24 replies to this topic

[amarita77]

Hi. This morning, I got an message on my computer saying I had a Trojan virus. I ran Anti-Malware, and it cleaned everything up besides 3 things. I've run it a couple of times and keep getting the same 3 things. Since this happened this morning, my internet explorer keeps having an error and shutting down. It doesn't say what the internet explorer error is, though. I'd appreciate any advice.

Malwarebytes' Anti-Malware 1.35
Database version: 1905
Windows 5.1.2600 Service Pack 3

4/27/2009 2:54:10 PM
mbam-log-2009-04-27 (14-54-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 177901
Time elapsed: 27 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:58:05 PM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HSI\MicroMD EMR Client\MicroMD EMR.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\medical\medical.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://swagbucks.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.micromd.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {B2BA40A2-74F0-42BD-F434-12345A2C8953} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.micromd.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smart...oad/cscmv5X.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomee...ets/g2mdlax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MASCIO.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = MASCIO.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MASCIO.LOCAL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: pyspbt.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DataSvr - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe

--
End of file - 9470 bytes

[miekiemoes]

Hi,

Quote

Malwarebytes' Anti-Malware 1.35
Database version: 1905
Windows 5.1.2600 Service Pack 3

First of all, please update MalwareBytes, because the databaseversion is outdated + malwarebytes itself is outdated.

• Start MalwareBytes and click the Update tab. There click "Check for updates"
  
• In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  
• Once the updates are downloaded, perform a full scan again.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  
• Copy&Paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

[amarita77]

Thanks. I updated and re-ran everything. I also installed Firefox because IE is still closing out.

Malwarebytes' Anti-Malware 1.36
Database version: 2050
Windows 5.1.2600 Service Pack 3

4/28/2009 8:18:47 AM
mbam-log-2009-04-28 (08-18-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 189433
Time elapsed: 28 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\win32hlp.cnf (Trojan.Agent) -> No action taken.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:21:22 AM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Intel\AMT\atchksrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Intel\AMT\LMS.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe
C:\Program Files\Microsoft Location Finder\LocationFinder.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\medical\medical.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HSI\MicroMD EMR Client\MicroMD EMR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wtov9.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.micromd.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [FtLnSOP_setup] C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
O4 - HKLM\..\Run: [FJTWAIN Setup] C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe /Station
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.micromd.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmar...martActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://coupons.smart...oad/cscmv5X.cab
O16 - DPF: {6F750203-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomee...ets/g2mdlax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = MASCIO.LOCAL
O17 - HKLM\Software\..\Telephony: DomainName = MASCIO.LOCAL
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = MASCIO.LOCAL
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O20 - AppInit_DLLs: pyspbt.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Intel® AMT System Status Service (atchksrv) - Intel Corporation - C:\Program Files\Intel\AMT\atchksrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DataSvr - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Intel® Active Management Technology LMS Service (LMS) - Intel - C:\Program Files\Intel\AMT\LMS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe

--
End of file - 9393 bytes

[miekiemoes]

Hi,

You're supposed to take action and let mbam remove what it found.

Anyway, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[amarita77]

I started to run the Combofix. It shut my computer down after a few minutes. Now, when the computer comes back up, all I have is the background. There are no icons or anything else besides the cursor.

miekiemoes, on Apr 28 2009, 08:34 AM, said:

Hi,

You're supposed to take action and let mbam remove what it found.

Anyway, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[amarita77]

I apologize. It seems like I jumped the gun, and the computer finally did come back up after an hr of nothing. I am going to re-run Combofix now.

amarita77, on Apr 28 2009, 09:30 AM, said:

I started to run the Combofix. It shut my computer down after a few minutes. Now, when the computer comes back up, all I have is the background. There are no icons or anything else besides the cursor.

[miekiemoes]

Ok, I read you later

[amarita77]

I'm sorry for being such a pain. I've been on the blank background screen for 3 hrs now. Does it normally take this long for Combofix to run?

[miekiemoes]

No, it's not supposed to scan that long.

Did you disable your Antivirus? Because I know Norton may interfere with it.

Anyway, please abort the scan, reboot and then try to run it from Windows safe mode.

°To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

Also, did you install the Recovery console through combofix at the beginning? Because that is really important!!

[amarita77]

When I restarted the computer, I did get a Combofix log. Should I still restart and run it again in safe mode?

ComboFix 09-04-27.04 - WS3 04/28/2009 10:09.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1539 [GMT -4:00]
Running from: c:\documents and settings\WS3\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\protect.dll
c:\documents and settings\WS3\protect.dll
c:\documents and settings\WS3\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\WS3\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\win32hlp.cnf

Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-28 14:12 . 2009-04-28 14:27 27648 ----a-w c:\windows\system32\lmppcsetup.exe
2009-04-28 13:16 . 2004-08-04 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-28 13:14 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-28 13:14 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-28 13:14 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-28 13:14 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-28 13:14 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-28 13:14 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-28 13:14 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-28 13:14 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-28 13:14 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-28 13:13 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-28 13:13 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-28 11:54 . 2009-04-28 11:54 0 ----a-w c:\windows\nsreg.dat
2009-04-28 11:54 . 2009-04-28 11:54 -------- d-----w c:\documents and settings\WS3\Local Settings\Application Data\Mozilla
2009-04-27 20:36 . 2009-04-27 20:36 29696 ----a-w c:\windows\system32\loader49.exe
2009-04-27 18:17 . 2009-04-27 18:17 -------- d-----w c:\program files\Trend Micro
2009-04-27 12:04 . 2009-04-27 12:04 24064 ----a-w c:\windows\system32\loader266.exe
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\program files\iPod
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\program files\iTunes
2009-03-31 12:47 . 2009-03-31 13:23 -------- d-----w c:\documents and settings\WS3\Application Data\DiskAid
2009-03-31 12:47 . 2009-03-31 12:47 -------- d-----w c:\program files\DigiDNA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 19:46 . 2008-12-22 21:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 12:27 . 2008-09-26 15:52 -------- d-----w c:\program files\LimeWire
2009-04-13 19:46 . 2008-09-15 12:42 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 19:32 . 2008-12-22 21:24 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-22 21:24 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-30 13:29 . 2008-03-18 13:42 -------- d-----w c:\program files\Coupons
2009-03-23 19:51 . 2009-03-23 19:51 -------- d-----w c:\program files\Bonjour
2009-03-23 19:51 . 2009-03-23 19:50 -------- d-----w c:\program files\QuickTime
2009-03-19 20:32 . 2008-10-28 18:20 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 19:53 . 2009-03-18 19:53 -------- d-----w c:\program files\Midmark Diagnostics Group
2009-03-18 19:53 . 2006-10-09 14:24 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-18 19:53 . 2009-03-18 19:53 -------- d-----w c:\program files\Enigma
2009-03-18 17:33 . 2009-03-18 17:33 -------- d-----w c:\program files\MDGPDFDriver
2009-03-18 17:32 . 2007-06-26 20:23 -------- d-----w c:\program files\HSI
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-23 19:48 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-09-22 19:00 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-26 00:32 . 2008-05-14 18:41 557056 ----a-w c:\windows\system32\HenryScheinUserControlHost.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-28_13.35.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 18:04 . 2009-04-28 18:03 16384 c:\windows\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-04-28 18:06 . 2009-04-28 18:06 16384 c:\windows\Temp\Perflib_Perfdata_1fc.dat
- 2009-04-28 13:10 . 2009-04-28 13:35 24064 c:\windows\Temp\msb.dll
+ 2009-04-28 14:12 . 2009-04-28 14:12 24064 c:\windows\Temp\msb.dll
+ 2009-04-28 18:04 . 2009-04-28 18:03 16384 c:\windows\Temp\History\History.IE5\index.dat
+ 2009-04-28 18:04 . 2009-04-28 18:03 16384 c:\windows\Temp\Cookies\index.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 24576 c:\windows\system32\userinit.exe
+ 2004-08-04 12:00 . 2009-04-28 14:04 71512 c:\windows\system32\perfc009.dat
- 2004-08-04 12:00 . 2009-04-28 13:25 71512 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 24576 c:\windows\system32\dllcache\userinit.exe
- 2009-04-28 13:10 . 2009-04-28 13:35 24064 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
+ 2009-04-28 13:10 . 2009-04-28 14:27 24064 c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
+ 2006-10-09 14:10 . 2009-04-28 18:05 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-09 14:10 . 2009-04-28 13:34 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-09 14:10 . 2009-04-28 13:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-10-09 14:10 . 2009-04-28 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-09 14:10 . 2009-04-28 13:34 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2006-10-09 14:10 . 2009-04-28 18:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2009-04-28 14:04 441954 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-04-28 13:25 441954 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-11 68856]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-09-21 9138176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-05 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-05 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-05 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"FtLnSOP_setup"="c:\windows\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 212992]
"FJTWAIN Setup"="c:\windows\Twain_32\fjscan32\FjtwSetup.exe" [2004-09-01 126976]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
ChkDisk.dll [2009-4-28 24064]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTaskGrouping"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-04-30 22:08 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=pyspbt.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0fnxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2qrxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5ctxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7aixx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7arxx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 ati0fnxx;ati0fnxx; [x]
R0 ati2qrxx;ati2qrxx; [x]
R0 ati5ctxx;ati5ctxx; [x]
R0 ati7aixx;ati7aixx; [x]
R0 ati7arxx;ati7arxx; [x]
R1 244597bf;244597bf; [x]
R1 srr;srr; [x]
R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTXP.sys [2005-03-10 38528]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 stmtpm;STM TPM Service;c:\windows\system32\DRIVERS\stm_tpm.sys [2006-05-19 21504]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ktbncicx
.
Contents of the 'Scheduled Tasks' folder

2009-04-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-11 08:08]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-autochk - c:\windows\system32\autochk.dll
HKU-Default-Run-autochk - c:\docume~1\LOCALS~1\protect.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wtov9.com/
uInternet Settings,ProxyOverride = *.local
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\WS3\Application Data\Mozilla\Firefox\Profiles\s18ngle8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wtov9.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 14:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxecmapsaj.sys 81408 bytes executable
c:\windows\system32\ovfsthxaepwqwlr.dll 18432 bytes executable
c:\windows\system32\ovfsthxhxuslkiv.dat 43079 bytes
c:\windows\system32\ovfsthxkkdyqldr.dat 43 bytes
c:\windows\system32\ovfsthxlog.dat 655 bytes
c:\windows\system32\ovfsthxrhtpphst.dll 59904 bytes executable
c:\windows\system32\ovfsthxyukoraoh.dll 18432 bytes executable


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(804)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3132)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\rundll32.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-28 14:12 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 18:11
ComboFix2.txt 2009-04-28 13:38

Pre-Run: 144,711,929,856 bytes free
Post-Run: 144,712,617,984 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

266 --- E O F --- 2009-04-28 13:18

miekiemoes, on Apr 28 2009, 01:56 PM, said:

No, it's not supposed to scan that long.

Did you disable your Antivirus? Because I know Norton may interfere with it.

Anyway, please abort the scan, reboot and then try to run it from Windows safe mode.

°To get into the Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

Also, did you install the Recovery console through combofix at the beginning? Because that is really important!!

[miekiemoes]

Hi,

Quote

When I restarted the computer, I did get a Combofix log. Should I still restart and run it again in safe mode?

No, not needed anymore.

I see userinit.exe got restored in a meanwhile.
This computer was / and still is severly infected. It looks like during our instructions, it installed another infection on top.

Anyway,

Let's deal with the rest now.. Please disable Norton!!
In case of problems, run from Safe mode.

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\loader49.exe
c:\windows\system32\loader266.exe
Rootkit::
c:\windows\system32\drivers\ovfsthxecmapsaj.sys
c:\windows\system32\ovfsthxaepwqwlr.dll
c:\windows\system32\ovfsthxhxuslkiv.dat
c:\windows\system32\ovfsthxkkdyqldr.dat
c:\windows\system32\ovfsthxlog.dat
c:\windows\system32\ovfsthxrhtpphst.dll
c:\windows\system32\ovfsthxyukoraoh.dll
NetSvc::
ktbncicx
Driver::
srr
ati2qrxx
ati0fnxx
ati5ctxx
244597bf
ati7arxx
ati7aixx
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati0fnxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati2qrxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati5ctxx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7aixx.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati7arxx.sys]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

[amarita77]

I disabled the anti-virus, but it looks like it keeps enabling itself. I re-ran Combofix, and it went much more quickly this time. This is what I got:

ComboFix 09-04-27.05 - WS3 04/28/2009 14:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1474 [GMT -4:00]
Running from: c:\documents and settings\WS3\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\WS3\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

FILE ::
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\loader266.exe
c:\windows\system32\loader49.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\protect.dll
c:\documents and settings\WS3\protect.dll
c:\documents and settings\WS3\Start Menu\Programs\Startup\ChkDisk.dll
c:\documents and settings\WS3\Start Menu\Programs\Startup\ChkDisk.lnk
c:\windows\system32\autochk.dll
c:\windows\system32\config\systemprofile\protect.dll
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll
c:\windows\system32\drivers\ovfsthxecmapsaj.sys
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\loader266.exe
c:\windows\system32\loader49.exe
c:\windows\system32\ovfsthxaepwqwlr.dll
c:\windows\system32\ovfsthxhxuslkiv.dat
c:\windows\system32\ovfsthxkkdyqldr.dat
c:\windows\system32\ovfsthxlog.dat
c:\windows\system32\ovfsthxrhtpphst.dll
c:\windows\system32\ovfsthxyukoraoh.dll
c:\windows\TEMP\msb.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ATI2QRXX
-------\Legacy_srr
-------\Service_244597bf
-------\Service_ati0fnxx
-------\Service_ati2qrxx
-------\Service_ati5ctxx
-------\Service_ati7aixx
-------\Service_ati7arxx
-------\Service_srr


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-28 13:16 . 2004-08-04 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-28 13:14 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-28 13:14 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-28 13:14 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-28 13:14 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-28 13:14 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-28 13:14 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-28 13:14 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-28 13:14 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-28 13:14 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-28 13:13 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-28 13:13 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-28 11:54 . 2009-04-28 11:54 0 ----a-w c:\windows\nsreg.dat
2009-04-28 11:54 . 2009-04-28 11:54 -------- d-----w c:\documents and settings\WS3\Local Settings\Application Data\Mozilla
2009-04-27 18:17 . 2009-04-27 18:17 -------- d-----w c:\program files\Trend Micro
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\program files\iPod
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\program files\iTunes
2009-03-31 12:47 . 2009-03-31 13:23 -------- d-----w c:\documents and settings\WS3\Application Data\DiskAid
2009-03-31 12:47 . 2009-03-31 12:47 -------- d-----w c:\program files\DigiDNA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-27 19:46 . 2008-12-22 21:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-27 12:27 . 2008-09-26 15:52 -------- d-----w c:\program files\LimeWire
2009-04-13 19:46 . 2008-09-15 12:42 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 19:32 . 2008-12-22 21:24 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-22 21:24 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-30 13:29 . 2008-03-18 13:42 -------- d-----w c:\program files\Coupons
2009-03-23 19:51 . 2009-03-23 19:51 -------- d-----w c:\program files\Bonjour
2009-03-23 19:51 . 2009-03-23 19:50 -------- d-----w c:\program files\QuickTime
2009-03-19 20:32 . 2008-10-28 18:20 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 19:53 . 2009-03-18 19:53 -------- d-----w c:\program files\Midmark Diagnostics Group
2009-03-18 19:53 . 2006-10-09 14:24 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-18 19:53 . 2009-03-18 19:53 -------- d-----w c:\program files\Enigma
2009-03-18 17:33 . 2009-03-18 17:33 -------- d-----w c:\program files\MDGPDFDriver
2009-03-18 17:32 . 2007-06-26 20:23 -------- d-----w c:\program files\HSI
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-23 19:48 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-09-22 19:00 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-26 00:32 . 2008-05-14 18:41 557056 ----a-w c:\windows\system32\HenryScheinUserControlHost.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-28_13.35.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-28 18:44 . 2009-04-28 18:44 16384 c:\windows\Temp\Perflib_Perfdata_268.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 24576 c:\windows\system32\userinit.exe
- 2004-08-04 12:00 . 2009-04-28 13:25 71512 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2009-04-28 14:04 71512 c:\windows\system32\perfc009.dat
+ 2004-08-04 12:00 . 2004-08-04 12:00 24576 c:\windows\system32\dllcache\userinit.exe
+ 2006-10-09 14:10 . 2009-04-28 18:05 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2006-10-09 14:10 . 2009-04-28 13:34 49152 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-10-09 14:10 . 2009-04-28 18:05 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2006-10-09 14:10 . 2009-04-28 13:34 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2006-10-09 14:10 . 2009-04-28 18:05 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2006-10-09 14:10 . 2009-04-28 13:34 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-04 12:00 . 2009-04-28 14:04 441954 c:\windows\system32\perfh009.dat
- 2004-08-04 12:00 . 2009-04-28 13:25 441954 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-11 68856]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-09-21 9138176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-05 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-05 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-05 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"FtLnSOP_setup"="c:\windows\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 212992]
"FJTWAIN Setup"="c:\windows\Twain_32\fjscan32\FjtwSetup.exe" [2004-09-01 126976]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"autochk"="c:\windows\system32\autochk.dll" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"autochk"="c:\docume~1\LOCALS~1\protect.dll" [BU]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTaskGrouping"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-04-30 22:08 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTXP.sys [2005-03-10 38528]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 stmtpm;STM TPM Service;c:\windows\system32\DRIVERS\stm_tpm.sys [2006-05-19 21504]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]

.
Contents of the 'Scheduled Tasks' folder

2009-04-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-11 08:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wtov9.com/
uInternet Settings,ProxyOverride = *.local
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\WS3\Application Data\Mozilla\Firefox\Profiles\s18ngle8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wtov9.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-28 14:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(812)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(2964)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Intel\AMT\atchksrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\AMT\LMS.exe
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-04-28 14:50 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-28 18:49
ComboFix2.txt 2009-04-28 18:12
ComboFix3.txt 2009-04-28 13:38

Pre-Run: 144,735,178,752 bytes free
Post-Run: 144,722,505,728 bytes free

247 --- E O F --- 2009-04-28 13:18

miekiemoes, on Apr 28 2009, 02:30 PM, said:

Hi,

No, not needed anymore.

I see userinit.exe got restored in a meanwhile.
This computer was / and still is severly infected. It looks like during our instructions, it installed another infection on top.

Anyway,

Let's deal with the rest now.. Please disable Norton!!
In case of problems, run from Safe mode.

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:



Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

[miekiemoes]

Hi,

This looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

[amarita77]

Thank you so much for all your help! I re-ran the anti-malware and it showed no infected items. I don't know what I would've done without your help!

Malwarebytes' Anti-Malware 1.36
Database version: 2050
Windows 5.1.2600 Service Pack 3

4/28/2009 4:37:31 PM
mbam-log-2009-04-28 (16-37-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 156068
Time elapsed: 27 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[miekiemoes]

This looks OK again.

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[amarita77]

When I started up my computer this morning, I ran anti-malware 3 times. Each time, it shows infected items. I reboot and rerun the scan and get the same thing.

Malwarebytes' Anti-Malware 1.36
Database version: 2050
Windows 5.1.2600 Service Pack 3

4/30/2009 9:20:47 AM
mbam-log-2009-04-30 (09-20-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 164361
Time elapsed: 18 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 9

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\protect.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\Start Menu\Programs\Startup\ChkDisk.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Delete on reboot.
C:\Documents and Settings\WS3\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\WS3\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\WS3\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Delete on reboot.

[miekiemoes]

Hi,

It looks like you got reinfected

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[amarita77]

Here's the new log.

ComboFix 09-04-29.07 - WS3 04/30/2009 12:55.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1627 [GMT -4:00]
Running from: c:\documents and settings\WS3\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\WS3\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\system32\bedepeba.exe
c:\windows\system32\drivers\ovfsthoklmkdvhbjlkmbppypobcnvqtaoowprt.sys
c:\windows\system32\drivers\ovfsthxecmapsaj.sys
c:\windows\system32\lmppcsetup.exe
c:\windows\system32\ovfstheddjwbaddtoqxdboucdocfvpxhhmrsjg.dll
c:\windows\system32\ovfsthkaaipuxlvkkekhldwibhujcgaijkxvbx.dat
c:\windows\system32\ovfsthldanetavncgnwassjiexwwqeuyxrrtms.dll
c:\windows\system32\ovfsthlpjtnbirdbqirmlrdbqxlswhxfqtoduf.dll
c:\windows\system32\ovfsthtqnafuxgqlrobhbvodyixrmbltneaoch.dat
c:\windows\system32\ovfsthxaepwqwlr.dll
c:\windows\system32\ovfsthxhxuslkiv.dat
c:\windows\system32\ovfsthxkkdyqldr.dat
c:\windows\system32\ovfsthxrhtpphst.dll
c:\windows\system32\ovfsthxyukoraoh.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ovfsthwujnbaqpqqtvtrramvlluersbnyrdlms
-------\Service_ovfsthxrkispfdc


((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-28 13:16 . 2004-08-04 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-28 13:14 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-28 13:14 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-28 13:14 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-28 13:14 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-28 13:14 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-28 13:14 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-28 13:14 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-28 13:14 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-28 13:14 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-28 13:13 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-28 13:13 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-28 11:54 . 2009-04-28 11:54 0 ----a-w c:\windows\nsreg.dat
2009-04-28 11:54 . 2009-04-28 11:54 -------- d-----w c:\documents and settings\WS3\Local Settings\Application Data\Mozilla
2009-04-27 18:17 . 2009-04-27 18:17 -------- d-----w c:\program files\Trend Micro
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\program files\iPod
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 12:12 . 2008-09-26 15:52 -------- d-----w c:\program files\LimeWire
2009-04-29 17:07 . 2008-03-18 13:42 -------- d-----w c:\program files\Coupons
2009-04-27 19:46 . 2008-12-22 21:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 19:46 . 2008-09-15 12:42 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 19:32 . 2008-12-22 21:24 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-22 21:24 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 12:47 . 2009-03-31 12:47 -------- d-----w c:\program files\DigiDNA
2009-03-23 19:51 . 2009-03-23 19:51 -------- d-----w c:\program files\Bonjour
2009-03-23 19:51 . 2009-03-23 19:50 -------- d-----w c:\program files\QuickTime
2009-03-19 20:32 . 2008-10-28 18:20 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 19:53 . 2009-03-18 19:53 -------- d-----w c:\program files\Midmark Diagnostics Group
2009-03-18 19:53 . 2006-10-09 14:24 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-18 19:53 . 2009-03-18 19:53 -------- d-----w c:\program files\Enigma
2009-03-18 17:33 . 2009-03-18 17:33 -------- d-----w c:\program files\MDGPDFDriver
2009-03-18 17:32 . 2007-06-26 20:23 -------- d-----w c:\program files\HSI
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-23 19:48 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-09-22 19:00 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-26 00:32 . 2008-05-14 18:41 557056 ----a-w c:\windows\system32\HenryScheinUserControlHost.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-11 68856]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-09-21 9138176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-05 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-05 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-05 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"FtLnSOP_setup"="c:\windows\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 212992]
"FJTWAIN Setup"="c:\windows\Twain_32\fjscan32\FjtwSetup.exe" [2004-09-01 126976]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTaskGrouping"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-04-30 22:08 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTXP.sys [2005-03-10 38528]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 stmtpm;STM TPM Service;c:\windows\system32\DRIVERS\stm_tpm.sys [2006-05-19 21504]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]

.
Contents of the 'Scheduled Tasks' folder

2009-04-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-11 08:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wtov9.com/
uInternet Settings,ProxyOverride = *.local
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\WS3\Application Data\Mozilla\Firefox\Profiles\s18ngle8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wtov9.com/
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 12:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(728)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(784)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-04-30 13:01
ComboFix-quarantined-files.txt 2009-04-30 16:59
ComboFix2.txt 2009-04-28 18:50

Pre-Run: 144,686,747,648 bytes free
Post-Run: 144,708,276,224 bytes free

187 --- E O F --- 2009-04-28 13:18

[miekiemoes]

Hi,

Please reboot and run Combofix once more..

[amarita77]

Ok. I reran it.

ComboFix 09-04-30.02 - WS3 04/30/2009 16:15.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2022.1489 [GMT -4:00]
Running from: c:\documents and settings\WS3\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-03-28 to 2009-04-30 )))))))))))))))))))))))))))))))
.

2009-04-28 13:16 . 2004-08-04 12:00 221184 ----a-w c:\windows\system32\wmpns.dll
2009-04-28 13:14 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-28 13:14 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-28 13:14 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-28 13:14 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-28 13:14 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-28 13:14 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-28 13:14 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-28 13:14 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-28 13:14 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-28 13:13 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-28 13:13 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-28 11:54 . 2009-04-28 11:54 0 ----a-w c:\windows\nsreg.dat
2009-04-28 11:54 . 2009-04-28 11:54 -------- d-----w c:\documents and settings\WS3\Local Settings\Application Data\Mozilla
2009-04-27 18:17 . 2009-04-27 18:17 -------- d-----w c:\program files\Trend Micro
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\program files\iPod
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-04-13 19:46 . 2009-04-13 19:46 -------- d-----w c:\program files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 12:12 . 2008-09-26 15:52 -------- d-----w c:\program files\LimeWire
2009-04-29 17:07 . 2008-03-18 13:42 -------- d-----w c:\program files\Coupons
2009-04-27 19:46 . 2008-12-22 21:24 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-13 19:46 . 2008-09-15 12:42 -------- d-----w c:\program files\Common Files\Apple
2009-04-06 19:32 . 2008-12-22 21:24 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 19:32 . 2008-12-22 21:24 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 12:47 . 2009-03-31 12:47 -------- d-----w c:\program files\DigiDNA
2009-03-23 19:51 . 2009-03-23 19:51 -------- d-----w c:\program files\Bonjour
2009-03-23 19:51 . 2009-03-23 19:50 -------- d-----w c:\program files\QuickTime
2009-03-19 20:32 . 2008-10-28 18:20 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-18 19:53 . 2009-03-18 19:53 -------- d-----w c:\program files\Midmark Diagnostics Group
2009-03-18 19:53 . 2006-10-09 14:24 -------- d--h--w c:\program files\InstallShield Installation Information
2009-03-18 19:53 . 2009-03-18 19:53 -------- d-----w c:\program files\Enigma
2009-03-18 17:33 . 2009-03-18 17:33 -------- d-----w c:\program files\MDGPDFDriver
2009-03-18 17:32 . 2007-06-26 20:23 -------- d-----w c:\program files\HSI
2009-03-06 14:22 . 2004-08-04 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 03:59 . 2009-03-23 19:48 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-03-06 03:59 . 2008-09-22 19:00 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-26 00:32 . 2008-05-14 18:41 557056 ----a-w c:\windows\system32\HenryScheinUserControlHost.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 12:10 . 2004-08-04 12:00 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2004-08-04 12:00 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-04 12:00 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 11:13 . 2004-08-04 12:00 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-04 12:00 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2004-08-04 12:00 56832 ----a-w c:\windows\system32\secur32.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_16.58.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-04-30 20:13 . 2009-04-30 20:13 16384 c:\windows\Temp\Perflib_Perfdata_260.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-06-11 68856]
"DW6"="c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe" [2009-02-11 801904]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"Microsoft Location Finder"="c:\program files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 101080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-09-21 9138176]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-01-05 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-01-05 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-01-05 94208]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-03-17 124656]
"FtLnSOP_setup"="c:\windows\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 212992]
"FJTWAIN Setup"="c:\windows\Twain_32\fjscan32\FjtwSetup.exe" [2004-09-01 126976]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoTaskGrouping"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-04-30 22:08 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R2 LMIInfo;LogMeIn Kernel Information Provider; [x]
R3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTXP.sys [2005-03-10 38528]
R4 LMIRfsClientNP;LMIRfsClientNP; [x]
S0 stmtpm;STM TPM Service;c:\windows\system32\DRIVERS\stm_tpm.sys [2006-05-19 21504]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2008-03-07 45848]
S2 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-03-17 115952]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-09-02 99376]

.
Contents of the 'Scheduled Tasks' folder

2009-04-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-04-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-06-11 08:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wtov9.com/
uInternet Settings,ProxyOverride = *.local
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
FF - ProfilePath - c:\documents and settings\WS3\Application Data\Mozilla\Firefox\Profiles\s18ngle8.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.wtov9.com/
FF - plugin: c:\documents and settings\WS3\Application Data\Mozilla\Firefox\Profiles\s18ngle8.default\extensions\{0C7E3F01-99E9-4095-9BDC-F84724960B57}\plugins\NPCpnMgr.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 16:17
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(748)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'lsass.exe'(808)
c:\program files\Bonjour\mdnsNSP.dll

- - - - - - - > 'explorer.exe'(3036)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
Completion time: 2009-04-30 16:20
ComboFix-quarantined-files.txt 2009-04-30 20:18
ComboFix2.txt 2009-04-30 20:11
ComboFix3.txt 2009-04-30 17:01
ComboFix4.txt 2009-04-28 18:50

Pre-Run: 144,672,301,056 bytes free
Post-Run: 144,665,161,728 bytes free

179 --- E O F --- 2009-04-28 13:18