
Malwarebytes

system32/regedit and oashdihasidhasuidhiasdhiashdiuasdhasd


6 replies to this topic

#1
mattdavis (New Member, 4 posts)

Hello,

I hope I am in the correct place; I followed the "I'm infected" link from another part of this site. I am having a problem with the constant return of these two items:


1) C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (a 1k file)
2) HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32

I removed the actual Regedit trojan program (c:\windows\system32\regedit.exe) being called by the Run command. The registry entry continues to return, but it references a program that no longer exists and has not returned (after my one deletion). mbam will remove these two items, which prevents the repeated attempts to add the registry key (#2 above) and removes oashdihasidhasuidhiasdhiashdiuasdhasd ...until the next reboot.

I have had WinPatrol installed for years and it keeps catching this regedit addition to startup. If I disallow its addition, it comes back every 3 minutes or so. Since WinPatrol keeps catching the registry addition every 3 minutes or so, I thought I could just start killing off services and programs until the attempts to re-add it ended, thus revealing the offending program. I stopped every running service, and then every running program via Task Manager, that could be stopped without crashing or shutting down Windows, yet the registry entry persisted like clockwork. If I let mbam remove these (which it lists as Trace.Pandex), it does stop the attempts right then... until reboot. I also used WinPatrol to disable every startup program and switched some non-critical services from Automatic to Manual, but this did not prevent the re-infection.

I am running Windows XP Pro with all possible updates from Microsoft (other than IE8) on a Dell D620 laptop. I also have Ad-Aware installed, but I think it either does the same as mbam or does not find them. Trend Micro anti-virus does not find anything. I made sure these two and mbam have up-to-date definition files.


Per the instructions of the page linking me here, I am pasting the HijackThis log and the mbam log. Both of these logs show Trace.Pandex present; if I allow mbam to clean it, I think the initial reboot is clean and mbam finds nothing, but a subsequent reboot will have them back, identical to the previous infection.

Thanks! ---Matt Davis


-------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2710
Windows 5.1.2600 Service Pack 3

8/28/2009 9:25:53 PM
mbam-log-2009-08-28 (21-25-48).txt

Scan type: Quick Scan
Objects scanned: 128313
Time elapsed: 8 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Regedit32 (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd (Trace.Pandex) -> No action taken.

---------------------------------------------------------------------------------------------------------------------------------------------------------------------


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:16:00 PM, on 8/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\TechSmith\SnagIt\SnagIt32.exe
C:\Program Files\POP Peeper\poppeeper.exe
C:\Program Files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\OLAP\bin\msmdsrv.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\SFU\common\rshsvc.exe
C:\tm\tmsimg\bin\startsvc.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\WINDOWS\system32\svchost.exe
C:\tm\tmsimg\bin\ftsrvr.exe
C:\WINDOWS\system32\PSXRUN.EXE
C:\WINDOWS\system32\psxss.exe
C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\SFU\usr\sbin\zzInterix
C:\SFU\usr\sbin\init
C:\SFU\usr\sbin\inetd
C:\SFU\Mapper\mapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\SFU\usr\sbin\cron
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\TEMP\KV2D5.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6060927
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6060927
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [Regedit32] C:\WINDOWS\system32\regedit.exe
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - Startup: beep.bat
O4 - Startup: POP Peeper.lnk = C:\Program Files\POP Peeper\POPPeeper.exe
O4 - Global Startup: SnagIt 5.lnk = C:\Program Files\TechSmith\SnagIt\SnagIt32.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://cag1.intd.com/CitrixSessionInit/ICA...ca32/wficat.cab
O16 - DPF: {44C1E3A2-B594-401C-B27A-D1B4476E4797} (XTSAC Control) - https://sslvpn.skinn...s.net/XTSAC.cab
O16 - DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} (LinksysViewer Control) - http://71.8.85.66:10...nksysViewer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://mcleodsoftware.webex.com/client/T26...bex/ieatgpc.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tmscorp.com
O17 - HKLM\Software\..\Telephony: DomainName = tmscorp.com
O20 - AppInit_DLLs:
O23 - Service: BitDefender Deployment Service (bddepsrv) - Unknown owner - C:\WINDOWS\_BDDEP_\bddepsrv.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: dlbu_device - - C:\WINDOWS\system32\dlbucoms.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McLeod Imaging Server (FTSRVR) - Unknown owner - C:\tm\tmsimg\bin\ftsrvrsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LME 9.0 - Unknown owner - c:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe (file missing)
O23 - Service: LME 9.1 - - c:\mcleod_910\Win2000_tools\scheduler_service\LMESchedulerService.exe
O23 - Service: LME Scheduler (demo_820) - Unknown owner - c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe (file missing)
O23 - Service: NICCONFIGSVC - Unknown owner - C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe (file missing)
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: ObjectStore Cache Manager R6.0 - Unknown owner - C:\ODI\OStore\BIN\OSCMGR6.EXE (file missing)
O23 - Service: ObjectStore Server R6.0 - Unknown owner - C:\ODI\OStore\BIN\OSSERVER.EXE (file missing)
O23 - Service: Imaging Services Starter (Service1) - Unknown owner - C:\tm\tmsimg\bin\startsvc.exe
O23 - Service: PC*MILER TCP/IP Interface (tcpsvc) - Unknown owner - C:\Program Files\ALK Technologies\Tolls190\TCPIP\tcpsvc.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe

--
End of file - 8315 bytes
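
A log-triage script over the HijackThis format pasted above, added here as an illustration; it is not part of this thread and not code from HijackThis, Malwarebytes or WinPatrol. It parses the "Running processes", O4 (autostart) and O23 (service) lines and applies three defensive heuristics: a well-known Windows system binary name sitting outside its normal directory (the Regedit32 Run value points at system32\regedit.exe, while Windows XP keeps regedit.exe in C:\WINDOWS), an executable running from a TEMP directory, and a service whose file is missing. The table of expected home directories, the assumption that %WINDIR% is C:\WINDOWS, and the trimmed sample log lines (copied from the post) are this example's own assumptions.

```python
"""Triage pass over HijackThis-format log lines (added example, not tool code).

Flags a few things a helper looks for by eye: system-binary names outside their
home directory, executables under TEMP, and services whose file is missing.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: %WINDIR% is C:\WINDOWS, as in the posted log. Home directories of
# a few Windows XP system binaries; the same file name living anywhere else
# (e.g. system32\regedit.exe) is a masquerade worth a close look.
WINDIR = r"c:\windows"
EXPECTED_HOME = {
    "regedit.exe": WINDIR,
    "explorer.exe": WINDIR,
    "svchost.exe": WINDIR + r"\system32",
    "lsass.exe": WINDIR + r"\system32",
    "winlogon.exe": WINDIR + r"\system32",
    "smss.exe": WINDIR + r"\system32",
}
# Directory fragments that should not host anything that runs at startup.
TEMP_DIRS = (WINDIR + r"\temp", r"\local settings\temp")

# Drive-letter path up to the first executable-looking extension; tolerates an
# opening quote and trailing arguments such as " -HideWindow".
_IMAGE_RE = re.compile(r'^"?(?P<path>[a-z]:\\.+?\.(?:exe|bat|cmd|com|scr|dll|vbs|pif))', re.I)

# Constructed sample in HijackThis v2 layout, paths copied from the thread's log.
SAMPLE_HJT_LOG = """\
Running processes:
C:\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\svchost.exe
C:\\WINDOWS\\TEMP\\KV2D5.EXE
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

O4 - HKLM\\..\\Run: [WinPatrol] C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe -expressboot
O4 - HKLM\\..\\Run: [OfficeScanNT Monitor] "C:\\Program Files\\Trend Micro\\OfficeScan Client\\pccntmon.exe" -HideWindow
O4 - HKLM\\..\\Run: [Regedit32] C:\\WINDOWS\\system32\\regedit.exe
O4 - Startup: beep.bat
O23 - Service: NICCONFIGSVC - Unknown owner - C:\\Program Files\\Dell\\QuickSet\\NICCONFIGSVC.exe (file missing)
O23 - Service: LME 9.1 - - c:\\mcleod_910\\Win2000_tools\\scheduler_service\\LMESchedulerService.exe
"""


@dataclass
class Finding:
    severity: str   # "high" = act on it, "review" = dangling entry to clean up
    rule: str
    evidence: str


def image_path(command: str) -> Optional[str]:
    """Extract the lower-cased executable path from an O4 command line."""
    m = _IMAGE_RE.match(command.strip())
    return m.group("path").lower() if m else None


def parse_hjt(text: str) -> dict:
    """Split a HijackThis log into running processes, O4 autostarts and O23 services."""
    procs, autostarts, services = [], [], []
    in_procs = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:                      # the process block ends at the first blank line
            if line:
                procs.append(line)
            else:
                in_procs = False
            continue
        m = re.match(r"^O4 - (?P<loc>[^:]+): (?P<rest>.+)$", line)
        if m:
            rest = m.group("rest")
            n = re.match(r"^\[(?P<name>[^\]]+)\] (?P<cmd>.+)$", rest)
            if n:                          # registry Run/RunOnce value
                autostarts.append((m.group("loc"), n.group("name"), image_path(n.group("cmd"))))
            else:                          # Startup-folder item, "name.lnk = target"
                name, _, target = rest.partition(" = ")
                autostarts.append((m.group("loc"), name, image_path(target) if target else None))
            continue
        # Owner field may be empty ("LME 9.1 - - c:\..."), so anchor on the drive letter.
        m = re.match(r"^O23 - Service: (?P<name>.+?) - .*?(?P<path>[a-z]:\\.+)$", line, re.I)
        if m:
            services.append((m.group("name"), m.group("path")))
    return {"processes": procs, "autostarts": autostarts, "services": services}


def triage(text: str) -> list:
    """Run the heuristics over a log and return findings, "high" severity first."""
    parsed = parse_hjt(text)
    findings = []

    def check_image(path: Optional[str], context: str) -> None:
        if not path:
            return
        directory, _, base = path.rpartition("\\")
        home = EXPECTED_HOME.get(base)
        if home is not None and directory != home:
            findings.append(Finding("high", "system binary name outside its home directory", context))
        if any(t in directory for t in TEMP_DIRS):
            findings.append(Finding("high", "executable running from a TEMP directory", context))

    for proc in parsed["processes"]:
        check_image(proc.lower(), proc)
    for loc, name, path in parsed["autostarts"]:
        check_image(path, f"O4 {loc} [{name}] -> {path}")
    for name, path in parsed["services"]:
        if path.lower().endswith("(file missing)"):
            findings.append(Finding("review", "service points at a missing file", f"O23 {name} -> {path}"))
    findings.sort(key=lambda f: f.severity != "high")   # stable: "high" first
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.evidence}")
```

On the sample this reports two "high" findings (the Regedit32 value pointing at system32\regedit.exe and KV2D5.EXE running from C:\WINDOWS\TEMP) and one "review" finding (the NICCONFIGSVC service with its file missing). The heuristics only surface what the log already shows: a TEMP hit is a prompt to inspect the file, not a verdict, and missing-file services are dangling entries to clean up rather than evidence of infection.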

#2
Katana (True Member, Experts, 387 posts, Male, Manchester UK)

Please note that all instructions given are customised for this computer only,
the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  • Please Read All Instructions Carefully
  • If you don't understand something, stop and ask! Don't keep going on.
  • Please do not run any other tools or scans whilst I am helping you
  • Failure to reply within 5 days will result in the topic being closed.
  • Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly.

Some of the logs I request will be quite large; you may need to split them over a couple of replies.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe

----------------------------------------------------------------------------------------

Is this a Work computer ?


Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop

  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

  • Double click combofix.exe & follow the prompts.

  • When finished, it will produce a log. Please save that log to post in your next reply

  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs

PM's for help will be ignored

#3
mattdavis (New Member, 4 posts)

Hello Katana,

Thank you for the reply. A few things:
I could not seem to get Trend Micro to go away totally; I saw no evidence of it running. The programs known to me to belong to it were not running, and there was no systray icon. Obviously it was running. The oashdi... did come back after ComboFix.exe ran and a reboot.

Thanks; here is the ComboFix log:



ComboFix 09-09-01.04 - mattd 09/01/2009 21:16.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.501 [GMT -5:00]
Running from: c:\documents and settings\mattd\My Documents\Downloads\ComboFix.exe
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {806EEB56-F26D-4ADC-9880-7088DDA66B8D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\oashdihasidhasuidhiasdhiashdiuasdhasd
c:\windows\Installer\10b7b.msi
c:\windows\Installer\32a79.msi
c:\windows\Installer\77509.msi
c:\windows\Installer\77ed7f0.msp
c:\windows\Installer\882d04e.msp
c:\windows\Installer\d68665.msp
c:\windows\system32\Drivers\hxcqis.sys

----- BITS: Possible infected sites -----

hxxp://backup

.
((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-08-31 20:52 . 2009-08-31 20:52 -------- d-----w- C:\bol
2009-08-30 23:55 . 2009-08-31 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-08-30 23:55 . 2009-09-01 15:01 179792 ----a-w- c:\windows\system32\guard32.dll
2009-08-30 23:55 . 2009-09-01 15:01 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-08-30 23:55 . 2009-09-01 15:01 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-08-30 23:55 . 2009-09-01 15:01 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-08-30 23:55 . 2009-08-30 23:55 -------- d-----w- c:\program files\COMODO
2009-08-30 03:47 . 2009-08-30 03:47 -------- d-----w- c:\program files\Windows Defender
2009-08-27 12:21 . 2009-09-02 01:48 94016 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-08-27 12:21 . 2009-09-02 01:48 94016 ----a-w- c:\windows\system32\dllcache\agp440.sys
2009-08-27 12:08 . 2009-08-27 12:08 -------- d-----w- c:\documents and settings\mattd\Local Settings\Application Data\Microsoft Help
2009-08-27 11:53 . 2009-08-27 11:54 -------- d-----w- C:\b94fc99b4234241569f8
2009-08-27 11:52 . 2009-08-27 11:55 -------- d-----w- C:\af68abf42d22c0317532447fccccfb74
2009-08-24 01:04 . 2009-08-24 01:22 -------- d-----w- c:\windows\system32\NtmsData
2009-08-23 14:12 . 2009-08-25 17:22 44 ----a-w- c:\windows\system32\statistics.dat
2009-08-23 13:51 . 2009-08-25 17:20 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-08-23 13:51 . 2009-08-25 17:20 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\documents and settings\mattd\Application Data\Malwarebytes
2009-08-22 17:44 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 17:44 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 13:23 . 2009-08-31 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-18 17:44 . 2009-08-18 17:44 -------- d-----w- c:\program files\Active Data Recovery Software
2009-08-17 19:06 . 2009-08-17 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-08-17 19:06 . 2009-08-17 19:06 -------- d-----w- c:\documents and settings\mattd\Local Settings\Application Data\TechSmith
2009-08-13 14:45 . 2009-08-13 14:45 -------- d-----w- c:\documents and settings\mattd\$USERHOME
2009-08-13 02:29 . 2009-06-12 12:31 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe
2009-08-13 02:29 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe
2009-08-13 02:28 . 2009-06-10 06:14 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll
2009-08-13 02:28 . 2009-06-10 14:13 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-08-13 02:27 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll
2009-08-13 02:27 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-13 02:25 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-13 02:24 . 2009-06-25 08:25 54272 ------w- c:\windows\system32\dllcache\wdigest.dll
2009-08-13 02:24 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-13 02:24 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-13 02:24 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll
2009-08-10 18:35 . 2009-08-10 18:35 721912 ----a-w- c:\documents and settings\mattd\gotomypc_428.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 15:51 . 2009-03-05 15:47 -------- d-----w- c:\documents and settings\mattd\Application Data\SmartDraw
2009-08-29 02:15 . 2009-04-22 14:11 -------- d-----w- c:\program files\Trend Micro
2009-08-29 00:20 . 2009-03-24 02:24 -------- d-----w- c:\program files\Common Files\Remote Control Software Common
2009-08-27 12:13 . 2007-10-01 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-27 12:07 . 2007-10-01 21:14 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-27 11:09 . 2009-08-27 11:09 324 ----a-w- c:\program files\vnqlxzgb.txt
2009-08-26 14:33 . 2006-09-27 08:13 -------- d-----w- c:\program files\CyberLink
2009-08-26 14:33 . 2006-09-27 08:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 14:32 . 2009-06-11 17:47 -------- d-----w- c:\program files\Citrix
2009-08-26 00:07 . 2004-08-11 22:00 626336 ----a-w- c:\windows\system32\drivers\ntfs.sys
2009-08-25 00:34 . 2009-04-04 04:05 -------- d-----w- c:\documents and settings\mattd\Application Data\BitTorrent
2009-08-17 19:06 . 2009-03-05 22:40 -------- d-----w- c:\program files\TechSmith
2009-08-17 19:03 . 2007-11-20 20:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-17 16:09 . 2006-11-13 16:14 -------- d-----w- c:\program files\AniTa
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 01:03 . 2009-07-28 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-07-28 20:00 . 2009-07-28 20:00 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-28 19:59 . 2009-07-28 19:59 -------- d-----w- c:\program files\Rosetta Stone
2009-07-20 02:45 . 2009-04-08 00:14 -------- d-----w- c:\program files\JukeItUp Ecstasy Edition
2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 23:06 . 2009-07-16 23:06 -------- d-----w- c:\program files\Microsoft Works
2009-07-16 17:16 . 2009-07-16 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-07-16 17:13 . 2009-07-16 17:13 -------- d-----w- c:\program files\Avanquest update
2009-07-16 17:13 . 2009-07-16 17:13 -------- d-----w- c:\program files\Motorola Phone Tools
2009-07-13 15:08 . 2004-08-11 22:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-11 22:00 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-11 22:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 22:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 22:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-11 22:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 22:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-11 22:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 13:40 . 2009-06-16 13:40 1498149 ----a-w- C:\xp32.zip
2009-06-12 12:31 . 2004-08-11 22:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-11 22:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 17:46 . 2009-06-11 17:46 60744 ----a-w- c:\documents and settings\mattd\g2mdlhlpx.exe
2009-06-10 14:19 . 2004-08-11 22:11 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-11 22:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2006-10-11 08:04 . 2006-11-13 16:17 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2006-11-13 16:17 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2006-11-13 16:17 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2006-11-13 16:17 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2006-11-13 16:17 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

------- Sigcheck -------

[-] 2007-02-09 11:23 574976 05AB81909514BFD69CBB1F2C147CF6B9 c:\windows\$hf_mig$\KB930916\SP2QFE\ntfs.sys
[-] 2007-02-09 11:10 574464 19A811EF5F1ED5C926A028CE107FF1AF c:\windows\$NtServicePackUninstall$\ntfs.sys
[7] 2004-08-04 10:00 574592 B78BE402C3F63DD55521F73876951CDD c:\windows\$NtUninstallKB930916$\ntfs.sys
[7] 2008-04-14 05:45 574976 78A08DD6A8D65E697C18E1DB01C5CDCA c:\windows\ServicePackFiles\i386\ntfs.sys
[-] 2009-08-26 00:07 626336 96CC8F3C8E1FF18ECA8F0F1402CA991B c:\windows\system32\drivers\ntfs.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-02-18 709928]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-01 1796368]

c:\documents and settings\mattd\Start Menu\Programs\Startup\
beep.bat [2009-3-12 13]
POP Peeper.lnk - c:\program files\POP Peeper\POPPeeper.exe [2009-1-21 1470464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SnagIt 5.lnk - c:\program files\TechSmith\SnagIt\SnagIt32.exe [2009-8-24 1179648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ pswdsync scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\0\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\1\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1167\Scripts\Logon\0\0]
"Script"=connectXDrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\0\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\1\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"<NO NAME>"=
"61153:TCP"= 61153:TCP:Trend Micro OfficeScan Listener

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/30/2009 6:55 PM 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/30/2009 6:55 PM 25160]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [4/6/2009 5:42 PM 8576]
R2 msftesql$UC2007;SQL Server FullText Search (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [8/26/2005 4:00 PM 92880]
R2 MSOLAP$UC2007;SQL Server Analysis Services (UC2007);c:\program files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe [10/14/2005 3:46 AM 14557912]
R2 MSSQL$UC2007;SQL Server (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 3:51 AM 28768528]
R2 RshSvc;Remote Shell Service;c:\sfu\common\rshsvc.exe [11/8/2003 2:46 PM 16800]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [11/26/2008 1:42 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/26/2008 1:42 PM 36368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 zzInterix;Interix Subsystem Startup;c:\windows\system32\PSXRUN.EXE [11/8/2003 2:45 PM 66480]
R3 Portmap;Portmap;c:\windows\system32\drivers\portmap.sys [11/8/2003 2:42 PM 35072]
R3 PsxDrv;PsxDrv;c:\windows\system32\drivers\PSXDRV.SYS [11/8/2003 2:45 PM 6128]
R3 RpcXdr;RpcXdr;c:\windows\system32\drivers\rpcxdr.sys [11/8/2003 2:42 PM 55872]
S2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [11/19/2007 3:57 PM 8704]
S2 Mapsvc;User Name Mapping;c:\sfu\Mapper\mapsvc.exe [11/8/2003 2:42 PM 111728]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [10/14/2005 3:45 AM 199384]
S2 ObjectStore Cache Manager R6.0;ObjectStore Cache Manager R6.0;c:\odi\OStore\BIN\OSCMGR6.EXE --> c:\odi\OStore\BIN\OSCMGR6.EXE [?]
S2 ObjectStore Server R6.0;ObjectStore Server R6.0;c:\odi\OStore\BIN\OSSERVER.EXE --> c:\odi\OStore\BIN\OSSERVER.EXE [?]
S2 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2/18/2009 12:27 PM 652552]
S3 bddepsrv;BitDefender Deployment Service;c:\windows\_BDDEP_\bddepsrv.exe [3/4/2009 5:09 PM 118112256]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 FTSRVR;McLeod Imaging Server;c:\tm\tmsimg\bin\ftsrvrsvc.exe [2/6/2009 10:00 AM 629248]
S3 LME 9.0;LME 9.0;c:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe --> c:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe [?]
S3 LME 9.1;LME 9.1;c:\mcleod_910\Win2000_tools\scheduler_service\LMESchedulerService.exe [2/4/2009 10:30 AM 32768]
S3 LME Scheduler (demo_820);LME Scheduler (demo_820);c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe --> c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe [?]
S3 SQLAgent$UC2007;SQL Server Agent (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE [10/14/2005 3:51 AM 318680]
S3 tcpsvc;PC*MILER TCP/IP Interface;c:\program files\ALK Technologies\Tolls190\TCPIP\tcpsvc.exe [11/13/2006 4:52 PM 16384]
S4 CronService;Windows Cron Service;c:\sfu\common\cron.exe [11/8/2003 2:46 PM 47536]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
S4 PerlSock;Perl Socket Service;c:\sfu\Perl\bin\PerlSock.exe [11/8/2003 3:05 PM 225357]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://71.8.85.66:1024/img/LinksysViewer.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 21:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\msftesql$UC2007]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:UC2007"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(1404)
c:\windows\system32\guard32.dll
c:\windows\system32\pswdsync.dll
.
Completion time: 2009-09-02 21:26
ComboFix-quarantined-files.txt 2009-09-02 02:26

Pre-Run: 23,681,200,128 bytes free
Post-Run: 26,700,255,232 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=AlwaysOff /fastdetect

260 --- E O F --- 2009-08-27 15:18

#4
Katana

    True Member

  • Experts
  • 387 posts
  • Gender:Male
  • Location:Manchester UK
A couple of questions for you ...
1) Is this an Office/Work Machine ?
2) Do you know what this file is for ? beep.bat
3) Do you know anything about the Logon scripts showing in your log ?

Quote

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\0\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\1\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1167\Scripts\Logon\0\0]
"Script"=connectXDrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\0\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\1\0]
"Script"=xdrivemapping.bat



----------------------------------------------------------------------------------------
Step 1

Custom CFScript
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://www.malwarebytes.org/forums/index.php?showtopic=22953&st=0&#entry118900
    Suspect::[4]
    c:\windows\system32\drivers\ntfs.sys
    c:\documents and settings\mattd\Start Menu\Programs\Startup\beep.bat
    c:\Program Files\vnqlxzgb.txt
    File::
    c:\Program Files\vnqlxzgb.txt
    FCopy::
    c:\windows\ServicePackFiles\i386\ntfs.sys|c:\windows\system32\drivers\ntfs.sys
    ADS::

  • Save this as CFScript.txt and place it on your desktop.


    Posted Image



  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.

  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.

  • **Note**
    When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
    • Ensure you are connected to the internet and click OK on the message box.

  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


----------------------------------------------------------------------------------------
Step 2

Kaspersky Online Scanner.
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on !
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


----------------------------------------------------------------------------------------
Logs/Information to Post in Reply
Please post the following logs/Information in your reply
Some of the logs I request will be quite large; you may need to split them over a couple of replies.
  • Combofix Log
  • Kaspersky Log
  • Contents of C:\Qoobox\Add-Remove Programs.txt
  • How are things running now ?

PM's for help will be ignored

#5
mattdavis

    New Member

  • Members
  • 4 posts

Katana, on Sep 2 2009, 05:35 AM, said:

A couple of questions for you ...
1) Is this an Office/Work Machine ?
2) Do you know what this file is for ? beep.bat
3) Do you know anything about the Logon scripts showing in your log ?

Hi again Katana,


1) It is a laptop that I use for the company I work for. It is on a domain often, but I have full perms. The only thing I can't do is manually stop TrendMicro, because it is passworded.
2) Beep.bat is nothing; it issues a single dos command. I wrote it myself to reset a data value.
3) The login scripts are for my office mapped network drive. They are safe.
4) "How is it running now?" ... it appears fine, but that is the odd thing about this; I can reboot a few times and it seems to come back. But for the moment, it seems fine.
5) Kaspersky did find a few things that all others missed.
6) This AM I was getting a blue screen (something to do with tcp/ip). I had to choose "use last known configuration", at which time, it booted fine.

Logs you requested:

Add-Remove:

7-Zip 4.65
AAC Decoder
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 6.0.1
ALK|FleetSuite Tolls 19
ALK|FleetSuite Tolls Streets 19.0
ALPS Touch Pad Driver
AniTa Terminal
Apple Software Update
AutoUpdate
Avanquest update
BitTorrent
Broadcom Advanced Control Suite
Cisco Systems VPN Client 4.8.00.0440
Command Prompt Here PowerToy
COMODO Internet Security
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
CutePDF Writer 2.7
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
FaxMan SDK V 4.1.2.0
FileSync
Foxit Reader
Fujitsu fi-4120C2
Google Chrome
Google Toolbar for Internet Explorer
GSview 4.8
H.264 Decoder
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix 2055 for SQL Server 2000 ENU (KB960082)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Intel® Graphics Media Accelerator Driver
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 11
JukeItUp!
Kofax Scan Demo
Kofax TWAIN Data Source
LimeWire PRO 5.0.11
Logitech Harmony Remote Software 7
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office Basic Edition 2003
Microsoft Office PowerPoint 2003
Microsoft Office Visio Standard 2003
Microsoft Silverlight
Microsoft SQL Server 2005
Microsoft SQL Server 2005 (UC2007)
Microsoft SQL Server 2005 Analysis Services
Microsoft SQL Server 2005 Analysis Services (UC2007)
Microsoft SQL Server 2005 Backward compatibility
Microsoft SQL Server 2005 Books Online (English)
Microsoft SQL Server 2005 Integration Services
Microsoft SQL Server 2005 Notification Services
Microsoft SQL Server 2005 Tools
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual Studio 2005 Premier Partner Edition - ENU
Microsoft Visual Studio 2005 Premier Partner Edition - ENU Service Pack 1 (KB926601)
Microsoft Windows Services for UNIX
Microsoft Works 6-9 Converter
MKV Splitter
Motorola Driver Installation 3.7.0
Motorola Phone Tools
Mozilla Firefox (2.0)
MS Runtime
MSXML 6.0 Parser
NTRU Hybrid TSS v2.0.25
ObjectStore 6.2.1
Paint Shop Pro 7 Try And Buy
POP Peeper
QuickSet
QuickTime
Remote Control USB Driver
Rosetta Stone V3
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Sentinel System Driver
SmartDraw 6
SnagIt 5
SnagIt 9
SQLXML4
Starcraft
Target Context Menu (Remove Only)
Trend Micro OfficeScan Client
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB942763)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
VirtualReScan
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
VNC Free Edition 4.1.3
VRS Service Pack-1
WebEx
WebFldrs XP
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Service Pack 3
WinPatrol 2008

--------------------------------------------------------------------------------------
Combo Fix

ComboFix 09-09-01.08 - mattd 09/02/2009 17:34.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.434 [GMT -5:00]
Running from: c:\documents and settings\mattd\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\mattd\Desktop\CFScript.txt
AV: Trend Micro OfficeScan Antivirus *On-access scanning enabled* (Updated) {806EEB56-F26D-4ADC-9880-7088DDA66B8D}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

FILE ::
"c:\program files\vnqlxzgb.txt"

file zipped: c:\program files\vnqlxzgb.txt
file zipped: c:\windows\system32\drivers\ntfs.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\vnqlxzgb.txt

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\ntfs.sys --> c:\windows\system32\drivers\ntfs.sys
.
((((((((((((((((((((((((( Files Created from 2009-08-02 to 2009-09-02 )))))))))))))))))))))))))))))))
.

2009-08-31 20:52 . 2009-08-31 20:52 -------- d-----w- C:\bol
2009-08-30 23:55 . 2009-08-31 04:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-08-30 23:55 . 2009-09-01 15:01 179792 ----a-w- c:\windows\system32\guard32.dll
2009-08-30 23:55 . 2009-09-01 15:01 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-08-30 23:55 . 2009-09-01 15:01 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-08-30 23:55 . 2009-09-01 15:01 132168 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-08-30 23:55 . 2009-08-30 23:55 -------- d-----w- c:\program files\COMODO
2009-08-30 03:47 . 2009-08-30 03:47 -------- d-----w- c:\program files\Windows Defender
2009-08-27 12:21 . 2009-09-02 02:30 94016 ----a-w- c:\windows\system32\drivers\agp440.sys
2009-08-27 12:21 . 2009-09-02 02:30 94016 ----a-w- c:\windows\system32\dllcache\agp440.sys
2009-08-27 12:08 . 2009-08-27 12:08 -------- d-----w- c:\documents and settings\mattd\Local Settings\Application Data\Microsoft Help
2009-08-27 11:53 . 2009-08-27 11:54 -------- d-----w- C:\b94fc99b4234241569f8
2009-08-27 11:52 . 2009-08-27 11:55 -------- d-----w- C:\af68abf42d22c0317532447fccccfb74
2009-08-24 01:04 . 2009-08-24 01:22 -------- d-----w- c:\windows\system32\NtmsData
2009-08-23 14:12 . 2009-08-25 17:22 44 ----a-w- c:\windows\system32\statistics.dat
2009-08-23 13:51 . 2009-08-25 17:20 54 ----a-w- c:\windows\system32\rp_stats.dat
2009-08-23 13:51 . 2009-08-25 17:20 39 ----a-w- c:\windows\system32\rp_rules.dat
2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\documents and settings\mattd\Application Data\Malwarebytes
2009-08-22 17:44 . 2009-08-03 18:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-22 17:44 . 2009-08-22 17:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-22 17:44 . 2009-08-03 18:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-22 13:23 . 2009-08-31 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-08-18 17:44 . 2009-08-18 17:44 -------- d-----w- c:\program files\Active Data Recovery Software
2009-08-17 19:06 . 2009-08-17 19:06 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2009-08-17 19:06 . 2009-08-17 19:06 -------- d-----w- c:\documents and settings\mattd\Local Settings\Application Data\TechSmith
2009-08-13 14:45 . 2009-08-13 14:45 -------- d-----w- c:\documents and settings\mattd\$USERHOME
2009-08-13 02:29 . 2009-06-12 12:31 80896 ------w- c:\windows\system32\dllcache\tlntsess.exe
2009-08-13 02:29 . 2009-06-12 12:31 76288 ------w- c:\windows\system32\dllcache\telnet.exe
2009-08-13 02:28 . 2009-06-10 06:14 132096 ------w- c:\windows\system32\dllcache\wkssvc.dll
2009-08-13 02:28 . 2009-06-10 14:13 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-08-13 02:27 . 2009-07-17 19:01 58880 ------w- c:\windows\system32\dllcache\atl.dll
2009-08-13 02:27 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-13 02:25 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll
2009-08-13 02:24 . 2009-06-25 08:25 54272 ------w- c:\windows\system32\dllcache\wdigest.dll
2009-08-13 02:24 . 2009-06-25 08:25 136192 ------w- c:\windows\system32\dllcache\msv1_0.dll
2009-08-13 02:24 . 2009-06-24 11:18 92928 ------w- c:\windows\system32\dllcache\ksecdd.sys
2009-08-13 02:24 . 2009-06-25 08:25 301568 ------w- c:\windows\system32\dllcache\kerberos.dll
2009-08-10 18:35 . 2009-08-10 18:35 721912 ----a-w- c:\documents and settings\mattd\gotomypc_428.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-02 21:17 . 2009-03-05 15:47 -------- d-----w- c:\documents and settings\mattd\Application Data\SmartDraw
2009-08-29 02:15 . 2009-04-22 14:11 -------- d-----w- c:\program files\Trend Micro
2009-08-29 00:20 . 2009-03-24 02:24 -------- d-----w- c:\program files\Common Files\Remote Control Software Common
2009-08-27 12:13 . 2007-10-01 21:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-08-27 12:07 . 2007-10-01 21:14 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2009-08-26 14:33 . 2006-09-27 08:13 -------- d-----w- c:\program files\CyberLink
2009-08-26 14:33 . 2006-09-27 08:09 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-26 14:32 . 2009-06-11 17:47 -------- d-----w- c:\program files\Citrix
2009-08-25 00:34 . 2009-04-04 04:05 -------- d-----w- c:\documents and settings\mattd\Application Data\BitTorrent
2009-08-17 19:06 . 2009-03-05 22:40 -------- d-----w- c:\program files\TechSmith
2009-08-17 19:03 . 2007-11-20 20:55 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-17 16:09 . 2006-11-13 16:14 -------- d-----w- c:\program files\AniTa
2009-08-05 09:01 . 2004-08-11 22:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-29 01:03 . 2009-07-28 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Rosetta Stone
2009-07-28 20:00 . 2009-07-28 20:00 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-07-28 19:59 . 2009-07-28 19:59 -------- d-----w- c:\program files\Rosetta Stone
2009-07-20 02:45 . 2009-04-08 00:14 -------- d-----w- c:\program files\JukeItUp Ecstasy Edition
2009-07-17 19:01 . 2004-08-11 22:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-16 23:06 . 2009-07-16 23:06 -------- d-----w- c:\program files\Microsoft Works
2009-07-16 17:16 . 2009-07-16 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\BVRP Software
2009-07-16 17:13 . 2009-07-16 17:13 -------- d-----w- c:\program files\Avanquest update
2009-07-16 17:13 . 2009-07-16 17:13 -------- d-----w- c:\program files\Motorola Phone Tools
2009-07-13 15:08 . 2004-08-11 22:00 286720 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2004-08-11 22:00 827392 ------w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-11 22:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2004-08-11 22:00 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:25 . 2004-08-11 22:00 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2004-08-11 22:00 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2004-08-11 22:00 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2004-08-11 22:00 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2004-08-11 22:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2004-08-11 22:00 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-11 22:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2004-08-11 22:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2004-08-11 22:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 13:40 . 2009-06-16 13:40 1498149 ----a-w- C:\xp32.zip
2009-06-12 12:31 . 2004-08-11 22:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 12:31 . 2004-08-11 22:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-11 17:46 . 2009-06-11 17:46 60744 ----a-w- c:\documents and settings\mattd\g2mdlhlpx.exe
2009-06-10 14:19 . 2004-08-11 22:11 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 14:13 . 2004-08-11 22:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:14 . 2004-08-11 22:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2006-10-11 08:04 . 2006-11-13 16:17 61036 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-10-11 08:04 . 2006-11-13 16:17 48742 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-11 08:05 . 2006-11-13 16:17 29313 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2006-10-11 08:05 . 2006-11-13 16:17 41082 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2006-10-11 08:04 . 2006-11-13 16:17 166510 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-02_02.23.39 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-02 13:57 . 2009-09-02 13:57 16384 c:\windows\Temp\Perflib_Perfdata_4b0.dat
+ 2004-08-11 22:00 . 2008-04-14 05:45 574976 c:\windows\system32\dllcache\ntfs.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"OfficeScanNT Monitor"="c:\program files\Trend Micro\OfficeScan Client\pccntmon.exe" [2009-02-18 709928]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-09-01 1796368]

c:\documents and settings\mattd\Start Menu\Programs\Startup\
beep.bat [2009-3-12 13]
POP Peeper.lnk - c:\program files\POP Peeper\POPPeeper.exe [2009-1-21 1470464]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SnagIt 5.lnk - c:\program files\TechSmith\SnagIt\SnagIt32.exe [2009-8-24 1179648]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"disablecad"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ pswdsync scecli

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\0\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1124\Scripts\Logon\1\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-1167\Scripts\Logon\0\0]
"Script"=connectXDrive.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\0\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-606747145-630328440-1801674531-3673\Scripts\Logon\1\0]
"Script"=xdrivemapping.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone V3\\support\\bin\\RosettaStoneLtdServices.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"<NO NAME>"=
"61153:TCP"= 61153:TCP:Trend Micro OfficeScan Listener

R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [8/30/2009 6:55 PM 132168]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [8/30/2009 6:55 PM 25160]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [4/6/2009 5:42 PM 8576]
R2 Mapsvc;User Name Mapping;c:\sfu\Mapper\mapsvc.exe [11/8/2003 2:42 PM 111728]
R2 msftesql$UC2007;SQL Server FullText Search (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [8/26/2005 4:00 PM 92880]
R2 MSOLAP$UC2007;SQL Server Analysis Services (UC2007);c:\program files\Microsoft SQL Server\MSSQL.3\OLAP\bin\msmdsrv.exe [10/14/2005 3:46 AM 14557912]
R2 MSSQL$UC2007;SQL Server (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [10/14/2005 3:51 AM 28768528]
R2 RshSvc;Remote Shell Service;c:\sfu\common\rshsvc.exe [11/8/2003 2:46 PM 16800]
R2 TmFilter;Trend Micro Filter;c:\program files\Trend Micro\OfficeScan Client\TmXPFlt.sys [11/26/2008 1:42 PM 225296]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\Trend Micro\OfficeScan Client\tmpreflt.sys [11/26/2008 1:42 PM 36368]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R2 zzInterix;Interix Subsystem Startup;c:\windows\system32\PSXRUN.EXE [11/8/2003 2:45 PM 66480]
R3 Portmap;Portmap;c:\windows\system32\drivers\portmap.sys [11/8/2003 2:42 PM 35072]
R3 PsxDrv;PsxDrv;c:\windows\system32\drivers\PSXDRV.SYS [11/8/2003 2:45 PM 6128]
R3 RpcXdr;RpcXdr;c:\windows\system32\drivers\rpcxdr.sys [11/8/2003 2:42 PM 55872]
S2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [11/19/2007 3:57 PM 8704]
S2 MsDtsServer;SQL Server Integration Services;c:\program files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe [10/14/2005 3:45 AM 199384]
S2 ObjectStore Cache Manager R6.0;ObjectStore Cache Manager R6.0;c:\odi\OStore\BIN\OSCMGR6.EXE --> c:\odi\OStore\BIN\OSCMGR6.EXE [?]
S2 ObjectStore Server R6.0;ObjectStore Server R6.0;c:\odi\OStore\BIN\OSSERVER.EXE --> c:\odi\OStore\BIN\OSSERVER.EXE [?]
S2 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [2/18/2009 12:27 PM 652552]
S3 bddepsrv;BitDefender Deployment Service;c:\windows\_BDDEP_\bddepsrv.exe [3/4/2009 5:09 PM 118112256]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 FTSRVR;McLeod Imaging Server;c:\tm\tmsimg\bin\ftsrvrsvc.exe [2/6/2009 10:00 AM 629248]
S3 LME 9.0;LME 9.0;c:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe --> c:\mcleod_900\Win2000_tools\scheduler_service\LMEschedulerService.exe [?]
S3 LME 9.1;LME 9.1;c:\mcleod_910\Win2000_tools\scheduler_service\LMESchedulerService.exe [2/4/2009 10:30 AM 32768]
S3 LME Scheduler (demo_820);LME Scheduler (demo_820);c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe --> c:\mcleod_820\win2000_tools\scheduler_service\lmeschedulerservice.exe [?]
S3 SQLAgent$UC2007;SQL Server Agent (UC2007);c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE [10/14/2005 3:51 AM 318680]
S3 tcpsvc;PC*MILER TCP/IP Interface;c:\program files\ALK Technologies\Tolls190\TCPIP\tcpsvc.exe [11/13/2006 4:52 PM 16384]
S4 CronService;Windows Cron Service;c:\sfu\common\cron.exe [11/8/2003 2:46 PM 47536]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [12/2/2006 6:17 AM 2805000]
S4 PerlSock;Perl Socket Service;c:\sfu\Perl\bin\PerlSock.exe [11/8/2003 3:05 PM 225357]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bdx REG_MULTI_SZ scan
.
Contents of the 'Scheduled Tasks' folder

2009-09-02 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 00:20]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://71.8.85.66:1024/img/LinksysViewer.cab
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-02 17:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\msftesql$UC2007]
"ImagePath"="\"c:\program files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:UC2007"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\guard32.dll
c:\windows\system32\igfxdev.dll

- - - - - - - > 'lsass.exe'(1404)
c:\windows\system32\guard32.dll
c:\windows\system32\pswdsync.dll
.
Completion time: 2009-09-02 17:44
ComboFix-quarantined-files.txt 2009-09-02 22:44
ComboFix2.txt 2009-09-02 02:26

Pre-Run: 26,675,863,552 bytes free
Post-Run: 26,631,495,680 bytes free

246 --- E O F --- 2009-08-27 15:18
--------------------------------------------------------------------------------------------------


KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, September 2, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, September 03, 2009 00:36:06
Records in database: 2740933
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
X:\

Scan statistics:
Objects scanned: 153916
Threats found: 5
Infected objects found: 11
Suspicious objects found: 0
Scan duration: 03:44:17


File name / Threat / Threats count
C:\Documents and Settings\mattd\My Documents\Utilities\os\dmx10 - touch screen jukebox os.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 1
C:\Documents and Settings\mattd\My Documents\Utilities\os\dmx10 - touch screen jukebox os.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Documents and Settings\mattd\My Documents\Utilities\os\nec ready 120lt os.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 3
C:\mcleod_910\Win2000_tools\Install Files\tightvnc-1.2.3-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\mcleod_910\Win2000_tools\tightvnc-1.2.3-setup.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.ad 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ntfs.sys.vir Infected: Virus.Win32.Protector.c 1
C:\Qoobox\Quarantine\[4]-Submit_2009-09-02_17.33.48.zip Infected: Virus.Win32.Protector.c 1

Selected area has been scanned.

#6
Katana

    True Member

  • Experts
  • 387 posts
  • Gender:Male
  • Location:Manchester UK
Why on earth do you have P2P programs on a machine that you connect to an Office network ???

IMPORTANT
I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent
LimeWire PRO 5.0.11

I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall any P2P programs
Please note: you must NOT use any P2P whilst we are cleaning your machine.


Your Adobe Acrobat Reader is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Adobe Reader is a large program and uses unnecessary space.
If you prefer a smaller program you can get Foxit 3.0 from http://www.foxitsoft...df/rd_intro.php << Recommended

There is a newer version of Adobe Acrobat Reader available.
  • Please go to this link Adobe Acrobat Reader Download Link
  • Click Download
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts



Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please download Java SE Runtime Environment (JRE). (Don't install it yet.)
  • Scroll down to where it says "Java SE Runtime Environment (JRE)".
  • Click the "Download" button to the right.
    • Platform = Windows
    • Language = Multi Language
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

Now download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer (or other web browser) before continuing!***

  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

Now install the Java SE Runtime Environment (JRE) package you downloaded
(it comes with a toolbar pre-selected, so make sure you uncheck the box)

You can delete JavaRa (zip and exe)

----------------------------------------------------------------------------------------
Congratulations, your logs look clean :D

Let's see if I can help you keep it that way

First, let's tidy up.

Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the Run box and click OK. Note the space between the X and the /U; it needs to be there.

You can also delete any logs we have produced and any other tools we have downloaded.

-----------------------------------------------------------------------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecu....com/activescan
http://www.kaspersky.com/kos/eng/partner/7...kavwebscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have free (for Home Users) and paid versions;
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      • Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article: So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :)


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
PM's for help will be ignored
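Katana's list above recommends a startup monitor that "notifies you if programs are added to startup", and the thread itself started with a Run value (Run\Regedit32) that kept pointing at a program which had already been deleted. The script below is an added example of that kind of check, written for this page; it is not code from the thread, from Malwarebytes or from WinPatrol. It assumes PowerShell 2.0 or later on the machine, and the baseline file location under the user profile is an assumption chosen for illustration.

```powershell
# Added example (not from the thread, Malwarebytes or WinPatrol): snapshot the
# Run/RunOnce autostart keys, report entries added since the last snapshot, and
# report entries whose program no longer exists on disk.
# Assumes PowerShell 2.0+; the baseline path below is an assumption for illustration.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$BaselineFile = Join-Path $env:USERPROFILE 'autostart-baseline.csv'   # assumed location

function Get-ExecutableFromCommand([string]$cmd) {
    # Pull the program path out of a Run value: a quoted path, else the first
    # token that ends in .exe, else the first whitespace-delimited token.
    if ($cmd -match '^\s*"([^"]+)"')   { return $matches[1] }
    if ($cmd -match '^\s*(\S+?\.exe)')  { return $matches[1] }
    return ($cmd -split '\s+')[0]
}

function Get-AutostartEntries {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath metadata
            $cmd = [string]$p.Value
            $exe = Get-ExecutableFromCommand $cmd
            # A bare file name is resolved via PATH; anything with a directory part
            # is checked as a literal path after expanding %VARIABLES%.
            if ($exe -notmatch '[\\/]') {
                $exists = [bool](Get-Command $exe -ErrorAction SilentlyContinue)
            } else {
                $exists = Test-Path -LiteralPath ([Environment]::ExpandEnvironmentVariables($exe))
            }
            New-Object PSObject -Property @{
                Key = $key; Name = $p.Name; Command = $cmd; Exe = $exe; Exists = $exists
            }
        }
    }
}

function Compare-Autostart {
    # Returns entries that were not in the saved baseline (all entries on the first
    # run), then refreshes the baseline with the current state.
    $current = @(Get-AutostartEntries)
    $added = $current
    if (Test-Path $BaselineFile) {
        $old = @(Import-Csv $BaselineFile)
        if ($old.Count -gt 0) {
            $added = Compare-Object -ReferenceObject $old -DifferenceObject $current `
                         -Property Key, Name, Command |
                     Where-Object { $_.SideIndicator -eq '=>' }
        }
    }
    $current | Export-Csv -Path $BaselineFile -NoTypeInformation
    return $added
}

# One pass: anything that appeared since the last snapshot ...
$added = @(Compare-Autostart)
if ($added.Count -gt 0) {
    Write-Host "Autostart entries added since the last snapshot:"
    $added | Format-Table Key, Name, Command -AutoSize
}

# ... and anything whose program is missing on disk, which is exactly what the
# thread's Run\Regedit32 value looked like once the file had been deleted.
Write-Host "Autostart entries pointing at a program that does not exist:"
Get-AutostartEntries | Where-Object { -not $_.Exists } |
    Format-Table Key, Name, Command -AutoSize

# To watch on a timer the way a startup manager does, loop the comparison, e.g.
#   while ($true) { Compare-Autostart | Format-Table Key, Name, Command; Start-Sleep -Seconds 180 }
```

Run it once to write the baseline, then again (or on a loop, or from a scheduled task) to see what has changed; a value that reappears a few minutes after it was removed points to a process or service that is still running and re-creating it, which is the pattern described at the top of this thread. Unquoted commands whose path contains spaces are ambiguous, so for those the script falls back to the first token and may report the program as missing; check such lines by hand.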

#7
mattdavis

    New Member

  • Members
  • 4 posts

Katana, on Sep 3 2009, 04:51 AM, said:

Why on earth do you have P2P programs on a machine that you connect to an Office network ???

IMPORTANT
I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitTorrent
LimeWire PRO 5.0.11


Hello,

Ahhh...yes, P2P stuff. I wondered if that would come up. Thank you very much for your help. I will follow your recommendations and suggestions.

-Matt




