------------------------

Logs/Information to Post in Reply

Please post the following logs/Information in your reply

Some of the logs I request will be quite large; you may need to split them over a couple of replies.

  • Combofix Log
  • Kaspersky Log
  • Contents of C:\Qoobox\Add-Remove Programs.txt
  • How are things running now?


A couple of questions for you ...

1) Is this an Office/Work Machine?

2) Do you know what this file is for? beep.bat

3) Do you know anything about the Logon scripts showing in your log?

Hi again Katana,

1) It is a laptop that I use for the company I work for. It is on a domain often, but I have full perms. The only thing I can't do is manually stop TrendMicro, because it is passworded.

2) Beep.bat is nothing; it issues a single dos command. I wrote it myself to reset a data value.

3) The login scripts are for my office mapped network drive. They are safe.

4) "How is it running now?" ... it appears fine, but that is the odd thing about this; I can reboot a few times and it seems to come back. But for the moment, it seems fine.

5) Kaspersky did find a few things that all others missed.

6) This AM I was getting a blue screen (something to do with tcp/ip). I had to choose "use last known configuration", at which time, it booted fine.

Logs you requested:

Add-Remove:

7-Zip 4.65

AAC Decoder

Adobe Acrobat - Reader 6.0.2 Update

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 6.0.1

ALK|FleetSuite Tolls 19

ALK|FleetSuite Tolls Streets 19.0

ALPS Touch Pad Driver

AniTa Terminal

Apple Software Update

AutoUpdate

Avanquest update

BitTorrent

Broadcom Advanced Control Suite

Cisco Systems VPN Client 4.8.00.0440

Command Prompt Here PowerToy

COMODO Internet Security

Compatibility Pack for the 2007 Office system

Conexant HDA D110 MDC V.92 Modem

CutePDF Writer 2.7

DivX Codec

DivX Converter

DivX Player

DivX Plus DirectShow Filters

DivX Version Checker

DivX Web Player

FaxMan SDK V 4.1.2.0

FileSync

Foxit Reader

Fujitsu fi-4120C2

Google Chrome

Google Toolbar for Internet Explorer

GSview 4.8

H.264 Decoder

High Definition Audio Driver Package - KB835221

HijackThis 2.0.2

Hotfix 2055 for SQL Server 2000 ENU (KB960082)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Intel® Graphics Media Accelerator Driver

J2SE Runtime Environment 5.0 Update 3

J2SE Runtime Environment 5.0 Update 6

Java 6 Update 11

JukeItUp!

Kofax Scan Demo

Kofax TWAIN Data Source

LimeWire PRO 5.0.11

Logitech Harmony Remote Software 7

MagicDisc 2.7.106

Malwarebytes' Anti-Malware

MetaFrame Presentation Server Web Client for Win32

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Hotfix (KB928366)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office Basic Edition 2003

Microsoft Office PowerPoint 2003

Microsoft Office Visio Standard 2003

Microsoft Silverlight

Microsoft SQL Server 2005

Microsoft SQL Server 2005 (UC2007)

Microsoft SQL Server 2005 Analysis Services

Microsoft SQL Server 2005 Analysis Services (UC2007)

Microsoft SQL Server 2005 Backward compatibility

Microsoft SQL Server 2005 Books Online (English)

Microsoft SQL Server 2005 Integration Services

Microsoft SQL Server 2005 Notification Services

Microsoft SQL Server 2005 Tools

Microsoft SQL Server Native Client

Microsoft SQL Server Setup Support Files (English)

Microsoft SQL Server VSS Writer

Microsoft Visual Studio 2005 Premier Partner Edition - ENU

Microsoft Visual Studio 2005 Premier Partner Edition - ENU Service Pack 1 (KB926601)

Microsoft Windows Services for UNIX

Microsoft Works 6-9 Converter

MKV Splitter

Motorola Driver Installation 3.7.0

Motorola Phone Tools

Mozilla Firefox (2.0)

MS Runtime

MSXML 6.0 Parser

NTRU Hybrid TSS v2.0.25

ObjectStore 6.2.1

Paint Shop Pro 7 Try And Buy

POP Peeper

QuickSet

QuickTime

Remote Control USB Driver

Rosetta Stone V3

Security Update for Step By Step Interactive Training (KB923723)

Security Update for Windows Internet Explorer 7 (KB928090)

Security Update for Windows Internet Explorer 7 (KB929969)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB950759)

Security Update for Windows Internet Explorer 7 (KB958215)

Security Update for Windows Internet Explorer 7 (KB960714)

Security Update for Windows Internet Explorer 7 (KB961260)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923789)

Security Update for Windows XP (KB938464)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954211)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956391)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973869)

Sentinel System Driver

SmartDraw 6

SnagIt 5

SnagIt 9

SQLXML4

Starcraft

Target Context Menu (Remove Only)

Trend Micro OfficeScan Client

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB942763)

Update for Windows XP (KB951978)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB973815)

VC80CRTRedist - 8.0.50727.762

VirtualReScan

Visual C++ 2008 x86 Runtime - (v9.0.30729)

Visual C++ 2008 x86 Runtime - v9.0.30729.01

VNC Free Edition 4.1.3

VRS Service Pack-1

WebEx

WebFldrs XP

Windows Defender

Windows Genuine Advantage Notifications (KB905474)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Media Format Runtime

Windows Media Player 10

Windows XP Service Pack 3

WinPatrol 2008

--------------------------------------------------------------------------------------

Combo Fix

ComboFix 09-09-01.08 - mattd 09/02/2009 17:34.2.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.434 [GMT -5:00]

Running from: c:\documents and settings\mattd\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\mattd\Desktop\CFScript.txt

AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {806EEB56-F26D-4ADC-9880-7088DDA66B8D}

FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::

"c:\program files\vnqlxzgb.txt"

file zipped: c:\program files\vnqlxzgb.txt

file zipped: c:\windows\system32\drivers\ntfs.sys

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\vnqlxzgb.txt

.

--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\ntfs.sys --> c:\windows\system32\drivers\ntfs.sys

.

((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))

.

2009-08-31 20:52 . 2009-08-31 20:52 -------- d-----w- C:\bol

2009-08-30 23:55 . 2009-08-31 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo

2009-08-30 23:55 . 2009-09-01 15:01 179792 ----a-w- c:\windows\system32\guard32.dll

2009-08-30 23:55 . 2009-09-01 15:01 87104 ----a-w- c:\windows\system32\drivers\inspect.sys

2009-08-30 23:55 . 2009-09-01 15:01 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys

2009-08-30 23:55 . 2009-09-01 15:01 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys

2009-08-30 23:55 . 2009-08-30 23:55 -------- d-----w- c:\program files\COMODO

2009-08-30 03:47 . 2009-08-30 03:47 -------- d-----w- c:\program files\Windows Defender

2009-08-27 12:21 . 2009-09-02 02:30 94016 ----a-w- c:\windows\system32\drivers\agp440.sys

2009-08-27 12:21 . 2009-09-02 02:30 94016 ----a-w- c:\windows\system32\dllcache\agp440.sys

2009-08-27 12:08 . 2009-08-27 12:08 -------- d-----w- c:\documents and settings\mattd\Local Settings\Application Data\Microsoft Help

2009-08-27 11:53 . 2009-08-27 11:54 -------- d-----w- C:\b94fc99b4234241569f8

2009-08-27 11:52 . 2009-08-27 11:55 -------- d-----w- C:\af68abf42d22c0317532447fccccfb74

2009-08-24 01:04 . 2009-08-24 01:22 -------- d-----w- c:\windows\system32\NtmsData

2009-08-23 14:12 . 2009-08-25 17:22 44 ----a-w- c:\windows\system32\statistics.dat

2009-08-23 13:51 . 2009-08-25 17:20 54 ----a-w- c:\windows\system32\rp_stats.dat

2009-08-23 13:51 . 2009-08-25 17:20 39 ----a-w- c:\windows\system32\rp_rules.dat

2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\documents and settings\mattd\Application Data\Malwarebytes

2009-08-22 17:44 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-08-22 17:44 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-22 13:23 . 2009-08-31 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-18 17:44 . 2009-08-18 17:44 -------- d-----w- c:\program files\Active Data Recovery Software

2009-08-17 19:06 . 2009-08-17 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith

2009-08-17 19:06 . 2009-08-17 19:06 -------- d-----w- c:\documents and settings\mattd\Local Settings\Application Data\TechSmith

2009-08-13 14:45 . 2009-08-13 14:45 -------- d-----w- c:\documents and settings\mattd\$USERHOME

2009-08-13 02:29 . 2009-06-12 12:31 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe

2009-08-13 02:29 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe

2009-08-13 02:28 . 2009-06-10 06:14 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll

2009-08-13 02:28 . 2009-06-10 14:13 84992 ------w- c:\windows\system32\dllcache\avifil32.dll

2009-08-13 02:27 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll

2009-08-13 02:27 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-13 02:25 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

2009-08-13 02:24 . 2009-06-25 08:25 54272 ------w- c:\windows\system32\dllcache\wdigest.dll

2009-08-13 02:24 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll

2009-08-13 02:24 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys

2009-08-13 02:24 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll

2009-08-10 18:35 . 2009-08-10 18:35 721912 ----a-w- c:\documents and settings\mattd\gotomypc_428.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-09-02 21:17 . 2009-03-05 15:47 -------- d-----w- c:\documents and settings\mattd\Application Data\SmartDraw

2009-08-29 02:15 . 2009-04-22 14:11 -------- d-----w- c:\program files\Trend Micro

2009-08-29 00:20 . 2009-03-24 02:24 -------- d-----w- c:\program files\Common Files\Remote Control Software Common

2009-08-27 12:13 . 2007-10-01 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-27 12:07 . 2007-10-01 21:14 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-08-26 14:33 . 2006-09-27 08:13 -------- d-----w- c:\program files\CyberLink

2009-08-26 14:33 . 2006-09-27 08:09 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-26 14:32 . 2009-06-11 17:47 -------- d-----w- c:\program files\Citrix

2009-08-25 00:34 . 2009-04-04 04:05 -------- d-----w- c:\documents and settings\mattd\Application Data\BitTorrent

2009-08-17 19:06 . 2009-03-05 22:40 -------- d-----w- c:\program files\TechSmith

2009-08-17 19:03 . 2007-11-20 20:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-17 16:09 . 2006-11-13 16:14 -------- d-----w- c:\program files\AniTa

2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 01:03 . 2009-07-28 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone

2009-07-28 20:00 . 2009-07-28 20:00 -------- d-----w- c:\program files\Common Files\Macrovision Shared

2009-07-28 19:59 . 2009-07-28 19:59 -------- d-----w- c:\program files\Rosetta Stone

2009-07-20 02:45 . 2009-04-08 00:14 -------- d-----w- c:\program files\JukeItUp Ecstasy Edition

2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-16 23:06 . 2009-07-16 23:06 -------- d-----w- c:\program files\Microsoft Works

2009-07-16 17:16 . 2009-07-16 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software

2009-07-16 17:13 . 2009-07-16 17:13 -------- d-----w- c:\program files\Avanquest update

2009-07-16 17:13 . 2009-07-16 17:13 -------- d-----w- c:\program files\Motorola Phone Tools

2009-07-13 15:08 . 2004-08-11 22:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll

2009-06-29 16:12 . 2004-08-11 22:00 827392 ------w- c:\windows\system32\wininet.dll

2009-06-29 16:12 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll

2009-06-29 16:12 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll

2009-06-25 08:25 . 2004-08-11 22:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2004-08-11 22:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2004-08-11 22:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-25 08:25 . 2004-08-11 22:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2004-08-11 22:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-24 11:18 . 2004-08-11 22:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-16 14:36 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-16 13:40 . 2009-06-16 13:40 1498149 ----a-w- C:\xp32.zip

2009-06-12 12:31 . 2004-08-11 22:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2004-08-11 22:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-11 17:46 . 2009-06-11 17:46 60744 ----a-w- c:\documents and settings\mattd\g2mdlhlpx.exe

2009-06-10 14:19 . 2004-08-11 22:11 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2004-08-11 22:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2006-10-11 08:04 . 2006-11-13 16:17 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll

2006-10-11 08:04 . 2006-11-13 16:17 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2006-10-11 08:05 . 2006-11-13 16:17 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll

2006-10-11 08:05 . 2006-11-13 16:17 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll

2006-10-11 08:04 . 2006-11-13 16:17 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll

2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll

2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll

.

((((((((((((((((((((((((((((( SnapShot@2009-09-02_02.23.39 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-09-02 13:57 . 2009-09-02 13:57 16384 c:\windows\Temp\Perflib_Perfdata_4b0.dat

+ 2004-08-11 22:00 . 2008-04-14 05:45 574976 c:\windows\system32\dllcache\ntfs.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]

"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-02-18 709928]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-01 1796368]

c:\documents and settings\mattd\Start Menu\Programs\Startup\

beep.bat [2009-3-12 13]

POP Peeper.lnk - c:\program files\POP Peeper\POPPeeper.exe [2009-1-21 1470464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

SnagIt 5.lnk - c:\program files\TechSmith\SnagIt\SnagIt32.exe [2009-8-24 1179648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ pswdsync scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\0\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\1\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1167\Scripts\Logon\0\0]

"Script"=connectXDrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\0\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\1\0]

"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=

"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support

"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

"<NO NAME>"=

"61153:TCP"= 61153:TCP:Trend Micro OfficeScan Listener

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/30/2009 6:55 PM 132168]

R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/30/2009 6:55 PM 25160]

R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [4/6/2009 5:42 PM 8576]

R2 Mapsvc;User Name Mapping;c:\sfu\Mapper\mapsvc.exe [11/8/2003 2:42 PM 111728]

R2 msftesql$UC2007;SQL Server FullText Search (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [8/26/2005 4:00 PM 92880]

R2 MSOLAP$UC2007;SQL Server Analysis Services (UC2007);c:\program files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe [10/14/2005 3:46 AM 14557912]

R2 MSSQL$UC2007;SQL Server (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 3:51 AM 28768528]

R2 RshSvc;Remote Shell Service;c:\sfu\common\rshsvc.exe [11/8/2003 2:46 PM 16800]

R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [11/26/2008 1:42 PM 225296]

R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/26/2008 1:42 PM 36368]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

R2 zzInterix;Interix Subsystem Startup;c:\windows\system32\PSXRUN.EXE [11/8/2003 2:45 PM 66480]

R3 Portmap;Portmap;c:\windows\system32\drivers\portmap.sys [11/8/2003 2:42 PM 35072]

R3 PsxDrv;PsxDrv;c:\windows\system32\drivers\PSXDRV.SYS [11/8/2003 2:45 PM 6128]

R3 RpcXdr;RpcXdr;c:\windows\system32\drivers\rpcxdr.sys [11/8/2003 2:42 PM 55872]

S2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [11/19/2007 3:57 PM 8704]

S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [10/14/2005 3:45 AM 199384]

S2 ObjectStore Cache Manager R6.0;ObjectStore Cache Manager R6.0;c:\odi\OStore\BIN\OSCMGR6.EXE --> c:\odi\OStore\BIN\OSCMGR6.EXE [?]

S2 ObjectStore Server R6.0;ObjectStore Server R6.0;c:\odi\OStore\BIN\OSSERVER.EXE --> c:\odi\OStore\BIN\OSSERVER.EXE [?]

S2 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2/18/2009 12:27 PM 652552]

S3 bddepsrv;BitDefender Deployment Service;c:\windows\_BDDEP_\bddepsrv.exe [3/4/2009 5:09 PM 118112256]

S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]

S3 FTSRVR;McLeod Imaging Server;c:\tm\tmsimg\bin\ftsrvrsvc.exe [2/6/2009 10:00 AM 629248]

S3 LME 9.0;LME 9.0;c:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe --> c:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe [?]

S3 LME 9.1;LME 9.1;c:\mcleod_910\Win2000_tools\scheduler_service\LMESchedulerService.exe [2/4/2009 10:30 AM 32768]

S3 LME Scheduler (demo_820);LME Scheduler (demo_820);c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe --> c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe [?]

S3 SQLAgent$UC2007;SQL Server Agent (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE [10/14/2005 3:51 AM 318680]

S3 tcpsvc;PC*MILER TCP/IP Interface;c:\program files\ALK Technologies\Tolls190\TCPIP\tcpsvc.exe [11/13/2006 4:52 PM 16384]

S4 CronService;Windows Cron Service;c:\sfu\common\cron.exe [11/8/2003 2:46 PM 47536]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]

S4 PerlSock;Perl Socket Service;c:\sfu\Perl\bin\PerlSock.exe [11/8/2003 3:05 PM 225357]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

.

Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]

.

.

------- Supplementary Scan -------

.

uStart Page = about:blank

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://71.8.85.66:1024/img/LinksysViewer.cab

FF - ProfilePath -

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-09-02 17:42

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msftesql$UC2007]

"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:UC2007"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,

00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1348)

c:\windows\system32\guard32.dll

c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1404)

c:\windows\system32\guard32.dll

c:\windows\system32\pswdsync.dll

.

Completion time: 2009-09-02 17:44

ComboFix-quarantined-files.txt 2009-09-02 22:44

ComboFix2.txt 2009-09-02 02:26

Pre-Run: 26,675,863,552 bytes free

Post-Run: 26,631,495,680 bytes free

246 --- E O F --- 2009-08-27 15:18

--------------------------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Wednesday, September 2, 2009

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, September 03, 2009 00:36:06

Records in database: 2740933

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

X:\

Scan statistics:

Objects scanned: 153916

Threats found: 5

Infected objects found: 11

Suspicious objects found: 0

Scan duration: 03:44:17

File name / Threat / Threats count

C:\Documents and Settings\mattd\My Documents\Utilities\os\dmx10 - touch screen jukebox os.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1

C:\Documents and Settings\mattd\My Documents\Utilities\os\dmx10 - touch screen jukebox os.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1

C:\Documents and Settings\mattd\My Documents\Utilities\os\nec ready 120lt os.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3

C:\mcleod_910\Win2000_tools\Install Files\tightvnc-1.2.3-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1

C:\mcleod_910\Win2000_tools\tightvnc-1.2.3-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1

C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1

C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ntfs.sys.vir Infected: Virus.Win32.Protector.c 1

C:\Qoobox\Quarantine\[4]-Submit_2009-09-02_17.33.48.zip Infected: Virus.Win32.Protector.c 1

Selected area has been scanned.


Why on earth do you have P2P programs on a machine that you connect to an Office network ???

IMPORTANT

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent

LimeWire PRO 5.0.11

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs

Please note: you must NOT use any P2P whilst we are cleaning your machine.

Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.

If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoftware.com/pdf/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.

  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right Untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download Java SE Runtime Environment (JRE) . ( don't install it yet )

  • Scroll down to where it says "Java SE Runtime Environment (JRE)".
  • Click the "Download" button to the right.
    • Platform = Windows
    • Language = Multi Language

    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Now download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Now install the Java SE Runtime Environment (JRE) package you downloaded

(it comes with a toolbar pre-selected, so make sure you uncheck the box)

You can delete JavaRa (zip and exe)

----------------------------------------------------------------------------------------

Congratulations your logs look clean :D

Let's see if I can help you keep it that way

First let's tidy up

Uninstall Combofix

  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

You can also delete any logs we have produced and any other tools we have downloaded.

----------------------------------------------------------- -----------------------------------------------------------

The following is some info to help you stay safe and clean.

You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.

( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners

I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan

http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html

!!! Make sure that all your programs are updated !!!

Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware

  • AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites

  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention

  • These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition

  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers

  • Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.

      5. Next press the Apply button and then the OK to exit the Internet Properties page.

If you are still using IE6 then either update, or get one of the following.

  • FireFox
    • With many addons available that make customization easy this is a very popular choice
    • NoScript and AdBlockPlus addons are essential

  • Opera
    • Another popular alternative
  • Netscape
    • Another popular alternative
    • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies

  • Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.
    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use

  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article.....So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.

If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.

Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :)

If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
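The Internet Explorer "Custom Level" steps above change per-user values under the Internet zone (zone 3) of the registry. Added example, not part of the helper's post or of any tool mentioned in it: a PowerShell script that reads those values and reports which ones differ from the recommended Prompt/Disable settings, and only writes them back when run with -Apply. It assumes PowerShell 2.0 or later is installed; the action IDs (1001, 1004, 1201, 1607, 1800, 1804) and the 0/1/3 data values follow Microsoft's documented layout of the zone keys.

```powershell
# Added example (not from the forum post): audit the IE Internet-zone settings the reply
# recommends by reading the per-user zone registry values. Report only unless -Apply is given.
# Value data in these keys: 0 = Enable, 1 = Prompt, 3 = Disable.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended settings from the reply, keyed by the registry action ID
$Recommended = @{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ZoneSetting {
    # Returns the current DWORD for one action ID, or $null when the value is not set
    param([string]$Id)
    $item = Get-ItemProperty -Path $ZonePath -Name $Id -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Id
}

function Test-IeZoneHardening {
    param([switch]$Apply)   # without -Apply nothing is written

    foreach ($id in ($Recommended.Keys | Sort-Object)) {
        $want = $Recommended[$id].Value
        $have = Get-ZoneSetting -Id $id
        $haveLabel = if ($null -eq $have) { 'not set (IE default)' } else { $Labels[$have] }
        $status = if ($have -eq $want) { 'OK' } else { 'CHANGE' }
        '{0,-7} {1,-62} current: {2,-21} recommended: {3}' -f $status, $Recommended[$id].Name, $haveLabel, $Labels[$want]
        if ($Apply -and $have -ne $want) {
            # Per-user value, so no elevation is needed; restart IE for it to take effect
            Set-ItemProperty -Path $ZonePath -Name $id -Value $want -Type DWord
        }
    }
}

Test-IeZoneHardening            # report only
# Test-IeZoneHardening -Apply   # write the recommended values
```

Running the audit before and after walking through the dialog steps shows exactly which of the six settings the dialog changed, which is a quick way to confirm the procedure was completed on a machine you are cleaning.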
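The Winpatrol entry above describes a startup monitor that notifies you when a program is added to the Run keys. Added example, not part of the helper's post and not Winpatrol's code: a small report-only PowerShell monitor that snapshots the HKLM and HKCU Run/RunOnce keys, polls them, and prints every entry that is added, changed or removed between polls, plus a note when a new entry points at an executable that does not exist on disk. It assumes PowerShell 2.0 or later; the poll interval and count are arbitrary and nothing is deleted.

```powershell
# Added example (not from the forum post): watch the common autostart Run keys and report
# additions, changes and removals between polls. Report only; no entries are modified.
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunSnapshot {
    # Returns a hashtable mapping "key\valueName" to the command string stored there
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        if ($null -eq $props) { continue }            # key exists but holds no values
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }     # skip PSPath, PSParentPath, ...
            $snap["$key\$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

function Compare-RunSnapshot {
    # Diff two snapshots; returns objects with Change (ADDED/CHANGED/REMOVED), Entry, Command
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($k in $After.Keys) {
        if (-not $Before.ContainsKey($k)) {
            $changes += New-Object PSObject -Property @{ Change = 'ADDED';   Entry = $k; Command = $After[$k] }
        } elseif ($Before[$k] -ne $After[$k]) {
            $changes += New-Object PSObject -Property @{ Change = 'CHANGED'; Entry = $k; Command = $After[$k] }
        }
    }
    foreach ($k in $Before.Keys) {
        if (-not $After.ContainsKey($k)) {
            $changes += New-Object PSObject -Property @{ Change = 'REMOVED'; Entry = $k; Command = $Before[$k] }
        }
    }
    return $changes
}

function Get-CommandImage {
    # Extract the executable path from a Run value: quoted path first, else first token
    param([string]$Command)
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Watch-RunKeys {
    param([int]$IntervalSeconds = 30, [int]$Polls = 10)   # arbitrary defaults
    $baseline = Get-RunSnapshot
    "Baseline: $($baseline.Count) autostart entries"
    for ($i = 0; $i -lt $Polls; $i++) {
        Start-Sleep -Seconds $IntervalSeconds
        $current = Get-RunSnapshot
        foreach ($c in (Compare-RunSnapshot -Before $baseline -After $current)) {
            '{0} {1,-8} {2}  ->  {3}' -f (Get-Date -Format 'HH:mm:ss'), $c.Change, $c.Entry, $c.Command
            # An autostart entry whose target is missing from disk deserves a closer look
            $exe = Get-CommandImage -Command $c.Command
            if ($c.Change -ne 'REMOVED' -and $exe -and -not (Test-Path -LiteralPath $exe)) {
                "    target does not exist on disk: $exe"
            }
        }
        $baseline = $current
    }
}

Watch-RunKeys -IntervalSeconds 30 -Polls 10
```

Because the entries are polled rather than hooked, an entry that is written and removed again between two polls is missed; shortening the interval narrows that window at the cost of more registry reads. The output is deliberately a plain log so it can be pasted into a thread like this one alongside the other scan reports.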


Why on earth do you have P2P programs on a machine that you connect to an Office network ???

IMPORTANT

I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent

LimeWire PRO 5.0.11

Hello,

Ahhh...yes, P2P stuff. I wondered if that would come up. Thank you very much for your help. I will follow your recommendations and suggestions.

-Matt

