
Trojan, malware removal unsuccessful - signs of recurrence


davidi


I started with the false belief that this system had MBAM installed and licensed. Licenses had been purchased several months ago but the person that was supposed to install and configure MBAM never did it.

The system has licensed NOD32 AV coverage. However .... due to unmonitored use - users have wildly used P2P apps, traded files, clicked on things they shouldn't have ... well this machine got pretty messed up. I didn't know how messed up.

This system has three accounts that are used. Two admin level (alex and nick) and a sometimes actively used guest account with limited privileges.

In the beginning I could not get mbam to run. Following sticky posts did not result in a solution. I ventured into tools I wasn't qualified to use but eventually managed to get mbam on the system (although with an outdated mbam database).

In my process of doing things I have ended up with:

2 mbam logs (using outdated mbam database) with information about what was found and action taken.

2 combofix logs (one is a mutant log due to my stupidity of not realizing I was in the limited 'guest' account when I first started it and when it restarted the computer I logged into an admin account for its finish.)

2 more mbam logs using outdated mbam database with even more things found and action taken.

1 very GOOD mbam log where I finally got the most recent (for that moment in time) mbam database. The full scan found LOTS more stuff and shows the action taken.

I also have various logging of NOD32 AV of what it found and did throughout this process either on its own or by my direction.

And last (literally - these were created last in this whole mess) two hijackthis v2.0.2 logs from each of the admin level accounts.

Each log does provide insight into what's been found and done. I don't have room to put the logs in one post. But I have put them all together (chronologically) in a single text attachment.

I suspect I'm probably still infected with something or the system is not clean because although MBAM now says things are clean my AV app finds things. I also haven't returned to the Guest account which I once visited early on and it was a mess in there.

I need some expert help here.

p.s. I also have another post asking about dealing with this Guest account on this system. Perhaps the REAL problem is that I may not be totally clean and until then I should continue to avoid the guest account. However - the guest account is used rather often by ... well ... guests! So it would be good to get it fixed back up! Post:

http://www.malwarebytes.org/forums/index.php?showtopic=28879

Signed,

- David (davidi)

history.txt


  • Staff

Hi David,

Since this was already a couple of days ago, please do the following...

First of all, please update MalwareBytes, because the database version is outdated.

  • Start MalwareBytes and click the Update tab. There click "Check for updates"
  • Once the updates are downloaded, perform a quick scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Mieke,

Thank you for your help. Coincidentally - last night I happened to end up at your blog site and was reading several articles in your blog! Good words. Glad to have you as my helper. Thank you so much.

Since I have two admin accounts I did as you asked with fresh start of windows, update mbam, short scan, save log, and hjt save log for each account (they have different results in the HJT logs). I restarted the system between doing this for each account.

MBAM came up clean on both. But here are the logs.

I should add ... the computer has been off since I posted originally. Except for hooking up the drive as a slave to a 'donor' system to look for suspicious files and submit them to Virus Total. There was one file at the root, C:\gfadgfsd.exe that definitely didn't seem right and Virus Total came back with 18/41. I deleted that file as a result before getting assigned to you (although I do have full backup of the drive with that file.)

If I knew how to put this in a codebox I would. I'll try (I'll also change the http to hxxp). This is the link to the Virus Total analysis results for that file I deleted if curious:

hxxp://www.virustotal.com/analisis/df9e06264ecc6accd1f0757f48bf8c36d993e4239fa079c49cbd4725d470eed2-1256825280#

Thank you again,

- Davidi

For the "Alex" account, mbam log:

---------------------------------------

Malwarebytes' Anti-Malware 1.41

Database version: 3056

Windows 5.1.2600 Service Pack 2

10/29/2009 3:22:15 PM

mbam-log-2009-10-29 (15-22-15).txt

Scan type: Quick Scan

Objects scanned: 117105

Time elapsed: 3 minute(s), 54 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

For the "Alex" account, HJT log:

----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:23:26 PM, on 10/29/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\DAEMON Tools Lite\daemon.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.logitech.com/bluetooth/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O8 - Extra context menu item: &AIM Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208967146406

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208967221593

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 7137 bytes

For the "Nick" account, mbam log:

----------------------------------------------

Malwarebytes' Anti-Malware 1.41

Database version: 3056

Windows 5.1.2600 Service Pack 2

10/29/2009 3:04:04 PM

mbam-log-2009-10-29 (15-04-04).txt

Scan type: Quick Scan

Objects scanned: 117148

Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

For the "Nick" account, HJT log:

---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:06:42 PM, on 10/29/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208967146406

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208967221593

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--

End of file - 6902 bytes

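David notes that the two HijackThis logs above "have different results". Comparing two HJT logs by eye is error-prone, so here is an added example (editor's code, not part of the thread and not a HijackThis feature) that parses the R/O entry lines, separates per-account entries (HKCU keys and R3 URLSearchHooks, an assumption of this example) from machine-wide ones, diffs the two logs, and flags entries that usually deserve a second look: "(no file)" orphans, "(no name)" entries, services with "Unknown owner", and 8.3 short paths such as PROGRA~1 that should be resolved before judging the file. The embedded sample logs are abbreviated copies of the alex and nick logs posted above, and the flag rules are heuristics, not verdicts.

```python
"""Added example, not from the thread: diff two HijackThis (HJT) logs taken on
the same machine from different accounts, and flag entries that usually
deserve a second look.  The flag rules and the per-user classification are
this example's own heuristics, not HijackThis rules."""
import re

# Abbreviated excerpts of the alex and nick logs posted above (copied, not
# the complete logs).
ALEX_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.logitech.com/bluetooth/
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""
NICK_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
SHORT_NAME = re.compile(r"~\d")  # 8.3 short path component, e.g. PROGRA~1

# Substrings whose presence is worth a second look (heuristic, not a verdict).
FLAG_RULES = [
    ("(no file)", "points at a file that no longer exists (orphaned entry)"),
    ("(no name)", "entry carries no display name"),
    ("Unknown owner", "service reports no vendor"),
]


def parse_hjt(text):
    """Return the set of (section, body) entries in an HJT log; process list,
    header and footer lines do not match the pattern and are ignored."""
    entries = set()
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.add((m.group("section"), m.group("body")))
    return entries


def is_per_user(section, body):
    """Assumption: HKCU entries and R3 URLSearchHooks are per-account and may
    legitimately differ; everything else on one machine should be identical."""
    return "HKCU" in body or section == "R3"


def diff_logs(text_a, text_b, include_per_user=False):
    """Entries present in only one of the two logs.  With include_per_user=False
    the per-account noise is dropped, so anything left over means the two logs
    do not describe the same machine state."""
    a, b = parse_hjt(text_a), parse_hjt(text_b)

    def keep(entry):
        return include_per_user or not is_per_user(*entry)

    return {e for e in a - b if keep(e)}, {e for e in b - a if keep(e)}


def flag_entries(text):
    """Entries matching a flag rule or using an 8.3 short path, with reasons."""
    flagged = []
    for section, body in sorted(parse_hjt(text)):
        reasons = [why for needle, why in FLAG_RULES if needle in body]
        if SHORT_NAME.search(body):
            reasons.append("uses an 8.3 short path; resolve it before judging the file")
        if reasons:
            flagged.append((section, body, reasons))
    return flagged


if __name__ == "__main__":
    only_alex, only_nick = diff_logs(ALEX_LOG, NICK_LOG)
    print("machine-wide differences:", only_alex or "none", "/", only_nick or "none")
    for section, body, reasons in flag_entries(ALEX_LOG):
        print(f"{section}: {body}\n    -> {'; '.join(reasons)}")
```

Run against the two excerpts, the machine-wide diff is empty, which is what one expects from two accounts on the same box: everything that differs between alex and nick lives under HKCU or is an R3 hook. The flagged entries are the same in both logs (the unnamed O9 button behind a short path, and the ATI Smart service with no vendor), plus the orphaned R3 URLSearchHook that only the alex profile carries.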

  • Staff

Hi,

gfadgfsd.exe needs to be deleted as it is definitely bad.

I see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users' approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player

Also, you have used combofix before. Can you rerun an extra scan again as well? This so I can see what's still there. In your previous Combofix log, there were still some things in there that needed to be deleted, but since I know Malwarebytes deals with those as well, that's why I asked you to do a malwarebytes scan first.

No need to run this from several accounts. Just run Combofix from the account where you got infected.

Then post the contents of the latest Combofix log in your next reply.

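The ComboFix log David posts next opens with a "Files Created" section, one entry per line: creation timestamp, modification timestamp, size (or dashes for a directory), an attribute string, and the path. Reading such a section by hand, the first thing a responder looks for is timing: many new directories appearing in the same minute under one parent. Here is an added example (editor's code, not part of the thread and not part of ComboFix) that parses those lines, groups new directories by creation minute and parent, and notes which names match a crude "pronounceable random name" shape (6 to 10 lower-case letters strictly alternating consonant and vowel). The sample input is an abbreviated copy of the section from David's log; the burst threshold and the name pattern are this example's assumptions, and what they produce are review candidates, not verdicts.

```python
"""Added example, not from the thread or from ComboFix: triage the
"Files Created" section of a ComboFix log.  Entries are grouped by creation
minute and parent directory so that bursts of new directories stand out, and
directory names are checked against a crude "pronounceable random name"
pattern.  Both the burst threshold and the name pattern are this example's
assumptions and yield review candidates, not verdicts."""
import re
from collections import defaultdict

# Copied (abbreviated) from the "Files Created" section David posts later in
# this thread.  Format per line: created . modified size attrs path
SAMPLE_FILES_CREATED = r"""
2009-10-26 07:00 . 2009-10-26 07:00 -------- d--h--w- c:\windows\PIF
2009-10-25 13:35 . 2009-10-25 13:35 -------- d-----w- c:\program files\Trend Micro
2009-10-20 06:45 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-20 06:45 . 2009-10-21 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\yayutoto
2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\sejuvoma
2009-10-19 22:28 . 2009-10-21 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\pozimadu
2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\zavuzogo
2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\reforola
2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\kuwovogi
2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\fusigoka
2009-10-19 21:14 . 2004-08-10 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-10-19 21:14 . 2004-08-10 12:00 4224 ------w- c:\windows\system32\drivers\beep.sys
"""

CF_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[-a-z]+) (?P<path>.+)$"
)
VOWELS = set("aeiou")


def parse_files_created(text):
    """Parse entry lines; section banners, '.' separators and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = CF_LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["is_dir"] = e["attrs"].startswith("d")  # ComboFix marks directories with a leading 'd'
            e["parent"], _, e["name"] = e["path"].rpartition("\\")
            entries.append(e)
    return entries


def looks_random(name):
    """Assumed pattern: 6-10 lower-case letters strictly alternating
    consonant/vowel ('cvcvcvcv'), the shape of many generated names."""
    if not (name.isalpha() and name.islower() and 6 <= len(name) <= 10):
        return False
    shape = "".join("v" if ch in VOWELS else "c" for ch in name)
    return shape == ("cv" * 5)[: len(name)]


def directory_bursts(entries, min_count=3):
    """Directories created in the same minute under the same parent."""
    groups = defaultdict(list)
    for e in entries:
        if e["is_dir"]:
            groups[(e["created"], e["parent"])].append(e["name"])
    return [
        (created, parent, names)
        for (created, parent), names in sorted(groups.items())
        if len(names) >= min_count
    ]


def triage(text, min_count=3):
    """Each burst annotated with the names that match the random-name pattern."""
    report = []
    for created, parent, names in directory_bursts(parse_files_created(text), min_count):
        report.append({
            "created": created,
            "parent": parent,
            "count": len(names),
            "random_like": [n for n in names if looks_random(n)],
        })
    return report


if __name__ == "__main__":
    for item in triage(SAMPLE_FILES_CREATED):
        print(f"{item['created']}  {item['count']} new directories under {item['parent']}")
        print("  random-looking names:", ", ".join(item["random_like"]) or "none")
```

On the sample the only burst is the seven directories created at 22:28 on 2009-10-19 under All Users\Application Data, and all seven names fit the alternating pattern; the single directories created on other days (a vendor folder, a tool install) do not group and are not reported. Treat a hit as a pointer to what to inspect next (contents, timestamps relative to the other events in the log), not as proof of anything on its own.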

I have removed Viewpoint Media Player. No signs of the other two Viewpoint programs in the Add/Remove Programs list.

I ran this fresh ComboFix in the "Nick" account.

By the way, just for information, I have one startup item disabled in this account:

Name,Value,Section,Enabled,Description,Company
"DriverCure","C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan","Registry - User Run","0","DriverCure","ParetoLogic"

Here's the ComboFix log. Thank you - David.

-----------------------------------------------------------------

ComboFix 09-10-28.08 - nick 10/29/2009 23:15.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1472 [GMT -4:00]

Running from: c:\documents and settings\nick\Desktop\something.exe

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))

.

2009-10-26 07:00 . 2009-10-26 07:00 -------- d--h--w- c:\windows\PIF

2009-10-25 13:35 . 2009-10-25 13:35 -------- d-----w- c:\program files\Trend Micro

2009-10-21 16:16 . 2009-10-21 16:16 -------- d-----w- c:\program files\CodeStuff

2009-10-21 15:38 . 2009-10-21 15:38 -------- d-----w- c:\program files\WinDirStat

2009-10-21 15:21 . 2009-10-21 15:21 -------- d-----w- c:\program files\CCleaner

2009-10-21 05:52 . 2009-10-21 05:52 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\AIM

2009-10-21 05:40 . 2009-10-21 05:40 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\AIM

2009-10-21 03:53 . 2009-10-21 03:53 -------- d-----w- c:\documents and settings\alex\Application Data\Malwarebytes

2009-10-21 00:38 . 2009-10-21 00:38 -------- d-----w- c:\documents and settings\nick\Local Settings\Application Data\AIM

2009-10-20 06:45 . 2009-10-20 06:45 -------- d-----w- c:\documents and settings\nick\Application Data\Malwarebytes

2009-10-20 06:45 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-20 06:45 . 2009-10-21 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-20 06:45 . 2009-10-20 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-20 06:45 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\yayutoto

2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\sejuvoma

2009-10-19 22:28 . 2009-10-21 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\pozimadu

2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\zavuzogo

2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\reforola

2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\kuwovogi

2009-10-19 22:28 . 2009-10-19 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\fusigoka

2009-10-19 22:18 . 2009-10-19 22:18 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\AIM Toolbar

2009-10-19 21:14 . 2004-08-10 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys

2009-10-19 21:14 . 2004-08-10 12:00 4224 ------w- c:\windows\system32\drivers\beep.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-30 03:04 . 2008-04-27 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-10-21 15:12 . 2009-06-19 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure

2009-10-06 21:27 . 2008-10-25 21:56 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-11 14:33 . 2004-08-10 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 20:45 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-01 04:03 . 2009-09-01 04:03 -------- d-----w- c:\program files\Common Files\Software Update Utility

2009-09-01 03:58 . 2009-09-01 03:58 -------- d-----w- c:\program files\AIM Toolbar

2009-09-01 03:58 . 2009-09-01 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM Toolbar

2009-09-01 03:58 . 2009-09-01 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore

2009-09-01 03:58 . 2008-04-27 16:05 -------- d-----w- c:\program files\AIM6

2009-09-01 03:57 . 2008-11-22 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads

2009-08-26 08:16 . 2004-08-10 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-24 01:17 . 2008-04-23 16:09 13104 ----a-w- c:\documents and settings\nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-19 23:22 . 2008-04-29 19:14 13104 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-15 14:01 . 2008-04-23 16:07 13104 ----a-w- c:\documents and settings\alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-06 23:24 . 2008-04-23 02:18 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2008-04-23 02:18 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2008-04-23 16:12 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2008-04-23 02:18 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2008-04-23 02:18 53472 ------w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2004-08-10 12:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2008-04-23 02:18 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2008-04-23 17:48 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-08-06 23:23 . 2008-04-23 02:18 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-06 23:23 . 2007-07-30 23:18 215920 ----a-w- c:\windows\system32\muweb.dll

2009-08-05 09:11 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 13:58 . 2004-08-10 12:00 2136064 ------w- c:\windows\system32\ntoskrnl.exe

2009-08-04 13:13 . 2004-08-03 22:59 2015744 ------w- c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-24 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-13 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-25 344064]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-11-13 62464]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-11-29 55824]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-10 110592]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"= 1 (0x1)

"NoActiveDesktopChanges"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"%windir%\\system32\\drivers\\svchost.exe"=

"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 94360]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/20/2009 2:45 AM 269648]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/20/2009 2:45 AM 19160]

S3 rootrepealv1.3.5;rootrepealv1.3.5;\??\c:\windows\system32\drivers\rootrepealv1.3.5.sys --> c:\windows\system32\drivers\rootrepealv1.3.5.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2

*Deregistered* - CLASSPNP_2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

BtwSrv

.

Contents of the 'Scheduled Tasks' folder

2009-08-28 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-09-02 c:\windows\Tasks\DriverCure.job

- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-04-26 12:44]

2009-10-30 c:\windows\Tasks\Malwarebytes' Scheduled Scan for alex.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-10-21 18:53]

2009-10-29 c:\windows\Tasks\Malwarebytes' Scheduled Scan for nick.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-10-21 18:53]

2009-10-30 c:\windows\Tasks\Malwarebytes' Scheduled Update for alex.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-10-21 18:53]

2009-10-29 c:\windows\Tasks\Malwarebytes' Scheduled Update for nick.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-10-21 18:53]

2009-10-29 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2009-10-26 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\nick\Application Data\Mozilla\Firefox\Profiles\vx7n801x.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - AIM Search

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - plugin: c:\program files\Google\Google Updater\2.4.1399.3742\npCIDetect13.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-29 23:24

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(14276)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2009-10-30 23:26

ComboFix-quarantined-files.txt 2009-10-30 03:26

Pre-Run: 304,081,113,088 bytes free

Post-Run: 304,049,475,584 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - 231E544A9E54BB8A5F6CE7C68C7ADC30


  • Staff

Hi,

By the way, just for information, I have one startup item disabled in this account:


Name,Value,Section,Enabled,Description,Company

"DriverCure","C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan","Registry - User Run","0","DriverCure","ParetoLogic"

That one is fine to have. No need to disable it though. <_<

* Open notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the quotebox below into notepad:

Folder::

c:\documents and settings\All Users\Application Data\yayutoto

c:\documents and settings\All Users\Application Data\sejuvoma

c:\documents and settings\All Users\Application Data\pozimadu

c:\documents and settings\All Users\Application Data\zavuzogo

c:\documents and settings\All Users\Application Data\reforola

c:\documents and settings\All Users\Application Data\kuwovogi

c:\documents and settings\All Users\Application Data\fusigoka

NetSvc::

BtwSrv

Registry::

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\drivers\\svchost.exe"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoSetActiveDesktop"=-

"NoActiveDesktopChanges"=-

Save this as a text file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Mieke,

Thank you for your continued help.

I did as you asked with the ComboFix information and the log is at the end of this post. This was done in the "nick" account as that's where I've been working most before getting help and since working under your direction. However I cannot say with certainty which account was infected first or if after the one brought in bad stuff the other didn't do so also (either on the heels of the first infection or through the actions of "alex".)

It appears that ComboFix and MBAM are good at finding things independent of the account. However there are two differences in the HJT log files between the two accounts that I'm not sure of and wonder if there could be other things as well. The two items in the "alex" HJT log that I thought I would share are:

R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)

O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun

I don't mean to be pushy or speak out of turn ... but I wonder if at some point it might make sense once we think the "nick" account appears clear to check the "alex" account with ComboFix or something.

Back to focusing on your instructions to me and the results ...

There are two entries in the ComboFix log file that I'm curious about. They are the two entries about "beep.sys". I don't know if that's usual or why they would be there. I see from researching on Google that "beep.sys" is a normal Windows system file and that these appear to be in the right place. Is ComboFix telling us that one of the date properties changed to something within the last 30 days? And I wonder why. There's a bit more to this curiosity ... prior to my posting for help here the system motherboard speaker (really can only beep) was constantly beeping high-low-high-low (like a little siren.) My research on the AOpen motherboard I had seemed to indicate that this could happen for some other owners and they suspected a bad thermistor giving a false positive alert about temperature thus causing a false alarm (the beeping). One of the 'ideas' posted was to disconnect that speaker and so I did. I did first check with the BIOS and other tools that the system temperatures were OK and they were. I may have disconnected that speaker on the 19th interestingly enough. I don't know much about this and maybe it's nothing related. I think I will submit "beep.sys" to Virus Total to have a check on it. If you have any thoughts on this I would be interested in them. But perhaps it's nothing.

Ok - here's the log.

Again - Thank you for your continued help!!!

- David

-------------------------------------------------

ComboFix 09-10-28.08 - nick 10/30/2009 7:59.4.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1462 [GMT -4:00]

Running from: c:\documents and settings\nick\Desktop\something.exe

Command switches used :: c:\documents and settings\nick\Desktop\CFScript.txt

AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\fusigoka

c:\documents and settings\All Users\Application Data\fusigoka\fusigoka.dll

c:\documents and settings\All Users\Application Data\kuwovogi

c:\documents and settings\All Users\Application Data\kuwovogi\kuwovogi.exe

c:\documents and settings\All Users\Application Data\pozimadu

c:\documents and settings\All Users\Application Data\reforola

c:\documents and settings\All Users\Application Data\reforola\reforola.dll

c:\documents and settings\All Users\Application Data\sejuvoma

c:\documents and settings\All Users\Application Data\sejuvoma\sejuvoma.dll

c:\documents and settings\All Users\Application Data\yayutoto

c:\documents and settings\All Users\Application Data\yayutoto\yayutoto.exe

c:\documents and settings\All Users\Application Data\zavuzogo

.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-30 )))))))))))))))))))))))))))))))

.

2009-10-26 07:00 . 2009-10-26 07:00 -------- d--h--w- c:\windows\PIF

2009-10-25 13:35 . 2009-10-25 13:35 -------- d-----w- c:\program files\Trend Micro

2009-10-21 16:16 . 2009-10-21 16:16 -------- d-----w- c:\program files\CodeStuff

2009-10-21 15:38 . 2009-10-21 15:38 -------- d-----w- c:\program files\WinDirStat

2009-10-21 15:21 . 2009-10-21 15:21 -------- d-----w- c:\program files\CCleaner

2009-10-21 05:52 . 2009-10-21 05:52 -------- d-----w- c:\documents and settings\alex\Local Settings\Application Data\AIM

2009-10-21 05:40 . 2009-10-21 05:40 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\AIM

2009-10-21 03:53 . 2009-10-21 03:53 -------- d-----w- c:\documents and settings\alex\Application Data\Malwarebytes

2009-10-21 00:38 . 2009-10-21 00:38 -------- d-----w- c:\documents and settings\nick\Local Settings\Application Data\AIM

2009-10-20 06:45 . 2009-10-20 06:45 -------- d-----w- c:\documents and settings\nick\Application Data\Malwarebytes

2009-10-20 06:45 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-10-20 06:45 . 2009-10-21 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-10-20 06:45 . 2009-10-20 06:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-10-20 06:45 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-10-19 22:18 . 2009-10-19 22:18 -------- d-----w- c:\documents and settings\Guest\Local Settings\Application Data\AIM Toolbar

2009-10-19 21:14 . 2004-08-10 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys

2009-10-19 21:14 . 2004-08-10 12:00 4224 ------w- c:\windows\system32\drivers\beep.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-30 03:04 . 2008-04-27 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2009-10-21 15:12 . 2009-06-19 16:11 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverCure

2009-10-06 21:27 . 2008-10-25 21:56 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-11 14:33 . 2004-08-10 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-04 20:45 . 2004-08-10 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-01 04:03 . 2009-09-01 04:03 -------- d-----w- c:\program files\Common Files\Software Update Utility

2009-09-01 03:58 . 2009-09-01 03:58 -------- d-----w- c:\program files\AIM Toolbar

2009-09-01 03:58 . 2009-09-01 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\AIM Toolbar

2009-09-01 03:58 . 2009-09-01 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\acccore

2009-09-01 03:58 . 2008-04-27 16:05 -------- d-----w- c:\program files\AIM6

2009-09-01 03:57 . 2008-11-22 16:17 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL Downloads

2009-08-26 08:16 . 2004-08-10 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-24 01:17 . 2008-04-23 16:09 13104 ----a-w- c:\documents and settings\nick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-19 23:22 . 2008-04-29 19:14 13104 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-15 14:01 . 2008-04-23 16:07 13104 ----a-w- c:\documents and settings\alex\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-06 23:24 . 2008-04-23 02:18 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-06 23:24 . 2008-04-23 02:18 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-06 23:24 . 2008-04-23 16:12 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-06 23:24 . 2008-04-23 02:18 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-06 23:24 . 2008-04-23 02:18 53472 ------w- c:\windows\system32\wuauclt.exe

2009-08-06 23:24 . 2004-08-10 12:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-06 23:23 . 2008-04-23 02:18 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-06 23:23 . 2008-04-23 17:48 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-08-06 23:23 . 2008-04-23 02:18 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-06 23:23 . 2007-07-30 23:18 215920 ----a-w- c:\windows\system32\muweb.dll

2009-08-05 09:11 . 2004-08-10 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-04 13:58 . 2004-08-10 12:00 2136064 ------w- c:\windows\system32\ntoskrnl.exe

2009-08-04 13:13 . 2004-08-03 22:59 2015744 ------w- c:\windows\system32\ntkrnlpa.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-04-24 68856]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

"Aim6"="c:\program files\AIM6\aim6.exe" [2009-05-19 49968]

"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-12-13 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-11-25 344064]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]

"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-05-30 292136]

"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-05-14 2029640]

"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2009-07-27 180224]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2003-11-13 62464]

"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-11-29 55824]

"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2004-08-10 110592]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\AIM6\\aim6.exe"=

"c:\\Program Files\\Armagetron Advanced\\armagetronad.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleMobileDeviceService.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [5/14/2009 3:47 PM 107256]

R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/13/2008 4:52 PM 94360]

R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [5/14/2009 3:47 PM 731840]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/20/2009 2:45 AM 269648]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/20/2009 2:45 AM 19160]

S3 rootrepealv1.3.5;rootrepealv1.3.5;\??\c:\windows\system32\drivers\rootrepealv1.3.5.sys --> c:\windows\system32\drivers\rootrepealv1.3.5.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2

*Deregistered* - CLASSPNP_2

.

Contents of the 'Scheduled Tasks' folder

2009-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:34]

2009-09-02 c:\windows\Tasks\DriverCure.job

- c:\program files\ParetoLogic\DriverCure\DriverCure.exe [2009-04-26 12:44]

2009-10-30 c:\windows\Tasks\Malwarebytes' Scheduled Scan for alex.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-10-21 18:53]

2009-10-30 c:\windows\Tasks\Malwarebytes' Scheduled Scan for nick.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-10-21 18:53]

2009-10-30 c:\windows\Tasks\Malwarebytes' Scheduled Update for alex.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-10-21 18:53]

2009-10-30 c:\windows\Tasks\Malwarebytes' Scheduled Update for nick.job

- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-10-21 18:53]

2009-10-29 c:\windows\Tasks\ParetoLogic Registration.job

- c:\program files\Common Files\ParetoLogic\UUS2\UUS.dll [2009-01-13 14:59]

2009-10-30 c:\windows\Tasks\ParetoLogic Update Version2.job

- c:\program files\Common Files\ParetoLogic\UUS2\Pareto_Update.exe [2009-01-13 14:59]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

FF - ProfilePath - c:\documents and settings\nick\Application Data\Mozilla\Firefox\Profiles\vx7n801x.default\

FF - prefs.js: browser.search.defaulturl - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrie7&query=

FF - prefs.js: browser.search.selectedEngine - AIM Search

FF - prefs.js: browser.startup.homepage - google.com

FF - prefs.js: keyword.URL - hxxp://slirsredirect.search.aol.com/slirs_http/sredir?sredir=2706&invocationType=tb50fftrab&query=

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-30 08:16

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(836)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2009-10-30 8:19

ComboFix-quarantined-files.txt 2009-10-30 12:19

ComboFix2.txt 2009-10-30 03:26

Pre-Run: 304,064,831,488 bytes free

Post-Run: 304,047,857,664 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4

- - End Of File - - FE1049107F7F183DB4DE8461DAC8F65A


  • Staff
I don't mean to be pushy or speak out of turn ... but I wonder if at some point it might make sense once we think the "nick" account appears clear to check the "alex" account with ComboFix or something.
That's not needed since malware is detected anyway, no matter what user account it is running from. It's all on the same C:\

Registry entries are different, since every user has a different HKCU branch, but in case there was a malware related reference in there, it can't do anything anyway since scanners already deleted the related files.

Don't worry about beep.sys. Combofix should report if they are infected and even restore them with a clean copy.

Your logs look clean again.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

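David's question about the two beep.sys dates and the drivers\svchost.exe firewall entry that the CFScript removes both come down to reading two parts of the ComboFix log. As an added example (not code from this thread, from ComboFix, or from Malwarebytes), here is a small Python triage script over constructed lines in the shape quoted above; it assumes the first timestamp is the creation time and the second the last-write time, and the expected-location table and %windir% expansion are the example's own assumptions.

```python
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional

# Constructed sample in the shape of the "Files Created" lines quoted in this
# thread: "<timestamp A> . <timestamp B> <size|--------> <attrs> <path>".
# Assumption of this example: A is the creation time, B the last-write time.
FILES_SAMPLE = r"""
2009-10-20 06:45 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-19 21:14 . 2004-08-10 12:00 4224 -c--a-w- c:\windows\system32\dllcache\beep.sys
2009-10-19 21:14 . 2004-08-10 12:00 4224 ------w- c:\windows\system32\drivers\beep.sys
2009-10-26 07:00 . 2009-10-26 07:00 -------- d--h--w- c:\windows\PIF
"""

# Constructed sample of the firewall AuthorizedApplications values quoted above
# (registry export style, so backslashes are doubled).
FIREWALL_SAMPLE = r"""
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"""

LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)


class Entry(NamedTuple):
    created: datetime
    modified: datetime
    size: Optional[int]   # None for directories ("--------" in the log)
    attrs: str
    path: str


def parse_file_lines(text: str) -> List[Entry]:
    """Parse ComboFix-style file lines; lines that do not fit are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            created=datetime.strptime(m["created"], "%Y-%m-%d %H:%M"),
            modified=datetime.strptime(m["modified"], "%Y-%m-%d %H:%M"),
            size=int(m["size"]) if m["size"].isdigit() else None,
            attrs=m["attrs"],
            path=m["path"].lower(),
        ))
    return entries


def copied_from_older_source(entries, min_gap=timedelta(days=1)):
    """Entries whose creation time is newer than their last-write time.

    Copying or restoring a file (for example from dllcache) gives it a fresh
    creation time but keeps the source's last-write time, which is how
    beep.sys can show a 2009 date beside its 2004 date. Such files belong on
    a verify-by-hash list, not automatically on an infected list."""
    return [e for e in entries if e.created - e.modified >= min_gap]


# Where well-known Windows binaries normally live (assumption of this example,
# keyed by lowercase file name). A firewall exception for a file with one of
# these names in some other directory deserves a closer look, which is the
# case with the drivers\svchost.exe entry the CFScript above removes.
EXPECTED_LOCATION = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "sessmgr.exe": r"c:\windows\system32\sessmgr.exe",
}


def normalize_reg_path(reg_path: str) -> str:
    path = reg_path.lower().replace("\\\\", "\\")
    return path.replace("%windir%", r"c:\windows")  # assumes the default %windir%


def misplaced_firewall_exceptions(text: str) -> List[str]:
    """Authorized-application paths whose file name is known but whose
    directory is not the expected one."""
    flagged = []
    for line in text.splitlines():
        m = re.match(r'^"(?P<path>[^"]+)"=', line.strip())
        if not m:
            continue
        path = normalize_reg_path(m["path"])
        expected = EXPECTED_LOCATION.get(path.rsplit("\\", 1)[-1])
        if expected and path != expected:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for e in copied_from_older_source(parse_file_lines(FILES_SAMPLE)):
        print("verify by hash:", e.path, e.created.date(), "vs", e.modified.date())
    for p in misplaced_firewall_exceptions(FIREWALL_SAMPLE):
        print("misplaced firewall exception:", p)
```

Note that mbam.sys is flagged by the same rule as beep.sys: an installer copying a file built weeks earlier produces exactly that created-after-modified pair, which is why the rule sorts files for a hash check rather than calling them infected.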

Mieke,

I did the ComboFix /Uninstall and it appeared to do that successfully. I restarted the system for good health.

I wasn't sure what to do next but to perhaps use the system a little and see how it seems to be working. In the process I think something I did hit something or found something that came a bit to life and I'm not sure what to do next.

Here's what I did ...

Re-enabled the following startup since we thought that might be fine:

"DriverCure","C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan","Registry - User Run","0","DriverCure","ParetoLogic"

I noticed the system had version 1.5.0 of Spybot Search & Destroy and it hadn't been used since 4/32/2008. So I first went out to the web using internet explorer (as I have been doing if needed with no problems) to safer networking and downloaded the 1.6.2 version. I then uninstalled 1.5.0 version and restarted the system as instructed by Spybot uninstaller.

When I returned into Windows I then installed SpyBot S&D and allowed it to get updates upon install. When it started I then used the application itself to go check for any more recent updates and it had 2-3 more which I let it get. It restarted itself after getting those updates.

I enabled the 'immunization' for all items for SpyBot S&D - this took a long while.

I also found that SpywareBlaster(SWB) was version 4.0 and last used 4/23/2008. So I uninstalled SWB. Went to the JavaCools website and downloaded the 4.2 version and installed it. I then got updates and then enabled all protections.

Somehow in the process I either purposely started FireFox to 'test' it (or it's set to come on with the AIM startup to the AOL page).

FireFox said I needed to update to the latest version of Adobe Flash ASAP so I did that.

After that update I re-visited the Adobe Flash website to check the version and it reported that we now had the latest version installed for FireFox, Internet Explorer and other apps.

So far so good I'm thinking.

Anytime I was prompted to restart the system I did so.

Most of this was done in the "Nick" account. But I did also visit the "Alex" account and did some minor things there (I may have done one of the uninstalls there or tested FireFox and/or IE there.)

Anyway - it was the Spybot S&D scan in the "nick" account that showed way more problems than I expected.

I expected I might find cookies or some remnants in the registry but I think more than that was found. I'm wondering if one of the actions above woke something up???

I think the full report log from SBS&D gives the most insight. So I hope you will bear with me or forgive me if I've done too much and this is not what you wanted me to do.

NOTE: One item SBS&D said it could not remove that item currently because the item was resident in memory and requested that I allow it to do a rescan upon reboot. I said 'Yes' or 'OK'. HOWEVER ... I have not actually restarted the system yet awaiting your thoughts on what to do.

I generated another HJT log but I don't think it shows much. Maybe Spybot cleaned up stuff before making the HJT log. I'll post the HJT log after the SBS&D full results log.

My concerns are the Virtumonde Autorun settings having showed up somehow as well as other things right in that same area near the top of the log. Also the HK_CU:Run's near the end I'm not so sure about "BackWeb" for LogiTech (maybe normal?), HK_CU:Run, 46564429 to run C:\Documents and Settings\All Users\Application Data\46564429\46564429.exe??, then there's 'calc' with strange network file call, and others after that point. I'll stop. You can see this in the log itself if it's helpful.

So - what to do next?

- Restart and let SBS&D rescan.

- Disable that restart rescan and update and run MBAM?

- Something else

Thank you for your help.

The post won't go through with this message and a log. So following this post will be the two log files.

- David


The Spybot Full Results log still too big for a post so see attachment please for that log.

I'll try putting the HJT log here

-----------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:22:02 PM, on 10/30/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16876)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe

C:\Program Files\PowerISO\PWRISOVM.EXE

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O3 - Toolbar: AIM Toolbar - {61539ecd-cc67-4437-a03c-9aaccbd14326} - C:\Program Files\AIM Toolbar\aimtb.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [startCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKLM\..\RunOnce: [spybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

O4 - HKCU\..\Run: [AdobeUpdater] "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [DriverCure] C:\Program Files\ParetoLogic\DriverCure\DriverCure.exe -scan

O9 - Extra button: AIM Toolbar - {0b83c99c-1efa-4259-858f-bcb33e007a5b} - C:\Program Files\AIM Toolbar\aimtb.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1208967146406

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1208967221593

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

--

End of file - 7033 bytes

SpybotSD.Full.Results_nick.txt


Things are looking very good. Thank you, thank you, thank you!

I let the restart and re-scan of Spybot do its thing.

Afterwards I put the computer to the test again. In and out of both accounts. Running Internet Explorer and FireFox. Getting FireFox update. Checking HJT logs before and after. Running Spybot in both accounts - clean. Updating MBAM and running full scan in one account and short in another - clean. So looking great!

I'm thinking the two admin accounts and the computer itself are good and clean.

The only thing remaining is the state of the Guest account which I haven't visited since a week ago when whatever was on this machine did have its fun messing with the guest account as well (I believe reconfiguring the desktop and look of windows explorer menu bars). I'm gathering that the system is clean however.

I did (from one of the admin accounts) look through the guest account documents and desktop. There are a few (3 or 4 pictures and some data animation file, *.piv I think.) I had eset NOD32 scan the account - no problems reported.

So my choice (unless you have anything else for me to do or a better suggestion) would be to either:

A.) Log into the guest account and see what damage there might be (if it hasn't already been fixed) and make some assessment or look for fixes for what I might see.

or

B.) Save the few pictures - out of the guest account to another area on the computer. Log into one of the admin accounts. Delete the Guest account. And then tell Windows to recreate the guest account and put the few pictures back.

If I did "B" I would be following instructions found at:

hxxp://www.dslreports.com/faq/xpinstall/7._Troubleshooting_and_Repair#8212

Which basically suggests:

To restore the default GUEST ACCOUNT in Windows XP, follow these steps:


  • Staff

Hi,

The only thing remaining is the state of the Guest account which I haven't visited since a week ago when whatever was on this machine did have its fun messing with the guest account as well (I believe reconfiguring the desktop and look of windows explorer menu bars). I'm gathering that the system is clean however.
The guest account runs with restricted privileges, since this one doesn't have admin rights, so malware won't have much chance there anyway. <_<

That's why it's always a good idea to use the Guest account as much as possible for using the internet, this instead of the admin account.

Also see here for more info: http://cybercoyote.org/security/not-admin.shtml

I wouldn't tinker with the Guest account in general. No need to delete it/whatever. The guest account will be OK anyway. :)

Glad I could help. :D

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!


Mieke,

Things are working great. Thank you very much.

I've taken care of cleaning up the guest account. Actually I used the above procedure I found on the net and just removed it and regenerated it. I know what you said is true but I wasn't pleased with what I saw in there and the files left by 'guests' in my documents. They appeared to be part of files from P2P sharing, some compressed self-expanding with unknown names, too big for Virus Total ... blah, blah, blah ... so I decided to play it super safe and got rid of them all. Even the photo was nothing special but a logo from a sports team.

I made a full backup first just to be safe but it worked fine.

I've got MBAM going and it's licensed with 24/7 protection and daily updates and scans scheduled.

NOD 32 AV is licensed and doing its thing.

And I've put instructions on the machine and told alex, nick and others about P2P risks and other such things ... as well as impressing upon them to make sure things (Spybot, SpywareBlaster) are kept up to date and run scans. I'll keep better tabs on the system than I have before (at least I hope to!)

Thank you for your other references for me to read. I will do so.

Thank you so much. I'm inspired to want to learn how to help others like you and others here do. It seems like it must take forever to learn what you know. Kudos for your work and help to me and others!!!!

I think this can be closed.

- David
