Jump to content

Trojan Agent in Registry, userinit.exe uid backdoor.bot and rundll32.exe problem


Recommended Posts

Hi,

This is my first time posting, on my own I've removed a lot of viruses that come back after malwarebytes removes and reboots, and I learnt a lot through using a search engine to find other instances of the same virus on forums. I even tried to avoid solutions involing HijackThis. One I had came up on mb scan as an .sys & came back after rebooting. I found out that I had to use rootkit to wipe the .sys file, re-run mb and mb found other files with the same name, removed them and that was the end of it.

Unfortunatly from what I can see there isn't much more I can do on my own, even thought I've had a virus that almost grounded the system to a stop, this time is worse cause I can't remove it by myself. From what I have gathered, the backdoor.bots aren't severe in terms of backdoor.bots and the userinit shouldn't be deleted but is infected. I sent the infected userinit.exe to virustotal.com for an analysis and it came back 5/42.

also, as I saw in http://forums.malwarebytes.org/index.php?showtopic=5591 I have an infected userinit.exe, Upon login when I sign into my account the system 'hangs' and I have to open task manager and manually get it to load the desktop (I click new task, right click a folder, click explore, and that starts 'explorer.exe' loads the desktop with the start button)

and I also get error messages saying rundll32.exe fails to initialise properly.

Here is Malwarebytes output:

Malwarebytes' Anti-Malware 1.44

Database version: 3917

Windows 5.1.2600 Service Pack 2

Internet Explorer 8.0.6001.18702

27/03/2010 00:45:11

mbam-log-2010-03-27 (00-45-11).txt

Scan type: Quick Scan

Objects scanned: 161297

Time elapsed: 9 minute(s), 11 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent.Gen) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent.Gen) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And the HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 00:11:28, on 27/03/2010

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Acer\Empowering Technology\admServ.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Olympus\DeviceDetector\DM1Service.exe

C:\Program Files\CA\eTrust Antivirus\InoRpc.exe

C:\Program Files\CA\eTrust Antivirus\InoRT.exe

C:\Program Files\CA\eTrust Antivirus\InoTask.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\System32\PAStiSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\Explorer.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

C:\PROGRA~1\CA\ETRUST~1\realmon.exe

C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Acer\Empowering Technology\eRecovery\Monitor.exe

C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

C:\Acer\Empowering Technology\admtray.exe

C:\WINDOWS\system32\igfxext.exe

C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\DOCUME~1\JOHNMU~1\LOCALS~1\Temp\RtkBtMnt.exe

C:\WINDOWS\system32\wbem\unsecapp.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe

C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\QuickTime\QuickTimePlayer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

about:tabs

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

wmplayer.exe //ICWLaunch

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32

\userinit.exe,C:\WINDOWS\system32\msfqqn32.exe,

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-

5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows

Live\WindowsLiveLogin.dll

O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-

396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll

O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering

Technology\ePower\ePower_DMC.exe

O4 - HKLM\..\Run: [iSUSPM Startup] "c:\Program Files\Common

Files\InstallShield\UpdateService\isuspm.exe" -startup

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program

Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] C:\Program Files\Common Files\Scansoft

Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

O4 - HKLM\..\Run: [DNS7reminder] "C:\Program

Files\Nuance\NaturallySpeaking9\Program\ereg.exe" -r "C:\Program

Files\Nuance\NaturallySpeaking9\Program\ereg.ini"

O4 - HKLM\..\Run: [synTPLpr] C:\Program

Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program

Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [RemoteControl] "C:\Program

Files\CyberLink\PowerDVD\PDVDServ.exe"

O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe

-s

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32

\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32

\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD &

DVD-Maker 7\ntiMUI.exe

O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32

\IME\PINTLGNT\ImScInst.exe /SYNC

O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

O4 - HKLM\..\Run: [LaunchApp] Alaunch

O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType

Pro\itype.exe"

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common

Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [intelliPoint] "C:\Program Files\Microsoft

IntelliPoint\ipoint.exe"

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE"

/Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software

Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering

Technology\eRecovery\Monitor.exe

O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering

Technology\eDataSecurity\eDSloader.exe

O4 - HKLM\..\Run: [AzMixerSel] C:\Program

Files\Realtek\InstallShield\AzMixerSel.exe

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering

Technology\admtray.exe"

O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering

Technology\ePower\Acer ePower Management.exe boot

O4 - HKLM\..\Run: [adiras] adiras.exe

O4 - HKLM\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-

Aware\AAWTray.exe

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe

bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [Chozemunajazetij] rundll32.exe

"C:\WINDOWS\uholekoconisi.dll",Startup

O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!

\Messenger\YahooMessenger.exe" -quiet

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0

\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [iSUSPM] "C:\Program Files\Common

Files\InstallShield\UpdateService\isuspm.exe" -scheduler

O4 - HKCU\..\Run: [Eyeball Chat] "C:\Program Files\Eyeball\Eyeball

Chat\EyeballChat.exe" -min

O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

(User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE

(User 'Default user')

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Bluetooth Manager.lnk = ?

O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-

840\dslmon.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program

Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program

Files\HP\Digital Imaging\bin\hpqthb08.exe

O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5

-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} -

C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -

C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-

82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-

BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\lspsou.dll

O15 - Trusted Zone: http://www.reallusion.com

O16 - DPF: CabBuilder -

http://kiw.imgag.com/imgag/kiw/toolbar/dow...llerControl.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo

Uploader 5 Control) -

http://upload.facebook.com/controls/2008.1...bookPhotoUpload

er5.cab

O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) -

file:///C:/Program%20Files/Monopoly%20Here%20and%20Now/Images/stg_drm.ocx

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine

Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) -

http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab

O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) -

http://dlm.tools.akamai.com/dlmanager/vers...ex/dlm-activex-

2.2.3.5.cab

O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown

Class) -

http://messenger.zone.msn.com/binary/Solit...wn.cab56986.cab

O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) -

http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab

O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin

Object) - http://download.divx.com/player/DivXBrowserPlugin.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdat...en/x86/client/m

uweb_site.cab?1159189640140

O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class)

- http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab

O16 - DPF: {AC120B1D-9411-4111-AF52-118052D85D45} (GameDesire Darts

Games) - http://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab

O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient

Class) -

http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab

O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) -

file:///C:/Program%20Files/Monopoly%20Here%20and%

20Now/Images/armhelper.ocx

O16 - DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} (Windows Live Hotmail

Photo Upload Tool) -

http://gfx1.hotmail.com/mail/w4/pr01/photo...ol/MSNPUpld.cab

O16 - DPF: {EB6D7E70-AAA9-40D9-BA05-F214089F2275} (Vitalize Class) -

http://download.clickteam.com/vitalize3/vitalize.cab

O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager

Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-

activex-2.2.1.6.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} -

C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. -

C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. -

C:\Acer\Empowering Technology\admServ.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##

(Bonjour Service) - Apple Computer, Inc. - C:\Program

Files\Bonjour\mDNSResponder.exe

O23 - Service: Crypkey License - CrypKey (Canada) Ltd. -

C:\WINDOWS\SYSTEM32\crypserv.exe

O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program

Files\Olympus\DeviceDetector\DM1Service.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel

Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. -

C:\Program Files\Common Files\Macrovision Shared\FLEXnet

Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050

\Intel 32\IDriverT.exe

O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates

International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe

O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer

Associates International, Inc. - C:\Program Files\CA\eTrust

Antivirus\InoRT.exe

O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer

Associates International, Inc. - C:\Program Files\CA\eTrust

Antivirus\InoTask.exe

O23 - Service: KService - Kontiki Inc. - C:\Program

Files\Kontiki\KService.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program

Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service

(LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common

Files\LightScribe\LSSrvc.exe

O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common

Files\Sony Shared\AVLib\MSCSPTISRV.exe

O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common

Files\Sony Shared\AVLib\PACSPTISVR.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) -

Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd)

- CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel

Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: SIMUL8 Parallel Processor (SIMUL8Parallel) - SIMUL8

Corporation - C:\PROGRA~1\SIMUL8\SIMUL8_ParallelSVC.exe

O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation -

C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation -

C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32

\PAStiSvc.exe

O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION -

C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--

End of file - 15843 bytes

Appreciate the Help

Link to post
Share on other sites

Hello John26

Welcome to Malwarebytes.

=====================

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

=================

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Link to post
Share on other sites

Hello John26

Welcome to Malwarebytes.

=====================

Looking at your system now, one or more of the identified infections is a backdoor Trojan.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

=================

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

Thank you, I hope you gave me a personal response and not a Generalised Already Writen Response. Combofix went throught a whole process to find the infected file, which I already knew was userinit.exe thats why I posted here. I've removed lots of virus without asking for help and this is the first time becuase usernit is an infected file that can't be deleted and I can't fix it myself.

Sorry if I sound like I'm not gratful, I am grateful its just that I don't want to be classed as "Low Level Inquiry" (Thats how it took a week for xbox support to answer something they could've answered in a day!!)

Here is the combofix.txt:

ComboFix 10-03-26.02 - John Murphy 27/03/2010 19:46:07.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.585 [GMT 0:00]

Running from: c:\documents and settings\John Murphy\Desktop\ComboFix.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

c:\documents and settings\John Murphy\Local Settings\Application Data\{8269CA71-FA11-47E4-81BF-628E253C3789}

c:\documents and settings\John Murphy\Local Settings\Application Data\{8269CA71-FA11-47E4-81BF-628E253C3789}\chrome.manifest

c:\documents and settings\John Murphy\Local Settings\Application Data\{8269CA71-FA11-47E4-81BF-628E253C3789}\chrome\content\_cfg.js

c:\documents and settings\John Murphy\Local Settings\Application Data\{8269CA71-FA11-47E4-81BF-628E253C3789}\chrome\content\overlay.xul

c:\documents and settings\John Murphy\Local Settings\Application Data\{8269CA71-FA11-47E4-81BF-628E253C3789}\install.rdf

c:\program files\WinPCap

c:\program files\WinPCap\daemon_mgm.exe

c:\program files\WinPCap\npf_mgm.exe

c:\program files\WinPCap\rpcapd.exe

c:\windows\Downloaded Program Files\f3initialsetup1.0.0.15-3.inf

c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\eSellerateEngine.dll

c:\windows\jestertb.dll

c:\windows\system32\drivers\npf.sys

c:\windows\system32\dz1.txt

c:\windows\system32\lsprst7.dll

c:\windows\system32\p1.txt

c:\windows\system32\Packet.dll

c:\windows\system32\prsgrc.dll

c:\windows\system32\pthreadVC.dll

c:\windows\system32\r24.txt

c:\windows\system32\sblog.txt

c:\windows\system32\WanPacket.dll

c:\windows\system32\wpcap.dll

c:\windows\uholekoconisi.dll

----- BITS: Possible infected sites -----

hxxp://oft.ag

Infected copy of c:\windows\system32\userinit.exe was found and disinfected

Restored copy from - c:\system volume information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP83\A0017969.exe

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_NPF

((((((((((((((((((((((((( Files Created from 2010-02-27 to 2010-03-27 )))))))))))))))))))))))))))))))

.

2010-03-27 00:11 . 2010-03-27 00:11 -------- d-----w- c:\program files\Trend Micro

2010-03-26 16:38 . 2010-03-26 16:38 -------- d-----w- c:\windows\system32\wbem\Repository

2010-03-16 21:58 . 2004-08-04 04:00 24576 ----a-w- c:\windows\system32\stu2.exe

2010-03-09 15:27 . 2010-03-09 15:27 -------- d-sh--w- c:\documents and settings\John Murphy\IECompatCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-27 20:04 . 2008-11-21 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2010-03-27 19:58 . 2009-05-29 21:25 12 ----a-w- c:\windows\bthservsdp.dat

2010-03-27 19:23 . 2010-02-19 03:17 120 ----a-w- c:\windows\Thokacupodovujep.dat

2010-03-27 01:29 . 2010-02-19 03:17 0 ----a-w- c:\windows\Vviwazukohomalok.bin

2010-03-26 23:39 . 2007-08-07 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-03-26 18:22 . 2009-05-25 23:04 -------- d-----w- c:\program files\CCleaner

2010-03-26 17:01 . 2007-08-07 17:19 -------- d-----w- c:\program files\Viewpoint

2010-03-26 16:21 . 2010-03-26 16:30 214978 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2010-03-26 02:50 . 2007-08-07 16:54 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Skype

2010-03-09 05:01 . 2009-11-10 04:51 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Any Video Converter

2010-03-01 19:15 . 2009-06-22 18:21 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2010-03-01 19:15 . 2009-06-22 18:21 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll

2010-03-01 19:15 . 2009-06-22 18:21 173408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2010-03-01 19:15 . 2009-06-01 18:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2010-03-01 19:15 . 2009-05-05 18:33 15688 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-01 19:15 . 2009-06-22 18:20 350544 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2010-03-01 19:15 . 2009-06-22 18:20 303456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-03-01 19:15 . 2009-06-27 16:26 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2010-03-01 19:15 . 2009-06-01 18:14 89952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2010-03-01 19:14 . 2009-06-01 18:14 254832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2010-03-01 19:14 . 2009-06-01 18:14 45408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2010-03-01 19:14 . 2009-06-22 18:19 671592 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2010-03-01 19:14 . 2009-09-28 18:13 3701760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

2010-03-01 19:14 . 2009-06-22 18:18 566648 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2010-03-01 19:14 . 2009-06-22 18:17 567144 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2010-03-01 19:13 . 2009-06-22 18:17 2357064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2010-03-01 19:13 . 2009-06-22 18:15 524632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2010-03-01 19:13 . 2009-06-22 18:15 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2010-02-20 11:57 . 2010-02-20 11:57 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat

2010-02-19 03:13 . 2010-02-19 03:13 16 ----a-w- c:\documents and settings\LocalService\Application Data\cqfyto.dat

2010-02-13 16:39 . 2010-02-13 16:39 50354 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\uninstall.exe

2010-02-13 16:39 . 2010-02-13 16:39 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Facebook

2010-02-12 10:03 . 2010-02-25 15:44 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-10 21:00 . 2006-09-22 15:43 49664 ----a-w- c:\documents and settings\John Murphy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth2.dll

2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth1.dll

2010-02-10 19:15 . 2010-02-10 19:15 16 ---h--w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\e563io5.dll

2010-02-10 19:15 . 2010-02-10 19:14 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth2.dll

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\Common Files\SPSS

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\SPSSInc

2010-02-10 19:06 . 2010-02-10 19:06 1025 ----a-w- c:\windows\system32\sysprs7.dll

2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\axfbootloader.dll

2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\npfbplugin_1_0_1.dll

2010-01-28 16:52 . 2008-11-05 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-28 16:52 . 2009-05-29 16:19 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-28 00:31 . 2008-01-16 23:04 2434 ----a-w- c:\documents and settings\John Murphy\Application Data\SAS7_000.DAT

2010-01-14 12:01 . 2006-09-25 10:18 69878 -c--a-w- c:\windows\hpoins05.dat

2010-01-07 16:07 . 2008-11-05 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 16:07 . 2008-11-05 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:14 . 2006-04-21 06:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2007-08-07 17:44 . 2007-08-07 17:43 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe

2009-04-19 11:32 . 2007-08-18 23:47 67688 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-04-19 11:32 . 2007-08-18 23:47 54368 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-04-19 11:32 . 2007-08-18 23:47 34944 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-04-19 11:32 . 2007-08-18 23:47 46712 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-04-19 11:32 . 2007-08-18 23:47 172136 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"Eyeball Chat"="c:\program files\Eyeball\Eyeball Chat\EyeballChat.exe" [2002-10-11 2863176]

"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 352256]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe" [2006-06-28 1404928]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-01 102491]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-01 692315]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-23 155648]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 471040]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-05 437008]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 53248]

"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]

"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 3080704]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-20 185896]

"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-18 2752512]

DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-8-7 962660]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]

"Userinit"="c:\windows\system32\userinit.exe,c:\windows\system32\msfqqn32.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\Property Controller.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\Property Controller.exe

"c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\MindMapLauncher.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\MindMapLauncher.exe

"c:\\program files\\texthelp systems\\read and write 8\\RW8.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\RW8.exe

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=

"d:\\My Data\\Limewire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=

"c:\\Program Files\\Multimedia Fusion 2\\Data\\Runtime\\edrt.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Contacts\\wlcomm.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=

"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=

"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/04/2009 18:13 64160]

S0 osmswiak;osmswiak; [x]

S2 SIMUL8Parallel;SIMUL8 Parallel Processor;c:\progra~1\SIMUL8\SIMUL8_ParallelSVC.exe [14/01/2008 19:31 502272]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 19:06 1029456]

S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 11:29 162176]

S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?]

.

Contents of the 'Scheduled Tasks' folder

2010-03-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:14]

2010-03-27 c:\windows\Tasks\HPpromotions journeysoftware.job

- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]

2010-03-27 c:\windows\Tasks\User_Feed_Synchronization-{2AF3A6D8-46D6-4A7E-B7DE-7188C750983E}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]

2010-03-27 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 21:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:tabs

uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: reallusion.com\www

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {AC120B1D-9411-4111-AF52-118052D85D45} - hxxp://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab

FF - ProfilePath - c:\documents and settings\John Murphy\Application Data\Mozilla\Firefox\Profiles\3z63gkqu.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: network.proxy.type - 4

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

WebBrowser-{6638A9DE-0745-4292-8A2E-AE530E7B9B3F} - (no file)

HKLM-Run-adiras - adiras.exe

HKLM-Run-Chozemunajazetij - c:\windows\uholekoconisi.dll

ActiveSetup-{2E1A9DE4-ADA0-4501-A46E-6633CDB01654} - xagkf32.dll

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-27 20:00

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{71A78D8C-2A2C-F1E0-42C57DD6D788EDD0}\{92C0E49C-6DF5-7FD3-2A5D5DA34780C80D}\{FCC2AF23-71C0-A57B-CCE1F90128BA76FE}*]

"JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43,

80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D6C53DCC-FBE6-A484-895E707488E1192C}\{427B1CEB-CDC7-050B-E6202C9404952D54}\{86A51E58-9B8E-E4EB-26F8074E7F2FD295}*]

"JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43,

80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\wininet.dll

- - - - - - - > 'lsass.exe'(980)

c:\windows\system32\wininet.dll

- - - - - - - > 'explorer.exe'(3116)

c:\windows\system32\WININET.dll

c:\windows\system32\MSNChatHook.dll

c:\windows\system32\sysenv.dll

c:\windows\system32\MSVCR71.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\acer\Empowering Technology\ePower\SysHook.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\acer\Empowering Technology\admServ.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\crypserv.exe

c:\program files\Olympus\DeviceDetector\DM1Service.exe

c:\program files\CA\eTrust Antivirus\InoRpc.exe

c:\program files\CA\eTrust Antivirus\InoRT.exe

c:\program files\CA\eTrust Antivirus\InoTask.exe

c:\program files\Kontiki\KService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\System32\PAStiSvc.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

c:\windows\system32\rundll32.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

c:\docume~1\JOHNMU~1\LOCALS~1\Temp\RtkBtMnt.exe

c:\program files\Java\jre1.6.0_05\bin\jucheck.exe

.

**************************************************************************

.

Completion time: 2010-03-27 20:09:47 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-27 20:09

Pre-Run: 2,080,817,152 bytes free

Post-Run: 2,409,046,016 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 904AD04B98EE1D32987EB017F3BF7571

Link to post
Share on other sites

The userinit.exe seems to be ok now, Seems the root of the problem is uid. The backdoor.bots remove easily, uid is coming back and downloading the backdoor.bots.

So, what is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid ?? UID keeps coming back after deletion, is uid part of a virus or is it an infected windows file like userinit.exe was?

Link to post
Share on other sites

Been doing stuff by myself and I'm sorry but I don't believe you actually looked at my HijackThis Log properly. Seems like you saw infected userinit and simply suggested Combofix to restore it. Now I'm left with uid coming back and downloading backdoor.bots, and I think user miekiemoes has just inadvertently helped me in another topic which is almost identical to the stage I'm at now.

In http://forums.malwarebytes.org/index.php?showtopic=40652 the problem is uid and 4 backdoor.bots. miekiemoes in his first post response noticed UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\mskqyj32.exe in the HJT, identical to my "F2 - REG:system.ini: UserInit=C:\WINDOWS\system32

\userinit.exe,C:\WINDOWS\system32\msfqqn32.exe" its the exact same ms****32.exe in userinit producing the same results in malwarebytes scan (uid and # of backdoor.bot)

So I'm going to take this matter myself and follow his steps http://forums.malwarebytes.org/index.php?s...rt=#entry202503

Link to post
Share on other sites

but I don't believe you actually looked at my HijackThis Log properly.
Seriously do you know what I am thinking or what I see I don't think you do.

I don't throw combofix at logs in' hopes it will do all of the work for me.

By the way Mikemoes is a woman.

If you are going to do that then I will help you no further I will relay this to someone to have this topic closed,have a good one.

Link to post
Share on other sites

Seriously do you know what I am thinking or what I see I don't think you do.

I don't throw combofix at logs in' hopes it will do all of the work for me.

By the way Mikemoes is a woman.

If you are going to do that then I will help you no further I will relay this to someone to have this topic closed,have a good one.

Fact: The first post had a HTJ that showed ms****.exe and you appear to have missed that, and I did say "I am sorry but..."

I saw a difference between the topics. There was clearly a ms****.exe problem that you missed but Mikemoes saw on another very similar topic. I have followed what Mikemoes suggested in the other topic and now everything seems to be fine :)

Again, I said "I am sorry but", and again, you missed the ms****.exe part, and again now everything seems to be fine :)

If you look back I tried to be clear and respectful, as I said "Sorry if I sound like I'm not gratful, I am grateful"

Link to post
Share on other sites

Again, I said "I am sorry but", and again, you missed the ms****.exe part, and again now everything seems to be fine
In Fact I did not miss it but I didn't point it out to you that I saw it does that make sense now?

If I had time to explain each step as I go along that would take way too much time and point out each entry that is malware.

Cf is updated frequently to handle new emerging threats the malware removal process is not a one step thing and because some symptoms are not present anymore that does not mean that the problem is gone.

Now do you want me to continue helping you or did you want to continue doing it on your own.

I do not have time to waste if you do not want to follow my instructions to finish then that is fine either way let me know.

Link to post
Share on other sites

In Fact I did not miss it but I didn't point it out to you that I saw it does that make sense now?

If I had time to explain each step as I go along that would take way too much time and point out each entry that is malware.

Cf is updated frequently to handle new emerging threats the malware removal process is not a one step thing and because some symptoms are not present anymore that does not mean that the problem is gone.

Now do you want me to continue helping you or did you want to continue doing it on your own.

I do not have time to waste if you do not want to follow my instructions to finish then that is fine either way let me know.

Makes a little bit of sense, but not much sense. I think it would be much better if there was a way you could've just pointed it out in the first post, then I wouldn't have had to spend the night deleting UID manually from registry every 10mins when it came back. As you saw with the posts I left, after userinit.exe was restored I was stuck with a reinfecting UID downloading Backdoor.bots.

Refering back to my first post, I have removed a rootkit disguised as a .sys and removed a Trojan.TDSS on my own, so this isn't the first time I've tried to solve it myself. I started the topic cause I knew I couldn't restore the userinit.exe on my own (which I am really gratefull for your help on that) and I'm glad I found that other topic to help me throught the rest.

Malwarebytes scans are coming up clean, things seem to be running fine. As far as I can tell this issue is resolved

But if you can see something I can't, here is the last Combofix Log:

ComboFix 10-03-26.02 - John Murphy 28/03/2010 6:41.4.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.521 [GMT 1:00]

Running from: c:\documents and settings\John Murphy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\John Murphy\Desktop\CFScript.txt

file zipped: c:\windows\system32\msfqqn32.exe

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\msfqqn32.exe

.

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-28 )))))))))))))))))))))))))))))))

.

2010-03-27 00:11 . 2010-03-27 00:11 -------- d-----w- c:\program files\Trend Micro

2010-03-26 16:38 . 2010-03-26 16:38 -------- d-----w- c:\windows\system32\wbem\Repository

2010-03-16 21:58 . 2004-08-04 04:00 24576 ----a-w- c:\windows\system32\stu2.exe

2010-03-09 15:27 . 2010-03-09 15:27 -------- d-sh--w- c:\documents and settings\John Murphy\IECompatCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-28 05:53 . 2008-11-21 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2010-03-28 05:47 . 2009-05-29 21:25 12 ----a-w- c:\windows\bthservsdp.dat

2010-03-27 19:23 . 2010-02-19 03:17 120 ----a-w- c:\windows\Thokacupodovujep.dat

2010-03-27 01:29 . 2010-02-19 03:17 0 ----a-w- c:\windows\Vviwazukohomalok.bin

2010-03-26 23:39 . 2007-08-07 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-03-26 18:22 . 2009-05-25 23:04 -------- d-----w- c:\program files\CCleaner

2010-03-26 16:21 . 2010-03-26 16:30 214978 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2010-03-26 02:50 . 2007-08-07 16:54 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Skype

2010-03-09 05:01 . 2009-11-10 04:51 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Any Video Converter

2010-03-01 19:15 . 2009-06-22 18:21 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2010-03-01 19:15 . 2009-06-22 18:21 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll

2010-03-01 19:15 . 2009-06-22 18:21 173408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2010-03-01 19:15 . 2009-06-01 18:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2010-03-01 19:15 . 2009-05-05 18:33 15688 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-01 19:15 . 2009-06-22 18:20 350544 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2010-03-01 19:15 . 2009-06-22 18:20 303456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-03-01 19:15 . 2009-06-27 16:26 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2010-03-01 19:15 . 2009-06-01 18:14 89952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2010-03-01 19:14 . 2009-06-01 18:14 254832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2010-03-01 19:14 . 2009-06-01 18:14 45408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2010-03-01 19:14 . 2009-06-22 18:19 671592 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2010-03-01 19:14 . 2009-09-28 18:13 3701760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

2010-03-01 19:14 . 2009-06-22 18:18 566648 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2010-03-01 19:14 . 2009-06-22 18:17 567144 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2010-03-01 19:13 . 2009-06-22 18:17 2357064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2010-03-01 19:13 . 2009-06-22 18:15 524632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2010-03-01 19:13 . 2009-06-22 18:15 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2010-02-20 11:57 . 2010-02-20 11:57 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat

2010-02-19 03:13 . 2010-02-19 03:13 16 ----a-w- c:\documents and settings\LocalService\Application Data\cqfyto.dat

2010-02-13 16:39 . 2010-02-13 16:39 50354 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\uninstall.exe

2010-02-13 16:39 . 2010-02-13 16:39 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Facebook

2010-02-12 10:03 . 2010-02-25 15:44 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-10 21:00 . 2006-09-22 15:43 49664 ----a-w- c:\documents and settings\John Murphy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth2.dll

2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth1.dll

2010-02-10 19:15 . 2010-02-10 19:15 16 ---h--w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\e563io5.dll

2010-02-10 19:15 . 2010-02-10 19:14 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth2.dll

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\Common Files\SPSS

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\SPSSInc

2010-02-10 19:06 . 2010-02-10 19:06 1025 ----a-w- c:\windows\system32\sysprs7.dll

2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\axfbootloader.dll

2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\npfbplugin_1_0_1.dll

2010-01-28 16:52 . 2008-11-05 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-28 16:52 . 2009-05-29 16:19 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-28 00:31 . 2008-01-16 23:04 2434 ----a-w- c:\documents and settings\John Murphy\Application Data\SAS7_000.DAT

2010-01-14 12:01 . 2006-09-25 10:18 69878 -c--a-w- c:\windows\hpoins05.dat

2010-01-07 16:07 . 2008-11-05 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 16:07 . 2008-11-05 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:14 . 2006-04-21 06:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2007-08-07 17:44 . 2007-08-07 17:43 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe

2009-04-19 11:32 . 2007-08-18 23:47 67688 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-04-19 11:32 . 2007-08-18 23:47 54368 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-04-19 11:32 . 2007-08-18 23:47 34944 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-04-19 11:32 . 2007-08-18 23:47 46712 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-04-19 11:32 . 2007-08-18 23:47 172136 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"Eyeball Chat"="c:\program files\Eyeball\Eyeball Chat\EyeballChat.exe" [2002-10-11 2863176]

"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 352256]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe" [2006-06-28 1404928]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-01 102491]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-01 692315]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-23 155648]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 471040]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-05 437008]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 53248]

"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]

"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 3080704]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-20 185896]

"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-18 2752512]

DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-8-7 962660]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\Property Controller.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\Property Controller.exe

"c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\MindMapLauncher.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\MindMapLauncher.exe

"c:\\program files\\texthelp systems\\read and write 8\\RW8.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\RW8.exe

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=

"d:\\My Data\\Limewire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=

"c:\\Program Files\\Multimedia Fusion 2\\Data\\Runtime\\edrt.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Contacts\\wlcomm.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=

"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=

"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/04/2009 19:13 64160]

S0 osmswiak;osmswiak; [x]

S2 SIMUL8Parallel;SIMUL8 Parallel Processor;c:\progra~1\SIMUL8\SIMUL8_ParallelSVC.exe [14/01/2008 20:31 502272]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]

S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]

S3 scrcap;scrcap;c:\windows\system32\DRIVERS\scrcap.sys --> c:\windows\system32\DRIVERS\scrcap.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INT15.SYS

.

Contents of the 'Scheduled Tasks' folder

2010-03-22 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:14]

2010-03-28 c:\windows\Tasks\HPpromotions journeysoftware.job

- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]

2010-03-28 c:\windows\Tasks\User_Feed_Synchronization-{2AF3A6D8-46D6-4A7E-B7DE-7188C750983E}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]

2010-03-28 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 21:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:tabs

uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: reallusion.com\www

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {AC120B1D-9411-4111-AF52-118052D85D45} - hxxp://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab

FF - ProfilePath - c:\documents and settings\John Murphy\Application Data\Mozilla\Firefox\Profiles\3z63gkqu.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: network.proxy.type - 4

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-28 06:49

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{71A78D8C-2A2C-F1E0-42C57DD6D788EDD0}\{92C0E49C-6DF5-7FD3-2A5D5DA34780C80D}\{FCC2AF23-71C0-A57B-CCE1F90128BA76FE}*]

"JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43,

80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D6C53DCC-FBE6-A484-895E707488E1192C}\{427B1CEB-CDC7-050B-E6202C9404952D54}\{86A51E58-9B8E-E4EB-26F8074E7F2FD295}*]

"JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43,

80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2596)

c:\windows\system32\WININET.dll

c:\windows\system32\MSNChatHook.dll

c:\windows\system32\sysenv.dll

c:\windows\system32\MSVCR71.dll

c:\windows\system32\ieframe.dll

c:\acer\Empowering Technology\ePower\SysHook.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\acer\Empowering Technology\admServ.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\crypserv.exe

c:\program files\Olympus\DeviceDetector\DM1Service.exe

c:\program files\CA\eTrust Antivirus\InoRpc.exe

c:\program files\CA\eTrust Antivirus\InoRT.exe

c:\program files\CA\eTrust Antivirus\InoTask.exe

c:\program files\Kontiki\KService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\System32\PAStiSvc.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxext.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wbem\unsecapp.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\docume~1\JOHNMU~1\LOCALS~1\Temp\RtkBtMnt.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

.

**************************************************************************

.

Completion time: 2010-03-28 06:56:47 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-28 05:56

ComboFix2.txt 2010-03-28 05:28

ComboFix3.txt 2010-03-28 05:08

ComboFix4.txt 2010-03-27 20:09

Pre-Run: 1,956,880,384 bytes free

Post-Run: 2,407,936,000 bytes free

- - End Of File - - F503B4AF47F07CCE8E8634FB5BF492D1

Thank You

Link to post
Share on other sites

Makes a little bit of sense, but not much sense. I think it would be much better if there was a way you could've just pointed it out in the first post, then I wouldn't have had to spend the night deleting UID manually from registry every 10mins
It seems you do not understand.

That is not the way things are done

We don't point out one malware entry and say there you go that is the reason for all of the infections.

There were multiple infections present that Combofix auto deleted.

The remaining entries I was going to finish until you made your comment about me missing the entry.

That comment makes me think that you do not think that I know what I am doing.

You didn't have to delete anything manually you just didn't want to wait for me to respond so you went ahead with your own way which did not have to be done.

You haven't gotten rid of all of the malware and you never did answer my question if you wanted me to help you finish it or not.

If you would like for me to finish this up then that is fine but if you are happy with your work then that is your decision.

Let me know and I will either help you or close it.

Link to post
Share on other sites

It seems you do not understand.

That is not the way things are done

We don't point out one malware entry and say there you go that is the reason for all of the infections.

There were multiple infections present that Combofix auto deleted.

The remaining entries I was going to finish until you made your comment about me missing the entry.

That comment makes me think that you do not think that I know what I am doing.

You didn't have to delete anything manually you just didn't want to wait for me to respond so you went ahead with your own way which did not have to be done.

You haven't gotten rid of all of the malware and you never did answer my question if you wanted me to help you finish it or not.

If you would like for me to finish this up then that is fine but if you are happy with your work then that is your decision.

Let me know and I will either help you or close it.

I asked you to finish this in my last post, If you look it is written "as far as i can tell this issue is resolved, but if you can see something I can't here is the last combofix log". I added the combofix log so that you could see it and tell me if anything is wrong

Also, I have a question, Did you hand write your first post or did you as it appears just change the name? I just spoke on what I was percieving, look at my first post, I mentioned that I had an issue with XBOX Support which they could've sorted in a day but because of the already written out responses it took a week to sort out. My issue with xbox was mistreated as a low level enquiry and your first post made me think you were treating this as a low level enquiry as it seems you did not personally write that response, I never said anywhere that you don't know what you are doing.

And can I ask you why do you think I said "I think it would be much better if there was a way you could've just pointed it out in the first post"?? I said that because I do understand that is not the way things are done and I feel that would sort the problem faster.

So the combofix log is in my last post, does it look ok?

Link to post
Share on other sites

No I hand type anything in between the original post is what is called a canned speech it is something that has the correct code for the forums with custom scan's that I like to run to spot the infections.

This will remove the leftover infection's from the system then we will finish up after that.

=========================

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
osmswiak
scrcap

File::
c:\windows\Thokacupodovujep.dat
c:\windows\Vviwazukohomalok.bin

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

Link to post
Share on other sites

No I hand type anything in between the original post is what is called a canned speech it is something that has the correct code for the forums with custom scan's that I like to run to spot the infections.

This will remove the leftover infection's from the system then we will finish up after that.

=========================

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
osmswiak
scrcap

File::
c:\windows\Thokacupodovujep.dat
c:\windows\Vviwazukohomalok.bin

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

Ok, thank you for clearing that up and I'm sorry for any offence, really grateful for your instructions here. Wow everything is running fine, Malwarebytes isn't finding anything, but the system isn't actually clean. Just out of interest, the infected file/drivers don't seem to be affecting anything, what are they and what do they do?

Here is the combofix log:

ComboFix 10-03-29.04 - John Murphy 30/03/2010 19:44:46.5.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.469 [GMT 1:00]

Running from: c:\documents and settings\John Murphy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\John Murphy\Desktop\CFScript.txt

FILE ::

"c:\windows\Thokacupodovujep.dat"

"c:\windows\Vviwazukohomalok.bin"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Thokacupodovujep.dat

c:\windows\Vviwazukohomalok.bin

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_OSMSWIAK

-------\Service_osmswiak

-------\Service_scrcap

((((((((((((((((((((((((( Files Created from 2010-02-28 to 2010-03-30 )))))))))))))))))))))))))))))))

.

2010-03-27 00:11 . 2010-03-27 00:11 -------- d-----w- c:\program files\Trend Micro

2010-03-26 16:38 . 2010-03-26 16:38 -------- d-----w- c:\windows\system32\wbem\Repository

2010-03-16 21:58 . 2004-08-04 04:00 24576 ----a-w- c:\windows\system32\stu2.exe

2010-03-09 15:27 . 2010-03-09 15:27 -------- d-sh--w- c:\documents and settings\John Murphy\IECompatCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-30 18:58 . 2008-11-21 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2010-03-30 18:52 . 2009-05-29 21:25 12 ----a-w- c:\windows\bthservsdp.dat

2010-03-30 09:19 . 2009-11-10 04:51 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Any Video Converter

2010-03-29 22:13 . 2007-08-16 16:28 230432 ----a-w- C:\StiImg.dat

2010-03-26 23:39 . 2007-08-07 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-03-26 18:22 . 2009-05-25 23:04 -------- d-----w- c:\program files\CCleaner

2010-03-26 16:21 . 2010-03-26 16:30 214978 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2010-03-26 02:50 . 2007-08-07 16:54 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Skype

2010-03-01 19:15 . 2009-06-22 18:21 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2010-03-01 19:15 . 2009-06-22 18:21 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll

2010-03-01 19:15 . 2009-06-22 18:21 173408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2010-03-01 19:15 . 2009-06-01 18:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2010-03-01 19:15 . 2009-05-05 18:33 15688 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-01 19:15 . 2009-06-22 18:20 350544 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2010-03-01 19:15 . 2009-06-22 18:20 303456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-03-01 19:15 . 2009-06-27 16:26 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2010-03-01 19:15 . 2009-06-01 18:14 89952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2010-03-01 19:14 . 2009-06-01 18:14 254832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2010-03-01 19:14 . 2009-06-01 18:14 45408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2010-03-01 19:14 . 2009-06-22 18:19 671592 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2010-03-01 19:14 . 2009-09-28 18:13 3701760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

2010-03-01 19:14 . 2009-06-22 18:18 566648 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2010-03-01 19:14 . 2009-06-22 18:17 567144 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2010-03-01 19:13 . 2009-06-22 18:17 2357064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2010-03-01 19:13 . 2009-06-22 18:15 524632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2010-03-01 19:13 . 2009-06-22 18:15 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2010-02-20 11:57 . 2010-02-20 11:57 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat

2010-02-19 03:13 . 2010-02-19 03:13 16 ----a-w- c:\documents and settings\LocalService\Application Data\cqfyto.dat

2010-02-13 16:39 . 2010-02-13 16:39 50354 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\uninstall.exe

2010-02-13 16:39 . 2010-02-13 16:39 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Facebook

2010-02-12 10:03 . 2010-02-25 15:44 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-10 21:00 . 2006-09-22 15:43 49664 ----a-w- c:\documents and settings\John Murphy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth2.dll

2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth1.dll

2010-02-10 19:15 . 2010-02-10 19:15 16 ---h--w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\e563io5.dll

2010-02-10 19:15 . 2010-02-10 19:14 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth2.dll

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\Common Files\SPSS

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\SPSSInc

2010-02-10 19:06 . 2010-02-10 19:06 1025 ----a-w- c:\windows\system32\sysprs7.dll

2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\axfbootloader.dll

2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\npfbplugin_1_0_1.dll

2010-01-28 16:52 . 2009-05-29 16:19 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-28 00:31 . 2008-01-16 23:04 2434 ----a-w- c:\documents and settings\John Murphy\Application Data\SAS7_000.DAT

2010-01-14 12:01 . 2006-09-25 10:18 69878 -c--a-w- c:\windows\hpoins05.dat

2010-01-07 16:07 . 2008-11-05 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 16:07 . 2008-11-05 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-12-31 16:14 . 2006-04-21 06:12 352640 ----a-w- c:\windows\system32\drivers\srv.sys

2007-08-07 17:44 . 2007-08-07 17:43 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe

2009-04-19 11:32 . 2007-08-18 23:47 67688 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-04-19 11:32 . 2007-08-18 23:47 54368 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-04-19 11:32 . 2007-08-18 23:47 34944 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-04-19 11:32 . 2007-08-18 23:47 46712 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-04-19 11:32 . 2007-08-18 23:47 172136 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"Eyeball Chat"="c:\program files\Eyeball\Eyeball Chat\EyeballChat.exe" [2002-10-11 2863176]

"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 352256]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe" [2006-06-28 1404928]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-01 102491]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-01 692315]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-23 155648]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 471040]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-05 437008]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 53248]

"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]

"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 3080704]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-20 185896]

"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-18 2752512]

DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-8-7 962660]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\Property Controller.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\Property Controller.exe

"c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\MindMapLauncher.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\MindMapLauncher.exe

"c:\\program files\\texthelp systems\\read and write 8\\RW8.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\RW8.exe

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=

"d:\\My Data\\Limewire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=

"c:\\Program Files\\Multimedia Fusion 2\\Data\\Runtime\\edrt.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Contacts\\wlcomm.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=

"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=

"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/04/2009 19:13 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]

S2 SIMUL8Parallel;SIMUL8 Parallel Processor;c:\progra~1\SIMUL8\SIMUL8_ParallelSVC.exe [14/01/2008 20:31 502272]

S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]

.

Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:14]

2010-03-30 c:\windows\Tasks\HPpromotions journeysoftware.job

- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]

2010-03-30 c:\windows\Tasks\User_Feed_Synchronization-{2AF3A6D8-46D6-4A7E-B7DE-7188C750983E}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]

2010-03-30 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 21:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:tabs

uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: reallusion.com\www

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {AC120B1D-9411-4111-AF52-118052D85D45} - hxxp://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab

FF - ProfilePath - c:\documents and settings\John Murphy\Application Data\Mozilla\Firefox\Profiles\3z63gkqu.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: network.proxy.type - 4

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-30 19:54

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{71A78D8C-2A2C-F1E0-42C57DD6D788EDD0}\{92C0E49C-6DF5-7FD3-2A5D5DA34780C80D}\{FCC2AF23-71C0-A57B-CCE1F90128BA76FE}*]

"JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43,

80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D6C53DCC-FBE6-A484-895E707488E1192C}\{427B1CEB-CDC7-050B-E6202C9404952D54}\{86A51E58-9B8E-E4EB-26F8074E7F2FD295}*]

"JWOYTVPITEDJCHYUGDR5XL6BSC1"=hex:01,00,01,00,00,00,00,00,b1,dc,8a,ef,e5,23,43,

80,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)

c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3956)

c:\windows\system32\WININET.dll

c:\windows\system32\MSNChatHook.dll

c:\windows\system32\sysenv.dll

c:\windows\system32\MSVCR71.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

c:\acer\Empowering Technology\ePower\SysHook.dll

c:\windows\system32\browselc.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Intel\Wireless\Bin\EvtEng.exe

c:\program files\Intel\Wireless\Bin\S24EvMon.exe

c:\acer\Empowering Technology\admServ.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\crypserv.exe

c:\program files\Olympus\DeviceDetector\DM1Service.exe

c:\program files\CA\eTrust Antivirus\InoRpc.exe

c:\program files\CA\eTrust Antivirus\InoRT.exe

c:\program files\CA\eTrust Antivirus\InoTask.exe

c:\program files\Kontiki\KService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\Intel\Wireless\Bin\RegSrvc.exe

c:\windows\System32\PAStiSvc.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\RTHDCPL.EXE

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\igfxext.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\rundll32.exe

c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

c:\docume~1\JOHNMU~1\LOCALS~1\Temp\RtkBtMnt.exe

c:\program files\HP\Digital Imaging\bin\hpqgalry.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

c:\program files\Yahoo!\Messenger\ymsgr_tray.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

.

**************************************************************************

.

Completion time: 2010-03-30 20:03:31 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-30 19:03

ComboFix2.txt 2010-03-28 05:56

ComboFix3.txt 2010-03-28 05:28

ComboFix4.txt 2010-03-28 05:08

ComboFix5.txt 2010-03-30 18:43

Pre-Run: 1,673,932,800 bytes free

Post-Run: 2,008,178,688 bytes free

- - End Of File - - 9B2255DF1DB60F9CF5D4A320E45DFD8A

Thank you so much for helping me, sorry I caused you some grief by trying to sort it out myself haha (As I said I've removed a rootkit and TDSS myself). Guess I should turn that 'passion to solve things' to my mathematical studies, need to get myself to do revision and lots to solve there.

Link to post
Share on other sites

Those drivers were removed because they were orphaned entries.

The reason I remove those is because some nasty malware can exploit orphaned services and use them to hide malware files behind them.

Thank you so much for helping me, sorry I caused you some grief by trying to sort it out myself haha

No worries it is good that you have removed a rootkit before.

A couple more steps here then we will be done. :rolleyes:

1. Please open Notepad

  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{71A78D8C-2A2C-F1E0-42C57DD6D788EDD0}\{92C0E49C-6DF5-7FD3-2A5D5DA34780C80D}\{FCC2AF23-71C0-A57B-CCE1F90128BA76FE}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{D6C53DCC-FBE6-A484-895E707488E1192C}\{427B1CEB-CDC7-050B-E6202C9404952D54}\{86A51E58-9B8E-E4EB-26F8074E7F2FD295}*]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScriptB-4.gif

5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:

  • Combofix.txt

=============

* Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Link to post
Share on other sites

Those drivers were removed because they were orphaned entries.

The reason I remove those is because some nasty malware can exploit orphaned services and use them to hide malware files behind them.

Wow, had no idea malware can create really hidden stuff that has no effect on the system but is essentially an infection fast track.

=============

* Go here to run an online scannner from ESET.

  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Check next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\ESET Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic

Thanks, I've seen quite a few online virus scans but didn't really trust them. I saw VirusTotal mentioned on a forum, sent my userinit.exe file and it found 5/42. I'll definatly give this recommended one a look

Followed the steps, here is the combofix log:

ComboFix 10-03-29.04 - John Murphy 02/04/2010 15:40:03.6.2 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1014.561 [GMT 1:00]

Running from: c:\documents and settings\John Murphy\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\John Murphy\Desktop\CFScript.txt

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\program files\Internet Explorer\SET5B.tmp

c:\program files\Internet Explorer\SET5C.tmp

.

((((((((((((((((((((((((( Files Created from 2010-03-02 to 2010-04-02 )))))))))))))))))))))))))))))))

.

2010-04-02 14:02 . 2010-04-02 14:02 -------- d-----w- c:\windows\LastGood

2010-03-27 00:11 . 2010-03-27 00:11 -------- d-----w- c:\program files\Trend Micro

2010-03-26 16:38 . 2010-03-26 16:38 -------- d-----w- c:\windows\system32\wbem\Repository

2010-03-16 21:58 . 2004-08-04 04:00 24576 ----a-w- c:\windows\system32\stu2.exe

2010-03-09 15:27 . 2010-03-09 15:27 -------- d-sh--w- c:\documents and settings\John Murphy\IECompatCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-02 14:47 . 2008-11-21 21:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki

2010-03-30 20:57 . 2009-11-10 04:51 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Any Video Converter

2010-03-30 18:52 . 2009-05-29 21:25 12 ----a-w- c:\windows\bthservsdp.dat

2010-03-29 22:13 . 2007-08-16 16:28 230432 ----a-w- C:\StiImg.dat

2010-03-26 23:39 . 2007-08-07 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint

2010-03-26 18:22 . 2009-05-25 23:04 -------- d-----w- c:\program files\CCleaner

2010-03-26 16:21 . 2010-03-26 16:30 214978 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2010-03-26 02:50 . 2007-08-07 16:54 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Skype

2010-03-01 19:15 . 2009-06-22 18:21 315736 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe

2010-03-01 19:15 . 2009-06-22 18:21 25440 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll

2010-03-01 19:15 . 2009-06-22 18:21 173408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll

2010-03-01 19:15 . 2009-06-01 18:14 15688 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe

2010-03-01 19:15 . 2009-05-05 18:33 15688 ----a-w- c:\windows\system32\lsdelete.exe

2010-03-01 19:15 . 2009-06-22 18:20 350544 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll

2010-03-01 19:15 . 2009-06-22 18:20 303456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2010-03-01 19:15 . 2009-06-27 16:26 1630560 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll

2010-03-01 19:15 . 2009-06-01 18:14 89952 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll

2010-03-01 19:14 . 2009-06-01 18:14 254832 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll

2010-03-01 19:14 . 2009-06-01 18:14 45408 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2010-03-01 19:14 . 2009-06-22 18:19 671592 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll

2010-03-01 19:14 . 2009-09-28 18:13 3701760 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe

2010-03-01 19:14 . 2009-06-22 18:18 566648 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2010-03-01 19:14 . 2009-06-22 18:17 567144 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2010-03-01 19:13 . 2009-06-22 18:17 2357064 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2010-03-01 19:13 . 2009-06-22 18:15 524632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe

2010-03-01 19:13 . 2009-06-22 18:15 1029456 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe

2010-02-25 10:54 . 2010-02-25 10:54 11070976 ----a-w- c:\windows\system32\SET58.tmp

2010-02-25 06:24 . 2010-03-31 03:22 916480 ------w- c:\windows\system32\SET4D.tmp

2010-02-25 06:24 . 2010-03-31 03:22 1209344 ----a-w- c:\windows\system32\SET4E.tmp

2010-02-25 06:24 . 2010-03-31 03:22 5944832 ------w- c:\windows\system32\SET51.tmp

2010-02-25 06:24 . 2010-03-31 03:22 594432 ----a-w- c:\windows\system32\SET53.tmp

2010-02-25 06:24 . 2010-03-31 03:22 55296 ----a-w- c:\windows\system32\SET52.tmp

2010-02-25 06:24 . 2010-03-31 03:22 184320 ----a-w- c:\windows\system32\SET57.tmp

2010-02-25 06:24 . 2010-03-31 03:22 1985536 ----a-w- c:\windows\system32\SET56.tmp

2010-02-20 11:57 . 2010-02-20 11:57 16 ----a-w- c:\windows\system32\config\systemprofile\Application Data\cqfyto.dat

2010-02-19 03:13 . 2010-02-19 03:13 16 ----a-w- c:\documents and settings\LocalService\Application Data\cqfyto.dat

2010-02-13 16:39 . 2010-02-13 16:39 50354 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\uninstall.exe

2010-02-13 16:39 . 2010-02-13 16:39 -------- d-----w- c:\documents and settings\John Murphy\Application Data\Facebook

2010-02-12 10:03 . 2010-02-25 15:44 293376 ------w- c:\windows\system32\browserchoice.exe

2010-02-10 21:00 . 2006-09-22 15:43 49664 ----a-w- c:\documents and settings\John Murphy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth2.dll

2010-02-10 19:15 . 2010-02-10 19:15 1024 ----a-w- c:\windows\system32\grcauth1.dll

2010-02-10 19:15 . 2010-02-10 19:15 16 ---h--w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\e563io5.dll

2010-02-10 19:15 . 2010-02-10 19:14 1024 ----a-w- c:\documents and settings\All Users\Application Data\SafeNet Sentinel\Sentinel RMS Development Kit\System\clauth2.dll

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\documents and settings\All Users\Application Data\SPSS

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\Common Files\SPSS

2010-02-10 19:07 . 2010-02-10 19:07 -------- d-----w- c:\program files\SPSSInc

2010-02-10 19:06 . 2010-02-10 19:06 1025 ----a-w- c:\windows\system32\sysprs7.dll

2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\axfbootloader.dll

2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\John Murphy\Application Data\Facebook\npfbplugin_1_0_1.dll

2010-01-28 16:52 . 2009-05-29 16:19 5115824 -c--a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe

2010-01-28 00:31 . 2008-01-16 23:04 2434 ----a-w- c:\documents and settings\John Murphy\Application Data\SAS7_000.DAT

2010-01-14 12:01 . 2006-09-25 10:18 69878 -c--a-w- c:\windows\hpoins05.dat

2010-01-07 16:07 . 2008-11-05 00:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-07 16:07 . 2008-11-05 00:37 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2007-08-07 17:44 . 2007-08-07 17:43 411248 -c--a-w- c:\program files\FLV PlayerRCSetup.exe

2009-04-19 11:32 . 2007-08-18 23:47 67688 -c--a-w- c:\program files\mozilla firefox\components\jar50.dll

2009-04-19 11:32 . 2007-08-18 23:47 54368 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll

2009-04-19 11:32 . 2007-08-18 23:47 34944 -c--a-w- c:\program files\mozilla firefox\components\myspell.dll

2009-04-19 11:32 . 2007-08-18 23:47 46712 -c--a-w- c:\program files\mozilla firefox\components\spellchk.dll

2009-04-19 11:32 . 2007-08-18 23:47 172136 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll

.

((((((((((((((((((((((((((((( SnapShot@2010-03-28_05.06.37 )))))))))))))))))))))))))))))))))))))))))

.

+ 2010-03-30 18:53 . 2010-03-30 18:53 16384 c:\windows\Temp\Perflib_Perfdata_764.dat

- 2006-09-25 11:12 . 2009-12-11 23:08 74048 c:\windows\system32\perfc009.dat

+ 2006-09-25 11:12 . 2010-03-28 05:52 74048 c:\windows\system32\perfc009.dat

- 2006-06-23 11:25 . 2009-12-21 19:14 25600 c:\windows\system32\jsproxy.dll

+ 2006-06-23 11:25 . 2010-02-25 06:24 25600 c:\windows\system32\jsproxy.dll

+ 2009-11-04 20:23 . 2010-02-25 06:24 12800 c:\windows\system32\dllcache\xpshims.dll

- 2009-11-04 20:23 . 2009-12-21 19:14 12800 c:\windows\system32\dllcache\xpshims.dll

+ 2007-04-25 08:41 . 2010-02-25 06:24 55296 c:\windows\system32\dllcache\msfeedsbs.dll

- 2007-04-25 08:41 . 2009-12-21 19:14 55296 c:\windows\system32\dllcache\msfeedsbs.dll

+ 2006-06-23 11:25 . 2010-02-25 06:24 25600 c:\windows\system32\dllcache\jsproxy.dll

- 2006-06-23 11:25 . 2009-12-21 19:14 25600 c:\windows\system32\dllcache\jsproxy.dll

+ 2004-08-04 04:00 . 2004-08-04 04:00 71680 c:\windows\system32\dllcache\blastcln.exe

+ 2010-04-02 14:03 . 2009-12-21 19:14 12800 c:\windows\ie8updates\KB980182-IE8\xpshims.dll

+ 2010-04-02 14:03 . 2009-12-21 19:14 55296 c:\windows\ie8updates\KB980182-IE8\msfeedsbs.dll

+ 2010-04-02 14:03 . 2009-12-21 19:14 25600 c:\windows\ie8updates\KB980182-IE8\jsproxy.dll

+ 2004-08-04 04:00 . 2004-08-04 04:00 5632 c:\windows\system32\dllcache\write.exe

+ 2004-08-04 04:00 . 2004-08-04 04:00 9216 c:\windows\system32\dllcache\proxycfg.exe

- 2006-09-25 11:12 . 2009-12-11 23:08 447200 c:\windows\system32\perfh009.dat

+ 2006-09-25 11:12 . 2010-03-28 05:52 447200 c:\windows\system32\perfh009.dat

+ 2004-08-04 04:00 . 2010-02-25 06:24 206848 c:\windows\system32\occache.dll

- 2004-08-04 04:00 . 2009-12-21 19:14 206848 c:\windows\system32\occache.dll

- 2006-06-23 11:25 . 2009-03-08 04:32 611840 c:\windows\system32\mstime.dll

+ 2006-06-23 11:25 . 2010-02-25 06:24 611840 c:\windows\system32\mstime.dll

+ 2004-08-04 04:00 . 2010-02-25 06:24 387584 c:\windows\system32\iedkcs32.dll

- 2004-08-04 04:00 . 2009-12-21 19:14 387584 c:\windows\system32\iedkcs32.dll

+ 2004-08-04 04:00 . 2010-02-24 09:54 173056 c:\windows\system32\ie4uinit.exe

- 2004-08-04 04:00 . 2009-12-21 13:19 173056 c:\windows\system32\ie4uinit.exe

+ 2004-08-04 04:00 . 2004-08-04 04:00 358912 c:\windows\system32\dllcache\wmic.exe

+ 2004-08-04 04:00 . 2004-08-04 04:00 126464 c:\windows\system32\dllcache\wmiapsrv.exe

+ 2006-06-23 11:25 . 2010-02-25 06:24 916480 c:\windows\system32\dllcache\wininet.dll

- 2006-06-23 11:25 . 2009-12-21 19:14 916480 c:\windows\system32\dllcache\wininet.dll

+ 2004-08-04 04:00 . 2004-08-04 04:00 283648 c:\windows\system32\dllcache\winhlp32.exe

+ 2004-08-04 04:00 . 2004-08-04 04:00 121856 c:\windows\system32\dllcache\sctasks.exe

- 2004-08-04 04:00 . 2009-12-21 19:14 206848 c:\windows\system32\dllcache\occache.dll

+ 2004-08-04 04:00 . 2010-02-25 06:24 206848 c:\windows\system32\dllcache\occache.dll

- 2006-06-23 11:25 . 2009-03-08 04:32 611840 c:\windows\system32\dllcache\mstime.dll

+ 2006-06-23 11:25 . 2010-02-25 06:24 611840 c:\windows\system32\dllcache\mstime.dll

+ 2007-04-25 08:41 . 2010-02-25 06:24 594432 c:\windows\system32\dllcache\msfeeds.dll

- 2007-04-25 08:41 . 2009-12-21 19:14 594432 c:\windows\system32\dllcache\msfeeds.dll

+ 2009-11-04 20:23 . 2010-02-25 06:24 247808 c:\windows\system32\dllcache\ieproxy.dll

- 2009-03-08 04:31 . 2009-12-21 19:14 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2009-03-08 04:31 . 2010-02-25 06:24 184320 c:\windows\system32\dllcache\iepeers.dll

+ 2004-08-04 04:00 . 2010-02-25 06:24 387584 c:\windows\system32\dllcache\iedkcs32.dll

- 2004-08-04 04:00 . 2009-12-21 19:14 387584 c:\windows\system32\dllcache\iedkcs32.dll

+ 2004-08-04 04:00 . 2010-02-24 09:54 173056 c:\windows\system32\dllcache\ie4uinit.exe

- 2004-08-04 04:00 . 2009-12-21 13:19 173056 c:\windows\system32\dllcache\ie4uinit.exe

+ 2010-04-02 14:03 . 2009-12-21 19:14 916480 c:\windows\ie8updates\KB980182-IE8\wininet.dll

+ 2010-04-02 14:03 . 2009-05-26 11:40 382840 c:\windows\ie8updates\KB980182-IE8\spuninst\updspapi.dll

+ 2010-04-02 14:03 . 2009-05-26 11:40 231288 c:\windows\ie8updates\KB980182-IE8\spuninst\spuninst.exe

+ 2010-04-02 14:03 . 2009-12-21 19:14 206848 c:\windows\ie8updates\KB980182-IE8\occache.dll

+ 2010-04-02 14:03 . 2009-03-08 04:32 611840 c:\windows\ie8updates\KB980182-IE8\mstime.dll

+ 2010-04-02 14:03 . 2009-12-21 19:14 594432 c:\windows\ie8updates\KB980182-IE8\msfeeds.dll

+ 2010-04-02 14:03 . 2009-12-21 19:14 246272 c:\windows\ie8updates\KB980182-IE8\ieproxy.dll

+ 2010-04-02 14:03 . 2009-12-21 19:14 184320 c:\windows\ie8updates\KB980182-IE8\iepeers.dll

+ 2010-04-02 14:03 . 2009-12-21 19:14 387584 c:\windows\ie8updates\KB980182-IE8\iedkcs32.dll

+ 2010-04-02 14:03 . 2009-12-21 13:19 173056 c:\windows\ie8updates\KB980182-IE8\ie4uinit.exe

+ 2006-07-25 20:42 . 2010-02-25 06:24 1209344 c:\windows\system32\dllcache\urlmon.dll

+ 2006-07-28 11:30 . 2010-02-25 06:24 5944832 c:\windows\system32\dllcache\mshtml.dll

- 2007-04-25 08:41 . 2009-12-21 19:14 1985536 c:\windows\system32\dllcache\iertutil.dll

+ 2007-04-25 08:41 . 2010-02-25 06:24 1985536 c:\windows\system32\dllcache\iertutil.dll

+ 2010-04-02 14:03 . 2009-12-21 19:14 1208832 c:\windows\ie8updates\KB980182-IE8\urlmon.dll

+ 2010-04-02 14:03 . 2009-12-21 19:14 5942784 c:\windows\ie8updates\KB980182-IE8\mshtml.dll

+ 2010-04-02 14:03 . 2009-12-21 19:14 1985536 c:\windows\ie8updates\KB980182-IE8\iertutil.dll

+ 2007-04-25 08:41 . 2010-02-25 10:54 11070976 c:\windows\system32\dllcache\ieframe.dll

+ 2010-04-02 14:03 . 2009-12-21 19:14 11070464 c:\windows\ie8updates\KB980182-IE8\ieframe.dll

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-07-16 4670704]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"Eyeball Chat"="c:\program files\Eyeball\Eyeball Chat\EyeballChat.exe" [2002-10-11 2863176]

"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"LaunchApp"="Alaunch" [X]

"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-05-09 352256]

"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2006-09-11 218032]

"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-29 155648]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Program\ereg.exe" [2006-06-28 1404928]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-11-01 102491]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-11-01 692315]

"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 16120832]

"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 32768]

"Realtime Monitor"="c:\progra~1\CA\ETRUST~1\realmon.exe" [2004-04-06 504080]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-09-23 155648]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-11 45056]

"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]

"LManager"="c:\progra~1\LAUNCH~1\QtZgAcer.EXE" [2006-04-03 471040]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2005-12-05 437008]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]

"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-05 461584]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-02 98304]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-02 118784]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-02 77824]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-09-13 49152]

"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]

"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]

"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-08-24 53248]

"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]

"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-08 3080704]

"SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-01-24 81920]

"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-11-20 185896]

"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2010-03-01 524632]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-1-18 2752512]

DSLMON.lnk - c:\program files\SAGEM\SAGEM F@st 800-840\dslmon.exe [2007-8-7 962660]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-4 258048]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-11-4 53248]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\Property Controller.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\Property Controller.exe

"c:\\program files\\texthelp systems\\read and write 8\\mind mapper\\MindMapLauncher.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\Mind Mapper\\MindMapLauncher.exe

"c:\\program files\\texthelp systems\\read and write 8\\RW8.exe"= c:\\Program Files\\Texthelp Systems\\Read And Write 8\\RW8.exe

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\InocIT.exe"=

"d:\\My Data\\Limewire\\LimeWire.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\Adobe\\Adobe After Effects CS3\\Support Files\\AfterFX.exe"=

"c:\\Program Files\\Multimedia Fusion 2\\Data\\Runtime\\edrt.exe"=

"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=

"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\Realmon.exe"=

"c:\\Program Files\\CA\\eTrust Antivirus\\Shellscn.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Contacts\\wlcomm.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.com"=

"c:\\Program Files\\SPSSInc\\Statistics17\\statistics.exe"=

"c:\\Program Files\\SPSSInc\\Statistics17\\SPSSWinWrapIDE.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [25/04/2009 19:13 64160]

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]

S2 SIMUL8Parallel;SIMUL8 Parallel Processor;c:\progra~1\SIMUL8\SIMUL8_ParallelSVC.exe [14/01/2008 20:31 502272]

S3 PAC207;SoC PC-Camer@;c:\windows\system32\drivers\PFC027.sys [24/02/2005 12:29 162176]

.

Contents of the 'Scheduled Tasks' folder

2010-03-29 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:14]

2010-03-31 c:\windows\Tasks\HPpromotions journeysoftware.job

- c:\program files\hp\digital imaging\bin\hp promotions\journeysoftware\HPpromo.exe [2005-04-22 16:36]

2010-04-02 c:\windows\Tasks\User_Feed_Synchronization-{2AF3A6D8-46D6-4A7E-B7DE-7188C750983E}.job

- c:\windows\system32\msfeedssync.exe [2006-10-17 04:31]

2010-03-30 c:\windows\Tasks\WGASetup.job

- c:\windows\system32\KB905474\wgasetup.exe [2009-04-28 21:18]

.

.

------- Supplementary Scan -------

.

uStart Page = about:tabs

uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

Trusted Zone: reallusion.com\www

DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab

DPF: {AC120B1D-9411-4111-AF52-118052D85D45} - hxxp://67.15.101.33/g_bin/eng/darts_2_0_0_42.cab

FF - ProfilePath - c:\documents and settings\John Murphy\Application Data\Mozilla\Firefox\Profiles\3z63gkqu.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: network.proxy.type - 4

FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-02 15:47

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(920)

c:\windows\system32\Ati2evxx.dll

c:\windows\system32\igfxdev.dll

.

Completion time: 2010-04-02 15:50:31

ComboFix-quarantined-files.txt 2010-04-02 14:50

ComboFix2.txt 2010-03-30 19:03

ComboFix3.txt 2010-03-28 05:56

ComboFix4.txt 2010-03-28 05:28

ComboFix5.txt 2010-04-02 14:38

Pre-Run: 1,114,902,528 bytes free

Post-Run: 1,355,878,400 bytes free

- - End Of File - - 3B2B64B930E090FA4021C9A4206A9F76

Link to post
Share on other sites

  • 2 weeks later...
Great all looks good in that log once the Eset scan is done post those results then we can wrap it up.

Hi, sorry its been so long for me to respond, but I've been away for easter hols and didn't have good internet access for the 2hr Eset scan.

These are the 7 files it deleted after the scan:

C:\Qoobox\Quarantine\C\WINDOWS\uholekoconisi.dll.vir a variant of Win32/Cimag.BQ trojan cleaned by deleting - quarantined

C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Win32/TrojanDownloader.FakeAlert.AAB trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP92\A0022213.exe probably a variant of Win32/Agent trojan deleted - quarantined

C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP92\A0022250.exe Win32/TrojanDownloader.FakeAlert.AAB trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP92\A0022264.dll a variant of Win32/Cimag.BQ trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP96\A0023421.dll probably a variant of Win32/Agent trojan cleaned by deleting - quarantined

C:\System Volume Information\_restore{A44DC278-4675-40AC-9A92-6FF66A1FD2E2}\RP96\A0023422.exe probably a variant of Win32/Agent trojan deleted - quarantined

Thank you for all your help

Link to post
Share on other sites

No problem and you are welcome.

=======Cleanup=======

  • Click START then RUN
  • Now type Combofix /uninstall in the runbox and click OK. Note the space between the X and the Uninstall, it needs to be there.

======Next======

  • Double click on OTL to run it.
  • Click on the Cleanup button at the top.
  • You will be asked to reboot the machine to finish the Cleanup process. Choose Yes.
  • This will remove itself and other tools we may have used.

===============Update Java===============

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:

  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 19...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u19-windows-i586.exe to install the newest version.

======================Clear out infected System Restore points======================

Then we need to reset your System Restore points.

The link below shows how to do this.

How to Turn On and Turn Off System Restore in Windows XP

http://support.microsoft.com/kb/310405/en-us

If you are using Vista then see this link: http://www.bleepingcomputer.com/tutorials/...143.html#manual

Delete\uninstall anything else that we have used that is leftover.

=====================================

After that your all set.

The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention artice by Miekiemoes.

If your computer is slow Is a tutorial on what you can do if your computer is slow.

File sharing program dangers Reasons to stay away from File sharing programs for ex: BitTorrent,Limewire,Kazaa,emule,Utorrent,Limewire etc...

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.