Jump to content

Malwarebytes

Userinit keeps popping up

- - - - -
Started by Morry, Jul 17 2009 02:28 PM

7 replies to this topic

#1
Morry
Posted 17 July 2009 - 02:28 PM

    New Member

  • Members
  • Pip
  • 4 posts
MBAM keeps showing Userinit.exe as a trojan each time it runs.

Quote

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/17/2009 7:12:49 AM
mbam-log-2009-07-17 (07-12-49).txt

Scan type: Quick Scan
Objects scanned: 142377
Time elapsed: 13 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Quote

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:16:16 AM, on 7/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE
C:\Program Files\ARX\ARX CryptoKit\utils\arcltsrv.exe
C:\Program Files\B's Recorder GOLD8\bgsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\GetVxWorksHost_Service\srvany.exe
C:\GetVxWorksHost_Service\GetVxWorksHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\QosServM.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkcitdl.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe
C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Panasonic\WSwitch\WSwitch.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\FIDTPU\WIN2K\FTMSFLTU.EXE
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\WINDOWS\system32\RButton.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Documents and Settings\DS\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe
E:\PortableApps\PortableApps.com\PortableAppsPlatform.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\nipalsm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\iAvenue\Avenue.exe
C:\Program Files\Common Files\Microsoft Shared\Speech\sapisvr.exe
C:\iAvenue\SSAppRegistry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Siber Systems\GoodSync\GoodSync.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\DS\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Program Files\Microsoft Office\Office12\EXCEL.EXE
C:\iAvenue\FSRPrint.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TC UP\totalcmd.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\TC UP\PLUGINS\Media\Notepad++\notepad++.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.med.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O2 - BHO: AvayaIEHlprObj Class - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [WSwitch] C:\Program Files\Panasonic\WSwitch\WSwitch.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Panasonic Hotkey Manager] C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\pcinfo\PcInfoUt.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [FTMSFLT(USB)] C:\Program Files\FIDTPU\WIN2K\FTMSFLTU.EXE
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PWRESET] C:\Program Files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [InnoSetupRegFile.0000000001] "C:\WINDOWS\is-LHJKD.exe" /REG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\DS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /FU "C:\WINDOWS\TEMP\E_S11D.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: StartPortableApps.lnk = E:\StartPortableApps.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?bb4038b5d84247f081b4c4f7687f15fa
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?bb4038b5d84247f081b4c4f7687f15fa
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.29.0\gears.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243963751735
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243963674594
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.med.com
O17 - HKLM\Software\..\Telephony: DomainName = na.med.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.med.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.med.com
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ARcltsrv - Algorithmic Research Ltd. - C:\Program Files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE
O23 - Service: B's Recorder GOLD Service (bgsvc) - B.H.A Corporation - C:\Program Files\B's Recorder GOLD8\bgsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - E:\xampp\filezillaftp\filezillaserver.exe
O23 - Service: GetVxWorksHost - Unknown owner - C:\GetVxWorksHost_Service\srvany.exe
O23 - Service: Google Update Service (gupdate1c9be9eb2736671) (gupdate1c9be9eb2736671) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINDOWS\system32\QosServM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Panasonic PC Information Viewer Service 2 (PcInfoPi) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe
O23 - Service: Panasonic PC Information Viewer (PcInfoSV) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 20924 bytes

#2
Tigger93
Posted 17 July 2009 - 05:26 PM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Hi. :(

Download ComboFix from one of the locations below, and save it to your Desktop.
[indent] Link 1
Link 2 [/indent]Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouseclick Combofix's window while its running. That may cause it to stall

#3
Morry
Posted 18 July 2009 - 02:48 PM

    New Member

  • Members
  • Pip
  • 4 posts
Thanks for taking up the cause, Tigger93. Here are my logs:

Quote

ComboFix 09-07-14.08 - DS 07/18/2009 0:27.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1016 [GMT -7:00]
Running from: c:\documents and settings\DS\Desktop\ComboFix.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\program files\sys
c:\windows\Installer\1226390.msi
c:\windows\Installer\1226391.msp
c:\windows\Installer\12c05d9.msi
c:\windows\Installer\12c05dd.msi
c:\windows\Installer\bcabc.msi
c:\windows\system32\config\systemprofile\XP Deluxe Protector

----- BITS: Possible infected sites -----

hxxp://gnbd1.cn
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\userinit.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYS
-------\Legacy_SYSDRV


((((((((((((((((((((((((( Files Created from 2009-06-18 to 2009-07-18 )))))))))))))))))))))))))))))))
.

2009-07-18 07:31 . 2008-04-14 00:12 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-18 07:31 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-02 05:44 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-06-30 19:37 . 2006-01-18 18:17 11904 ----a-w- c:\windows\system32\drivers\BrUsbSer.sys
2009-06-30 19:37 . 2004-09-21 04:11 37888 ----a-w- c:\windows\system32\BrUSi04b.dll
2009-06-30 19:37 . 2006-01-18 13:44 53248 ----a-w- c:\windows\system32\drivers\BrSerIf.sys
2009-06-30 19:37 . 2004-10-15 03:50 15295 ----a-w- c:\windows\system32\drivers\BrScnUsb.sys
2009-06-26 20:41 . 2009-06-26 20:41 -------- d-----w- c:\program files\Trend Micro
2009-06-26 04:49 . 2009-07-17 08:00 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-23 23:17 . 2009-06-23 23:17 -------- d-----w- c:\program files\TomTom International B.V
2009-06-23 18:50 . 2009-06-23 18:50 -------- d-----w- c:\program files\Fast Duplicate File Finder
2009-06-22 22:23 . 2009-06-22 22:23 239088 ----a-w- c:\documents and settings\DS\Application Data\Mozilla\plugins\npgoogletalk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-18 07:21 . 2008-03-21 17:36 -------- d-----w- c:\program files\Google
2009-07-18 00:20 . 2009-06-02 17:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-16 18:18 . 2009-03-13 17:11 -------- d-----w- c:\documents and settings\DS\Application Data\GoodSync
2009-07-13 20:36 . 2009-06-02 17:13 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-13 20:36 . 2009-06-02 17:13 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-13 19:23 . 2009-07-13 19:23 -------- d-----w- c:\program files\iTunes
2009-07-13 19:23 . 2009-07-13 19:23 -------- d-----w- c:\program files\iPod
2009-07-13 19:23 . 2008-12-14 18:45 -------- d-----w- c:\program files\Common Files\Apple
2009-07-13 19:20 . 2009-07-13 19:19 -------- d-----w- c:\program files\QuickTime
2009-07-13 19:06 . 2009-07-13 19:06 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-07-11 14:35 . 2008-07-23 01:01 -------- d-----w- c:\program files\Siber Systems
2009-07-06 12:03 . 2008-03-21 18:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-03 03:34 . 2008-07-23 10:16 -------- d-----w- c:\program files\TC UP
2009-06-30 19:41 . 2008-07-28 04:52 65 ----a-w- c:\windows\system32\BD7820N.dat
2009-06-26 00:44 . 2008-03-21 18:13 -------- d-----w- c:\program files\EER
2009-06-24 03:30 . 2008-12-06 00:40 256 ----a-w- c:\windows\system32\pool.bin
2009-06-23 23:16 . 2008-08-09 15:19 -------- d-----w- c:\program files\TomTom HOME 2
2009-06-10 07:39 . 2008-06-19 19:04 -------- d-----w- c:\program files\Java
2009-06-10 07:36 . 2009-06-10 07:36 152576 ----a-w- c:\documents and settings\DS\Application Data\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-10 01:58 . 2007-03-28 02:18 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-10 01:57 . 2008-08-22 22:24 -------- d-----w- c:\program files\Sling Media
2009-06-08 15:37 . 2009-06-08 15:37 -------- d-----w- c:\program files\Verizon Wireless
2009-06-07 00:25 . 2008-08-06 00:10 -------- d-----w- c:\program files\Common Files\Research in Motion
2009-06-06 14:14 . 2009-06-06 14:14 -------- d-----w- c:\documents and settings\DS\Application Data\Malwarebytes
2009-06-05 19:06 . 2009-06-05 19:06 0 ----a-w- c:\documents and settings\DS\Application Data\~ygw.tmp
2009-06-04 15:29 . 2009-06-04 15:29 -------- d-----w- c:\program files\Microsoft Visual Studio .NET 2003
2009-06-04 15:29 . 2009-06-04 15:29 -------- d-----w- c:\program files\Common Files\Crystal Decisions
2009-06-04 14:36 . 2008-10-21 21:05 87616 ----a-w- c:\documents and settings\DS\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-04 13:44 . 2009-06-02 18:10 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 13:41 . 2009-06-02 18:14 -------- d-----w- c:\program files\MSBuild
2009-06-04 13:41 . 2009-06-04 13:41 -------- d-----w- c:\program files\Microsoft.NET
2009-06-04 13:38 . 2009-06-04 13:38 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-06-04 12:16 . 2008-07-26 03:26 -------- d-----w- c:\program files\Live Search Maps for Outlook
2009-06-02 18:36 . 2009-06-02 18:36 -------- d-----w- c:\program files\Reference Assemblies
2009-06-02 18:22 . 2008-04-10 20:01 -------- d-----w- c:\program files\MSECache
2009-06-02 17:13 . 2009-06-02 17:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-06-02 17:13 . 2009-06-02 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-27 23:35 . 2009-05-27 23:35 -------- d-----w- c:\documents and settings\DS\Application Data\TweetDeckFast.F9107117265DB7542C1A806C8DB837742CE14C21.1
2009-05-27 23:35 . 2009-05-27 23:35 -------- d-----w- c:\program files\TweetDeck
2009-05-27 23:35 . 2009-05-27 23:35 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-27 23:34 . 2009-05-27 23:35 38208 ----a-w- c:\documents and settings\DS\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-21 18:33 . 2009-04-26 18:01 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-04-29 04:46 . 2007-03-27 17:15 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2007-03-27 17:13 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-26 17:49 . 2009-04-26 17:49 152576 ----a-w- c:\documents and settings\DS\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2004-03-15 21:51 . 2004-03-15 21:51 114688 ------w- c:\program files\internet explorer\plugins\LV71ActiveXControl.dll
2006-01-23 14:32 . 2006-01-23 14:32 131072 ------w- c:\program files\internet explorer\plugins\LV80ActiveXControl.dll
2007-02-08 14:48 . 2007-02-08 14:48 133920 ------w- c:\program files\internet explorer\plugins\LV82ActiveXControl.dll
2007-07-24 23:03 . 2007-07-24 23:03 118784 ------w- c:\program files\internet explorer\plugins\LV85ActiveXControl.dll
2009-06-26 05:17 . 2008-07-23 00:51 137208 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-04-24 251240]
"Google Update"="c:\documents and settings\DS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-03 133104]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2007-08-30 205480]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 131072]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"WSwitch"="c:\program files\Panasonic\WSwitch\WSwitch.exe" [2007-03-20 726672]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-15 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-15 688218]
"Panasonic Hotkey Manager"="c:\program files\Panasonic\Hotkey Appendix\HKEYAPP.EXE" [2006-12-16 976528]
"PCinfo"="c:\program files\Panasonic\pcinfo\PcInfoUt.exe" [2006-11-30 87696]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"B'sCLiP"="c:\progra~1\B'SCLI~1\Win2K\BSCLIP.exe" [2006-01-16 675840]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-15 868352]
"FTMSFLT(USB)"="c:\program files\FIDTPU\WIN2K\FTMSFLTU.EXE" [2005-06-23 82063]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\iFrmewrk.exe" [2007-02-21 970752]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UdaterUI.exe" [2008-02-20 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2008-07-17 111952]
"PWRESET"="c:\program files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe" [2001-10-24 45056]
"RightFAX Print-to-Fax Driver"="c:\program files\RightFax\Client\English\FaxCtrl.exe" [2004-01-18 110592]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2008-05-24 1011712]
"mxomssmenu"="c:\program files\Maxtor\OneTouch Status\maxmenumgr.exe" [2008-07-21 169312]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-06-05 615696]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-09-19 236016]
"PRunOnce"="c:\util\prunonce\PRunOnce.exe" [2004-08-06 110592]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-21 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-07-13 414992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2005-05-12 4167376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]

c:\documents and settings\DS\Start Menu\Programs\Startup\
StartPortableApps.lnk - E:\StartPortableApps.exe [2009-3-10 89280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2008-4-3 81920]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Network Associates\\Common Framework\\FrameworkService.exe"=
"c:\\Program Files\\Microsoft Office\\Live Meeting 8\\Console\\PWConsole.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R0 BsStor;B.H.A Storage Helper Driver;c:\windows\system32\drivers\bsstor.sys [3/28/2007 11:54 AM 10112]
R0 nipbcfk;National Instruments Class Upper Filter Driver;c:\windows\system32\drivers\nipbcfk.sys [7/10/2007 4:08 PM 15448]
R0 PzWDM;PzWDM;c:\windows\system32\drivers\PzWDM.sys [3/25/2009 4:00 PM 15172]
R1 VD_FileDisk;VD_FileDisk;c:\windows\system32\drivers\vd_filedisk.sys [1/13/2006 6:00 AM 15872]
R2 bgsvc;B's Recorder GOLD Service;c:\program files\B's Recorder GOLD8\bgsvc.exe [3/28/2007 11:53 AM 81920]
R2 BRA_Scheduler;Brother BRAdminPro Scheduler;c:\program files\Brother\BRAdmin Professional 3\bratimer.exe [8/8/2008 7:23 AM 65536]
R2 BsUDF;BsUDF;c:\windows\system32\drivers\BsUDF.sys [3/28/2007 11:54 AM 164992]
R2 GetVxWorksHost;GetVxWorksHost;c:\getvxworkshost_service\srvany.exe [3/21/2008 11:24 AM 13312]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/2/2009 10:13 AM 211216]
R2 nidevldu;NI Device Loader;c:\windows\system32\nipalsm.exe [2/16/2007 7:21 AM 12696]
R2 nipxirmk;nipxirmk;c:\windows\system32\drivers\nipxirmkl.sys [9/18/2007 4:24 AM 11552]
R2 NiViPxiK;NI-VISA PXI Driver;c:\windows\system32\drivers\NiViPxiKl.sys [7/19/2007 8:56 AM 11360]
R2 PcInfoPi;Panasonic PC Information Viewer Service 2;c:\program files\Panasonic\pcinfo\PCInfoPi.exe [3/27/2007 8:38 PM 54928]
R2 PcInfoSV;Panasonic PC Information Viewer;c:\program files\Panasonic\pcinfo\PCInfoSV.exe [3/27/2007 8:38 PM 186000]
R2 SDKEY;Panasonic SD Misc. Function Driver;c:\program files\Panasonic\SDKEY\SDKEY.sys [3/27/2007 8:19 PM 8192]
R2 SentinelKeysServer;Sentinel Keys Server;c:\program files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe [3/21/2008 1:20 AM 327800]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [4/27/2009 6:09 PM 93960]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [4/24/2009 4:57 AM 92008]
R3 FIDTPU;Fujitsu Touch Panel (USB);c:\windows\system32\drivers\FIDTPU.sys [3/27/2007 10:20 AM 27031]
R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [3/27/2007 10:19 AM 36352]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/2/2009 10:13 AM 19096]
R3 NewMisc;Panasonic Misc Driver;c:\windows\system32\drivers\newmisc.sys [3/27/2007 10:19 AM 42624]
R3 nidimk;nidimk;c:\windows\system32\drivers\nidimkl.sys [12/14/2007 9:41 AM 11360]
R3 nimru2k;nimru2k;c:\windows\system32\drivers\nimru2kl.sys [12/14/2007 12:06 PM 11360]
R3 nimstsk;nimstsk;c:\windows\system32\drivers\nimstskl.sys [12/18/2007 3:14 PM 11360]
S2 gupdate1c9be9eb2736671;Google Update Service (gupdate1c9be9eb2736671);c:\program files\Google\Update\GoogleUpdate.exe [4/16/2009 7:21 AM 133104]
S3 cglptnt;cglptnt;c:\program files\TC UP\CGLPTNT.SYS [6/24/2009 10:50 PM 7888]
S3 lvalarmk;lvalarmk;c:\windows\system32\drivers\lvalarmk.sys [12/20/2007 6:37 AM 20056]
S3 ni1006k;NI PXI-1006 Chassis Pilot;c:\windows\system32\drivers\ni1006k.sys [10/8/2007 11:10 AM 25888]
S3 ni1045k;NI PXI-1045 Chassis Pilot;c:\windows\system32\drivers\ni1045kl.sys [10/8/2007 11:10 AM 11552]
S3 ni1065k;NI PXIe-1065 Chassis Pilot;c:\windows\system32\drivers\ni1065k.sys [10/8/2007 11:10 AM 22360]
S3 nicdrk;nicdrk;c:\windows\system32\drivers\nicdrkl.sys [12/26/2007 8:53 AM 11352]
S3 nicsrk;nicsrk;c:\windows\system32\drivers\nicsrkl.sys [2/22/2008 8:25 AM 11336]
S3 nidmxfk;nidmxfk;c:\windows\system32\drivers\nidmxfkl.sys [12/18/2007 3:20 PM 11336]
S3 nidsark;nidsark;c:\windows\system32\drivers\nidsarkl.sys [2/15/2008 12:37 PM 11344]
S3 niemrk;niemrk;c:\windows\system32\drivers\niemrkl.sys [2/22/2008 8:25 AM 11336]
S3 niemrkw;niemrkw;c:\windows\system32\drivers\niemrkw.sys [7/10/2008 8:37 AM 11336]
S3 niesrk;niesrk;c:\windows\system32\drivers\niesrkl.sys [2/22/2008 8:25 AM 11336]
S3 nifslk;nifslk;c:\windows\system32\drivers\nifslkl.sys [12/26/2007 8:18 AM 11352]
S3 nimsdrk;nimsdrk;c:\windows\system32\drivers\nimsdrkl.sys [1/11/2008 1:08 PM 11392]
S3 nimslk;nimslk;c:\windows\system32\drivers\nimslk.dll [11/27/2007 10:46 AM 14464]
S3 nimsrlk;nimsrlk;c:\windows\system32\drivers\nimsrlk.dll [11/27/2007 10:46 AM 151683]
S3 nimxpk;nimxpk;c:\windows\system32\drivers\nimxpkl.sys [12/18/2007 3:14 PM 11368]
S3 ninshsdk;ninshsdk;c:\windows\system32\drivers\ninshsdkl.sys [12/27/2007 6:45 AM 11360]
S3 nipalfwedl;nipalfwedl;c:\windows\system32\drivers\nipalfwedl.sys [12/12/2007 8:23 PM 11904]
S3 nipalusbedl;nipalusbedl;c:\windows\system32\drivers\nipalusbedl.sys [12/12/2007 8:22 PM 11896]
S3 nipxigpk;NI PXI Generic Chassis Pilot;c:\windows\system32\drivers\nipxigpk.sys [11/26/2007 2:22 PM 20768]
S3 niscdk;niscdk;c:\windows\system32\drivers\niscdkl.sys [1/7/2008 9:38 PM 11376]
S3 nisdigk;nisdigk;c:\windows\system32\drivers\nisdigkl.sys [1/7/2008 9:21 PM 11352]
S3 nisftk;nisftk;c:\windows\system32\drivers\nisftkl.sys [12/20/2007 12:54 PM 11344]
S3 nispdk;nispdk;c:\windows\system32\drivers\nispdkl.sys [1/7/2008 9:38 PM 11376]
S3 nissrk;nissrk;c:\windows\system32\drivers\nissrkl.sys [2/22/2008 8:25 AM 11336]
S3 nistc2k;nistc2k;c:\windows\system32\drivers\nistc2kl.sys [1/7/2008 9:35 PM 11312]
S3 nistcrk;nistcrk;c:\windows\system32\drivers\nistcrkl.sys [2/14/2008 5:58 PM 11360]
S3 niswdk;niswdk;c:\windows\system32\drivers\niswdkl.sys [1/2/2008 10:14 AM 11336]
S3 nitiork;nitiork;c:\windows\system32\drivers\nitiorkl.sys [2/19/2008 8:56 PM 11360]
S3 niufurk;niufurk;c:\windows\system32\drivers\niufurkl.sys [2/22/2008 8:25 AM 11368]
S3 NiViFWK;NI-VISA FireWire Driver;c:\windows\system32\drivers\NiViFWKl.sys [7/19/2007 8:48 AM 11384]
S3 NiViPciK;NI-VISA PCI Driver;c:\windows\system32\drivers\NiViPciKl.sys [7/19/2007 8:56 AM 11360]
S3 niwfrk;niwfrk;c:\windows\system32\drivers\niwfrkl.sys [2/22/2008 8:25 AM 11336]
S3 nixsrk;nixsrk;c:\windows\system32\drivers\nixsrkl.sys [2/22/2008 8:25 AM 11336]
S3 rismc32;RICOH Smart Card Reader;c:\windows\system32\drivers\rismc32.sys [3/27/2007 10:19 AM 47616]
S3 usb6xxxk;usb6xxxk;\??\c:\windows\system32\drivers\usb6xxxkl.sys --> c:\windows\system32\drivers\usb6xxxkl.sys [?]
S3 usb6xxxkw;usb6xxxkw;c:\windows\system32\drivers\usb6xxxkw.sys [7/10/2008 8:38 AM 11312]
.
Contents of the 'Scheduled Tasks' folder

2009-07-18 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-02-12 22:54]

2009-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 14:21]

2009-07-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-16 14:21]

2009-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-72706444-2128956082-1402864335-27204Core.job
- c:\documents and settings\DS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 21:57]

2009-07-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-72706444-2128956082-1402864335-27204UA.job
- c:\documents and settings\DS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 21:57]

2009-07-17 c:\windows\Tasks\Malwarebytes' Scheduled Scan for DS.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-06-02 20:36]

2009-07-18 c:\windows\Tasks\Malwarebytes' Scheduled Update for DS.job
- c:\program files\Malwarebytes' Anti-Malware\mbam.exe [2009-06-02 20:36]

2009-04-19 c:\windows\Tasks\Rescue Reminder for 2HAPS7NQ.job
- c:\program files\Maxtor\ManagerApp\MaxUtilities.exe [2008-07-21 23:52]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.med.com/
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Open in new background tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?bb4038b5d84247f081b4c4f7687f15fa
IE: Open in new foreground tab - c:\program files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?bb4038b5d84247f081b4c4f7687f15fa
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
FF - ProfilePath - c:\documents and settings\DS\Application Data\Mozilla\Firefox\Profiles\ch0ed4m9.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.med.com/
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff35\gears.dll
FF - component: c:\program files\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\documents and settings\DS\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\DS\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\echospin\npesProxy.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-18 01:08
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5700)
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\scardsvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE
c:\program files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\getvxworkshost_service\GetVxWorksHost.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\windows\system32\qosservm.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\lkads.exe
c:\windows\system32\lktsrv.exe
c:\program files\Maxtor\Sync\SyncServices.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\National Instruments\MAX\nimxs.exe
c:\program files\National Instruments\Shared\Security\nidmsrv.exe
c:\windows\system32\nisvcloc.exe
c:\program files\National Instruments\Shared\Tagger\tagsrv.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\CCM\clicomp\RemCtrl\Wuser32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\CCM\CcmExec.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\RButton.exe
c:\program files\Network Associates\Common Framework\Mctray.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\documents and settings\DS\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\iPod\bin\iPodService.exe
e:\portableapps\PortableApps.com\PortableAppsPlatform.exe
.
**************************************************************************
.
Completion time: 2009-07-18 1:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-18 08:13

Pre-Run: 15,451,246,592 bytes free
Post-Run: 15,896,334,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

376 --- E O F --- 2009-07-06 12:03

Quote

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:50 AM, on 7/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE
C:\Program Files\ARX\ARX CryptoKit\utils\arcltsrv.exe
C:\Program Files\B's Recorder GOLD8\bgsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\GetVxWorksHost_Service\srvany.exe
C:\GetVxWorksHost_Service\GetVxWorksHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\WINDOWS\system32\QosServM.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lkads.exe
C:\WINDOWS\system32\lktsrv.exe
C:\Program Files\Maxtor\Sync\SyncServices.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\National Instruments\MAX\nimxs.exe
C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINDOWS\system32\nisvcloc.exe
C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe
C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\nipalsm.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Panasonic\WSwitch\WSwitch.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\FIDTPU\WIN2K\FTMSFLTU.EXE
C:\WINDOWS\system32\RButton.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\RightFax\Client\English\FaxCtrl.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Documents and Settings\DS\Local Settings\Application Data\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
E:\PortableApps\PortableApps.com\PortableAppsPlatform.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.med.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O2 - BHO: AvayaIEHlprObj Class - {E6DF0B46-7D6F-407A-A6A2-62D17A021A9A} - C:\Program Files\Avaya\Avaya IP Softphone\AvayaWebDial.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [WSwitch] C:\Program Files\Panasonic\WSwitch\WSwitch.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Panasonic Hotkey Manager] C:\Program Files\Panasonic\Hotkey Appendix\HKEYAPP.EXE
O4 - HKLM\..\Run: [PCinfo] C:\Program Files\Panasonic\pcinfo\PcInfoUt.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [FTMSFLT(USB)] C:\Program Files\FIDTPU\WIN2K\FTMSFLTU.EXE
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [PWRESET] C:\Program Files\Avaya\Avaya IP Softphone\IP Service Provider\pwreset.exe
O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\Client\English\FaxCtrl.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [PRunOnce] C:\util\prunonce\PRunOnce.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\DS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: StartPortableApps.lnk = E:\StartPortableApps.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?bb4038b5d84247f081b4c4f7687f15fa
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?bb4038b5d84247f081b4c4f7687f15fa
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com (HKLM)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=58813
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243963751735
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1243963674594
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = na.med.com
O17 - HKLM\Software\..\Telephony: DomainName = na.med.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = na.med.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = na.med.com
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ARcltsrv - Algorithmic Research Ltd. - C:\Program Files\ARX\ARX CryptoKit\utils\ARCLTSRV.EXE
O23 - Service: B's Recorder GOLD Service (bgsvc) - B.H.A Corporation - C:\Program Files\B's Recorder GOLD8\bgsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Program Files\Brother\BRAdmin Professional 3\bratimer.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - E:\xampp\filezillaftp\filezillaserver.exe
O23 - Service: GetVxWorksHost - Unknown owner - C:\GetVxWorksHost_Service\srvany.exe
O23 - Service: Google Update Service (gupdate1c9be9eb2736671) (gupdate1c9be9eb2736671) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iClarityQoSService - AVAYA Communication - C:\WINDOWS\system32\QosServM.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINDOWS\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments Corporation - C:\WINDOWS\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments Corporation - C:\WINDOWS\system32\lktsrv.exe
O23 - Service: Maxtor Service (Maxtor Sync Service) - Seagate Technology LLC - C:\Program Files\Maxtor\Sync\SyncServices.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: NI Configuration Manager (mxssvr) - National Instruments Corporation - C:\Program Files\National Instruments\MAX\nimxs.exe
O23 - Service: NI Device Loader (nidevldu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments Corporation - C:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - C:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI PXI Resource Manager (nipxirmu) - National Instruments Corporation - C:\WINDOWS\system32\nipalsm.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINDOWS\system32\nisvcloc.exe
O23 - Service: National Instruments Variable Engine (NITaggerService) - National Instruments, Inc. - C:\Program Files\National Instruments\Shared\Tagger\tagsrv.exe
O23 - Service: Panasonic PC Information Viewer Service 2 (PcInfoPi) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoPi.exe
O23 - Service: Panasonic PC Information Viewer (PcInfoSV) - Matsushita Electric Industrial Co., Ltd. - C:\Program Files\Panasonic\pcinfo\PCInfoSV.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sentinel Keys Server (SentinelKeysServer) - SafeNet, Inc. - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Keys Server\sntlkeyssrvr.exe
O23 - Service: Sentinel Protection Server (SentinelProtectionServer) - SafeNet, Inc - C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 19702 bytes

#4
Tigger93
Posted 19 July 2009 - 04:28 PM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Go start -> run and type in combofix /u and press OK.

Everything looks good. Are you still having any problems?

#5
Morry
Posted 20 July 2009 - 08:14 PM

    New Member

  • Members
  • Pip
  • 4 posts
This was not a good experience for me.
After doing as you initially suggested and rebooting, my PC started having some troubling issues.
First I noticed my MSSQL server stopped working. Then my Intel Pro Wireless wasn't working and my DNS settings got reset preventing me from browsing the internet. Next I noticed Remote Desktop Connections stopped working.

I tried a few things in an effort to fix my new problems and was still left with the MSSQL & RDC issues.
I ran MBAM again and got the following log:

Quote

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 5.1.2600 Service Pack 3

7/19/2009 1:17:24 PM
mbam-log-2009-07-19 (13-17-24).txt

Scan type: Quick Scan
Objects scanned: 130429
Time elapsed: 11 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 3
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twext.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twext.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twext.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\twain_32 (Backdoor.Bot) -> Delete on reboot.
C:\Documents and Settings\LocalService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Application Data\twain_32 (Spyware.Zbot) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\twain_32\local.ds (Backdoor.Bot) -> Delete on reboot.
c:\WINDOWS\system32\twain_32\user.ds (Backdoor.Bot) -> Delete on reboot.
c:\documents and settings\localservice\application data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\twain_32\user.ds (Spyware.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\twext.exe (Backdoor.Bot) -> Delete on reboot.

I can't be certain that combofix caused all the problems as I did a few things while trying to correct my PC issues, but it is more than a little disconcerting. After allowing MBAM to clean the infected items and rebooting, my RDC began working again.
Now I'm still stuck with a hosed MSSQL Server that will require a re-install.

#6
Tigger93
Posted 21 July 2009 - 12:03 AM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
It's not Combofix that caused this, you somehow got reinfected between your last post.

Please update Malwarebytes, run a quick scan and post the new log.

#7
Morry
Posted 21 July 2009 - 03:13 AM

    New Member

  • Members
  • Pip
  • 4 posts
I don't know if Combofix caused the infections, but it did screw up my MSSQL server, Remote Desktop, and cause my networking problems.

Quote

Malwarebytes' Anti-Malware 1.39
Database version: 2468
Windows 5.1.2600 Service Pack 3

7/20/2009 8:12:31 PM
mbam-log-2009-07-20 (20-12-31).txt

Scan type: Quick Scan
Objects scanned: 138217
Time elapsed: 8 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#8
Tigger93
Posted 21 July 2009 - 01:36 PM

    Forum Deity

  • Moderators
  • PipPipPipPipPipPip
  • 1,648 posts
  • Gender:Male
Combofix didn't cause your infections nor your issues. Again, you somehow managed to get reinfected from either not all the malware being removed or you came across it between when you posted last. The fact that things started working again after running Malwarebytes shows the malware was causing the issues - not combofix.

Either way, I see nothing wrong. Are you still having any problems?
Back to Resolved HijackThis Logs · Next Unread Topic →


1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Malwarebytes Forum
  2. Computer Help
  3. Malware Removal - HijackThis Logs
  4. Resolved HijackThis Logs

Products

About

Partners

Follow Us