I'm Guessing You've Seen This Before

[Desperate Dave]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:14:52 AM, on 1/14/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\Program Files\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\RealVNC\VNC4\WinVNC4.exe

C:\WINDOWS\system32\MsPMSPSv.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\Cobian Backup 9\Cobian.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Cobian Backup 9\cbInterface.exe

C:\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe

C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE

C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

O4 - HKLM\..\Run: [Cobian Backup 9] "C:\Program Files\Cobian Backup 9\Cobian.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe

O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [WMC_WMPDBExport] C:\Program Files\Windows Media Player\wmdbexport.exe (User 'Default user')

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1127145287279

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = vermont.edu

O17 - HKLM\Software\..\Telephony: DomainName = vermont.edu

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = vermont.edu

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--

End of file - 5643 bytes

[Desperate Dave]

And here's the MBAM log:

Malwarebytes' Anti-Malware 1.32

Database version: 1652

Windows 5.1.2600 Service Pack 2

1/14/2009 11:44:28 AM

mbam-log-2009-01-14 (11-44-28).txt

Scan type: Quick Scan

Objects scanned: 63111

Time elapsed: 8 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Each MBAM scan results in 2 items found

[AdvancedSetup]

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

These steps are for member

Desperate Dave only

. If you are a lurker, do NOT try this on your system!

If you are not

Desperate Dave

and have a similar problem, do NOT post here; start your own topic

Do not run or start any other programs while these utilities and tools are in use!

Do NOT run any other tools on your own or do any fixes other than what is listed here.

If you have questions, please ask before you do something on your own.

But it is important that you get going on these following steps.

STEP01

Reconfigure Windows XP to show hidden files:

To enable the viewing of Hidden files follow these steps:

* Close all programs so that you are at your desktop.

* Double-click on the My Computer icon.

* Select the Tools menu and click Folder Options.

* After the new window appears select the View tab.

* Put a checkmark in the checkbox labeled Display the contents of system folders.

* Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.

* Remove the checkmark from the checkbox labeled Hide file extensions for known file types.

* Remove the checkmark from the checkbox labeled Hide protected operating system files.

* Press the Apply button and then the OK button and exit My Computer.

* Now your computer is configured to show all hidden files.

STEP02

Download and install
CCleaner
• CCleaner
  
  
• Double-click on the downloaded file "ccsetup215.exe" and install the application.
  
  
• Keep the default installation folder "C:\Program Files\CCleaner"
  
  
• Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  
  
• Click finish when done and close
  ALL PROGRAMS
  
  
• Start the
  CCleaner
  program.
  
  
• Click on
  Registry
  and
  Uncheck
  Registry Integrity so that it does not run
  
  
• Click on
  Options
  -
  Advanced
  and
  Uncheck
  "Only delete files in Windows Temp folders older than 48 hours"
  
  
• Click back to
  Cleaner
  and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  
  
• Click on
  Run Cleaner
  button on the bottom right side of the program.
  
  
• Click OK to any prompts
  
  

STEP03

Disable your AntiVirus and AntiSpyware

applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

This should apply to AVG8:

To

disable the Resident Shield

, please:

open AVG User Interface

double-click on the Resident Shield

un-tick the option Resident Shield active

save the changes.

STEP04

Please download and run the following file to repair file and registry permissions

fixacl.exe

STEP05

• Download
  FixPolicies.exe
  by Bill Castner and save it to your desktop.
• Double click on FixPolicies.exe to run it.
  
  
• Click on Install. It will create a folder named FixPolicies on your desktop.
  
  
• Open the FixPolicies folder.
  
  
• Double click on
  Fix_policies.cmd
  to run it. Command Prompt will open and close quickly this is normal.
  
  
• Reboot your computer after it runs
  
  
• This fix may prove temporary. Active malware may revert these changes at your next startup. You can safely run the utility again.
  
  
• Note: some malware will block the running of this tool. So if you cannot run Fixpolicies, then, RENAME the EXE file to something like Mytool.exe and then run it.
  
  

STEP06

Download this INF repair file by MS-MVP Miekiemoes:

http://users.telenet.be/bluepatchy/miekiemoes/tools/VArestorepolicies.zip

Unzip the download. Open the folder

VArestorepolicies

and

Right-click

the file inside,

VArestorepolicies.INF

and choose

Install

STEP07

If you have a prior copy of Combofix, delete it now !

Download ComboFix from one of these locations, saving to DESKTOP:

Link 1

Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

• Disable your AntiVirus and AntiSpyware
  applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
• Double click on Combo-Fix.exe & follow the prompts.
  
  
• If and only if you are prompted to download a new version of Combofix, reply NO .
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  
  

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF

you should see a message like this:

then, be sure to write down fully and also copy that into your next reply here and then await for my response.

When finished, it shall produce a log for you. Please include the

C:\ComboFix.txt

in your next reply.

-------------------------------------------------------

A caution -

Do not run Combofix more than once.

Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.

If this occurs, please reboot to restore the desktop.

Even when ComboFix appears to be doing nothing, look at your Drive light.

If it is flashing, Combofix is still at work.

Please then reply with a copy of

C:\Combofix.txt

, and a new

HijackThis

RE-Enable your AntiVirus and AntiSpyware

applications.

[AdvancedSetup]

Please post a status update on this.

[AdvancedSetup]

Are you still with us? Please post an update.

[AdvancedSetup]

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.