I Got Hammered

And HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:19:33 AM, on 2/8/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = Internet Explorer: Get It Now
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Microsoft Windows Update
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162430191151
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 8702 bytes
 
Download GooredFix and save it to your Desktop.
  • Select "2. Fix Goored" by typing 2 and pressing Enter. Make sure all instances of Firefox or IE are closed at this point. Type y at the prompt and press Enter again.
  • A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Then I need you to run Combofix once again and then Malwarebytes, in the order listed:

GooredFix
Combofix
Malwarebytes
 
GooredFix v1.83 by jpshortstuff
Log created at 18:27 on 09/02/2009 running Option #2 (Brian Markin)
Firefox version 2.0.0.20 (en-US)

=====Goored Deletions=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 2.0.0.20\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"remoteExt@emusic.com"="C:\Program Files\eMusic Remote\remoteExt"


ComboFix 07-08-09.3 - "Brian Markin" 2009-02-09 18:27:44.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.667 [GMT -5:00]


((((((((((((((((((((((((( Files Created from 2009-01-09 to 2009-02-09 )))))))))))))))))))))))))))))))


2009-02-07 12:53 94,720 --a------ C:\WINDOWS\system32\sdbinst.exe
2009-02-07 12:53 94,720 --a------ C:\WINDOWS\system32\dllcache\sdbinst.exe
2009-02-07 12:53 92,672 --a------ C:\WINDOWS\system32\locator.exe
2009-02-07 12:53 89,088 --a------ C:\WINDOWS\system32\blastcln.exe
2009-02-07 12:53 87,552 --a------ C:\WINDOWS\system32\dllcache\sigverif.exe
2009-02-07 12:53 85,504 --a------ C:\WINDOWS\system32\systeminfo.exe
2009-02-07 12:53 84,992 --a------ C:\WINDOWS\system32\openfiles.exe
2009-02-07 12:53 84,992 --a------ C:\WINDOWS\system32\dllcache\opnfiles.exe
2009-02-07 12:53 84,480 --a------ C:\WINDOWS\system32\rdshost.exe
2009-02-07 12:53 832,512 --a------ C:\WINDOWS\system32\dllcache\mmc.exe
2009-02-07 12:53 82,944 --a------ C:\WINDOWS\system32\wextract.exe
2009-02-07 12:53 82,944 --a------ C:\WINDOWS\system32\dllcache\wextract.exe
2009-02-07 12:53 81,408 --a------ C:\WINDOWS\system32\dllcache\cleanmgr.exe
2009-02-07 12:53 81,408 --a------ C:\WINDOWS\system32\cleanmgr.exe
2009-02-07 12:53 78,848 --a------ C:\WINDOWS\system32\dllcache\tlntadmn.exe
2009-02-07 12:53 77,824 --a------ C:\WINDOWS\system32\dllcache\msimn.exe
2009-02-07 12:53 761,344 --a------ C:\WINDOWS\system32\dllcache\helpsvc.exe
2009-02-07 12:53 75,264 --a------ C:\WINDOWS\system32\dllcache\spoolsv.exe
2009-02-07 12:53 74,752 --a------ C:\WINDOWS\system32\gpupdate.exe
2009-02-07 12:53 74,752 --a------ C:\WINDOWS\system32\dllcache\gpupdate.exe
2009-02-07 12:53 74,240 --a------ C:\WINDOWS\system32\dllcache\sol.exe
2009-02-07 12:53 73,216 --a------ C:\WINDOWS\system32\dllcache\ipconfig.exe
2009-02-07 12:53 69,120 --a------ C:\WINDOWS\system32\migpwd.exe
2009-02-07 12:53 67,584 --a------ C:\WINDOWS\system32\dllcache\reg.exe
2009-02-07 12:53 67,584 --a------ C:\WINDOWS\system32\dllcache\evcreate.exe
2009-02-07 12:53 66,560 --a------ C:\WINDOWS\system32\dllcache\rsm.exe
2009-02-07 12:53 66,560 --a------ C:\WINDOWS\system32\dllcache\powercfg.exe
2009-02-07 12:53 64,512 --a------ C:\WINDOWS\system32\dllcache\srdiag.exe
2009-02-07 12:53 63,488 --a------ C:\WINDOWS\system32\dllcache\wab.exe
2009-02-07 12:53 62,976 --a------ C:\WINDOWS\system32\drwtsn32.exe
2009-02-07 12:53 59,982 --a------ C:\WINDOWS\system32\dllcache\rvsezm.exe
2009-02-07 12:53 59,904 --a------ C:\WINDOWS\system32\dllcache\net.exe
2009-02-07 12:53 59,904 --a------ C:\WINDOWS\system32\dllcache\ftp.exe
2009-02-07 12:53 57,344 --a------ C:\WINDOWS\system32\dllcache\cmmon32.exe
2009-02-07 12:53 57,344 --a------ C:\WINDOWS\system32\cmmon32.exe
2009-02-07 12:53 556,032 --a------ C:\WINDOWS\system32\spider.exe
2009-02-07 12:53 556,032 --a------ C:\WINDOWS\system32\dllcache\spider.exe
2009-02-07 12:53 531,968 --a------ C:\WINDOWS\system32\logonui.exe
2009-02-07 12:53 531,968 --a------ C:\WINDOWS\system32\dllcache\logonui.exe
2009-02-07 12:53 53,248 --a------ C:\WINDOWS\system32\rcimlby.exe
2009-02-07 12:53 52,736 --a------ C:\WINDOWS\system32\dllcache\notiflag.exe
2009-02-07 12:53 51,200 --a------ C:\WINDOWS\system32\vssadmin.exe
2009-02-07 12:53 50,688 --a------ C:\WINDOWS\system32\dllcache\rundll32.exe
2009-02-07 12:53 50,688 --a------ C:\WINDOWS\system32\dllcache\clipsrv.exe
2009-02-07 12:53 49,664 --a------ C:\WINDOWS\system32\wpabaln.exe
2009-02-07 12:53 47,616 --a------ C:\WINDOWS\system32\dllcache\asr_fmt.exe
2009-02-07 12:53 451,072 --a------ C:\WINDOWS\system32\dllcache\wiaacmgr.exe
2009-02-07 12:53 43,520 --a------ C:\WINDOWS\system32\skeys.exe
2009-02-07 12:53 42,496 --a------ C:\WINDOWS\system32\lnkstub.exe
2009-02-07 12:53 41,984 --a------ C:\WINDOWS\system32\init32.exe
2009-02-07 12:53 406,016 --a------ C:\WINDOWS\system32\dllcache\cmd.exe
2009-02-07 12:53 40,448 --a------ C:\WINDOWS\system32\dllcache\setup.exe
2009-02-07 12:53 39,424 --a------ C:\WINDOWS\system32\dllcache\mpnotify.exe
2009-02-07 12:53 38,400 --a------ C:\WINDOWS\system32\dllcache\ssmarque.scr
2009-02-07 12:53 38,400 --a------ C:\WINDOWS\system32\dllcache\fontview.exe
2009-02-07 12:53 37,376 --a------ C:\WINDOWS\system32\ssbezier.scr
2009-02-07 12:53 37,376 --a------ C:\WINDOWS\system32\dllcache\ssbezier.scr
2009-02-07 12:53 364,544 --a------ C:\WINDOWS\system32\tourstart.exe
2009-02-07 12:53 364,544 --a------ C:\WINDOWS\system32\dllcache\tourstrt.exe
2009-02-07 12:53 36,917 --a------ C:\WINDOWS\system32\dllcache\shtml.exe
2009-02-07 12:53 36,864 --a------ C:\WINDOWS\system32\dllcache\isignup.exe
2009-02-07 12:53 36,352 --a------ C:\WINDOWS\system32\dllcache\ssmyst.scr
2009-02-07 12:53 35,840 --a------ C:\WINDOWS\system32\ups.exe
2009-02-07 12:53 35,328 --a------ C:\WINDOWS\system32\dllcache\diskperf.exe
2009-02-07 12:53 33,792 --a------ C:\WINDOWS\system32\dllcache\mofcomp.exe
2009-02-07 12:53 33,280 --a------ C:\WINDOWS\system32\perfmon.exe
2009-02-07 12:53 327,737 --a------ C:\WINDOWS\system32\dllcache\imjpdct.exe
2009-02-07 12:53 32,768 --a------ C:\WINDOWS\system32\dllcache\nppagent.exe
2009-02-07 12:53 32,256 --a------ C:\WINDOWS\system32\dllcache\rsh.exe
2009-02-07 12:53 31,232 --a------ C:\WINDOWS\system32\dllcache\wscntfy.exe
2009-02-07 12:53 31,232 --a------ C:\WINDOWS\system32\dllcache\convert.exe
2009-02-07 12:53 307,200 --a------ C:\WINDOWS\system32\vssvc.exe
2009-02-07 12:53 298,496 --a------ C:\WINDOWS\system32\dllcache\pinball.exe
2009-02-07 12:53 29,696 --a------ C:\WINDOWS\system32\tcmsetup.exe
2009-02-07 12:53 29,696 --a------ C:\WINDOWS\system32\dllcache\tracert.exe
2009-02-07 12:53 29,184 --a------ C:\WINDOWS\system32\spnpinst.exe
2009-02-07 12:53 29,184 --a------ C:\WINDOWS\system32\regsvr32.exe
2009-02-07 12:53 29,184 --a------ C:\WINDOWS\system32\dllcache\regsvr32.exe
2009-02-07 12:53 28,672 --a------ C:\WINDOWS\system32\dllcache\atmadm.exe
2009-02-07 12:53 273,920 --a------ C:\WINDOWS\system32\dllcache\agentsvr.exe
2009-02-07 12:53 26,112 --a------ C:\WINDOWS\system32\eventvwr.exe
2009-02-07 12:53 26,112 --a------ C:\WINDOWS\system32\dllcache\eventvwr.exe
2009-02-07 12:53 257,536 --a------ C:\WINDOWS\system32\dllcache\migwiz.exe
2009-02-07 12:53 253,440 --a------ C:\WINDOWS\system32\dllcache\migwiz_a.exe
2009-02-07 12:53 25,600 --a------ C:\WINDOWS\system32\dllcache\control.exe
2009-02-07 12:53 25,600 --a------ C:\WINDOWS\system32\dllcache\cidaemon.exe
2009-02-07 12:53 242,176 --a------ C:\WINDOWS\system32\dmadmin.exe
2009-02-07 12:53 242,176 --a------ C:\WINDOWS\system32\dllcache\dmadmin.exe
2009-02-07 12:53 238,080 --a------ C:\WINDOWS\system32\logon.scr
2009-02-07 12:53 235,520 --a------ C:\WINDOWS\system32\dllcache\wmiprvse.exe
2009-02-07 12:53 231,936 --a------ C:\WINDOWS\system32\dllcache\wordpad.exe
2009-02-07 12:53 23,552 --a------ C:\WINDOWS\system32\dllcache\lpq.exe
2009-02-07 12:53 22,528 --a------ C:\WINDOWS\system32\dllcache\comrereg.exe
2009-02-07 12:53 22,047 --a------ C:\WINDOWS\system32\dllcache\mplayer2.exe
2009-02-07 12:53 214,016 --a------ C:\WINDOWS\system32\dllcache\wmiadap.exe
2009-02-07 12:53 210,432 --a------ C:\WINDOWS\system32\eudcedit.exe
2009-02-07 12:53 210,432 --a------ C:\WINDOWS\system32\dllcache\fsquirt.exe
2009-02-07 12:53 208,960 --a------ C:\WINDOWS\system32\dllcache\cfgwiz.exe
2009-02-07 12:53 167,424 --a------ C:\WINDOWS\system32\imapi.exe
2009-02-07 12:53 158,208 --a------ C:\WINDOWS\system32\sessmgr.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2009-02-08 21:15 72 ---h----- C:\WINDOWS\popcreg.dat
2009-02-08 21:15 24 --a------ C:\WINDOWS\popcinfot.dat
2009-02-07 12:52 --------- d-------- C:\Program Files\Windows NT
2009-02-07 12:52 --------- d-------- C:\Program Files\Movie Maker
2009-02-07 12:52 --------- d-------- C:\Program Files\Messenger
2009-02-06 00:26 --------- d-------- C:\Program Files\GemMaster
2009-02-06 00:26 --------- d-------- C:\Program Files\EnglishOtto
2009-02-06 00:18 --------- d-------- C:\Program Files\Microsoft Works
2009-02-06 00:18 --------- d-------- C:\Program Files\Microsoft Plus! Photo Story 2 LE
2009-02-06 00:11 --------- d-------- C:\Program Files\ItsDeductible2006
2009-02-06 00:01 --------- d-------- C:\Program Files\America Online 9.0
2009-02-04 22:33 --------- d-------- C:\Program Files\BAE
2009-02-03 08:22 142848 --a------ C:\WINDOWS\system32\userinit.exe
2009-02-03 08:22 142848 --a------ C:\WINDOWS\system32\dllcache\userinit.exe
2009-02-02 19:42 --------- d-------- C:\Program Files\FlashGet
2009-01-30 07:31 --------- d-------- C:\Program Files\iTunes
2009-01-30 07:31 --------- d-------- C:\Program Files\Common Files\Apple
2009-01-21 07:01 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2009-01-21 06:12 --------- d-------- C:\DOCUME~1\BRIANM~1\APPLIC~1\BitTorrent
2009-01-19 13:39 --------- d-------- C:\Program Files\Google
2009-01-06 22:38 --------- d-------- C:\Program Files\Easy Photo Editor
2008-12-26 23:18 2288 --a------ C:\WINDOWS\system32\ealregsnapshot1.reg
2008-12-21 14:09 --------- d-------- C:\Program Files\TVAnts
2008-12-13 01:40 3593216 --------- C:\WINDOWS\system32\dllcache\mshtml.dll
2008-12-11 06:57 333184 --a------ C:\WINDOWS\system32\drivers\srv.sys
2008-12-11 06:57 333184 --------- C:\WINDOWS\system32\dllcache\srv.sys
2008-04-04 09:43 138 --a------ C:\DOCUME~1\BRIANM~1\APPLIC~1\wklnhst.dat
2008-10-29 11:41:49 88 --sh--r C:\WINDOWS\system32\0DFB5A30F7.sys
2008-10-29 11:57:16 4,232 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2008-09-09 09:11]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 19:34]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-16 09:39]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PFW]
UmxWnp.Dll 2007-01-31 14:00 79368 C:\WINDOWS\system32\UmxWNP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

R0 iastor;Intel RAID Controller;C:\WINDOWS\system32\drivers\iastor.sys
R0 KmxStart;KmxStart;C:\WINDOWS\system32\DRIVERS\kmxstart.sys
R0 ntcdrdrv;ntcdrdrv;C:\WINDOWS\system32\DRIVERS\ntcdrdrv.sys
R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
R2 KmxCF;KmxCF;C:\WINDOWS\system32\DRIVERS\KmxCF.sys
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe
R3 ATIAVPCI;ATI Unified AVStream service;C:\WINDOWS\system32\DRIVERS\atinavrr.sys
R3 e1express;Intel(R) PRO/1000 PCI Express Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e1e5132.sys
R3 Wdf01000;Wdf01000;C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
S3 aceoiwhv;aceoiwhv;\??\C:\WINDOWS\System32\Drivers\aceoiwhv.sys
S3 bhjeowrc;bhjeowrc;\??\C:\WINDOWS\System32\Drivers\bhjeowrc.sys
S3 eeuqbpfu;eeuqbpfu;\??\C:\WINDOWS\System32\Drivers\eeuqbpfu.sys
S3 jioydwyn;jioydwyn;\??\C:\WINDOWS\System32\Drivers\jioydwyn.sys
S3 MPE;BDA MPE Filter;C:\WINDOWS\system32\DRIVERS\MPE.sys
S3 MR97310_USB_DUAL_CAMERA;CIF Dual-Mode Camera;C:\WINDOWS\system32\DRIVERS\mr97310c.sys
S3 NAL;Nal Service ;\??\C:\WINDOWS\system32\Drivers\iqvw32.sys
S3 nebfixpi;nebfixpi;\??\C:\WINDOWS\System32\Drivers\nebfixpi.sys
S3 nebopxhl;nebopxhl;\??\C:\WINDOWS\System32\Drivers\nebopxhl.sys
S3 nrgzlkir;nrgzlkir;\??\C:\WINDOWS\System32\Drivers\nrgzlkir.sys
S3 nusdizmr;nusdizmr;\??\C:\WINDOWS\System32\Drivers\nusdizmr.sys
S3 orfsqyph;orfsqyph;\??\C:\WINDOWS\System32\Drivers\orfsqyph.sys
S3 PD0620VID;Creative WebCam Instant;C:\WINDOWS\system32\DRIVERS\P0620Vid.sys
S3 PPCtlPriv;PPCtlPriv;"C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe"
S3 ptiaicxf;ptiaicxf;\??\C:\WINDOWS\System32\Drivers\ptiaicxf.sys
S3 qletodsk;qletodsk;\??\C:\WINDOWS\System32\Drivers\qletodsk.sys
S3 SDDMI2;SDDMI2;\??\C:\WINDOWS\system32\DDMI2.sys
S3 USB_RNDIS;USB Remote NDIS Network Device Driver;C:\WINDOWS\system32\DRIVERS\usb8023.sys
S3 vmsjhwkx;vmsjhwkx;\??\C:\WINDOWS\System32\Drivers\vmsjhwkx.sys
S3 WinUSB;WinUSB;C:\WINDOWS\system32\DRIVERS\WinUSB.sys
S3 xkapehzn;xkapehzn;\??\C:\WINDOWS\System32\Drivers\xkapehzn.sys
S3 ykvvukhj;ykvvukhj;\??\C:\WINDOWS\System32\Drivers\ykvvukhj.sys
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


Contents of the 'Scheduled Tasks' folder
2009-01-27 16:19:08 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2009-01-23 21:20:29 C:\WINDOWS\Tasks\CAAntiSpywareScan_Daily as Brian Markin at 10 30 AM.job - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\CAAntiSpyware.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-09 18:33:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FA31A376-CD79-E447-AF19-90A84B434C11}]

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2009-02-09 18:34:25
C:\ComboFix-quarantined-files.txt ... 2009-02-09 18:34
C:\ComboFix2.txt ... 2009-02-08 00:29
C:\ComboFix3.txt ... 2009-02-07 17:27

--- E O F ---
 
Malwarebytes' Anti-Malware 1.33
Database version: 1730
Windows 5.1.2600 Service Pack 2

2/9/2009 9:24:52 PM
mbam-log-2009-02-09 (21-24-44).txt

Scan type: Full Scan (C:\|)
Objects scanned: 152348
Time elapsed: 2 hour(s), 25 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
Click here to download Dr.Web CureIt and save it to your desktop.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan. Once the short scan has finished, mark the drives that you want to scan. Select all drives. A red dot shows which drives have been chosen. Click the green arrow at the right, and the scan will start. Click 'Yes to all' if it asks if you want to cure/move the file. When the scan has finished, look if you can click the next icon next to the files found:
    [image: check.gif]
    If so, click it and then click the next icon right below and select Move incurable, as you'll see in the next image:
    [image: move.gif]
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples). After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list. Save the report to your desktop. The report will be called DrWeb.csv. Close Dr.Web CureIt. Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, along with a new HijackThis log.
 
Do you need the full list of cured/moved objects from the Dr. Web Log? The whole thing's 163,666 characters, so I'd like to know for sure before posting ....

Here's the HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:42:43 PM, on 2/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = Internet Explorer: Get It Now
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = Microsoft Windows Update
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1162430191151
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {CAC181B0-4D70-402D-B571-C596A47D0CE0} (CBankshotZoneCtrl Class) - http://zone.msn.com/bingame/zpagames/zpa_pool.cab42858.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: COM+ System Application (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\SharedComponents\PPRT\bin\ITMRTSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PPCtlPriv - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Spyware\PPCtlPriv.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe (file missing)
O23 - Service: HIPS Firewall Helper (UmxFwHlp) - CA - C:\Program Files\CA\SharedComponents\HIPSEngine\UmxFwHlp.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe

--
End of file - 8735 bytes
 
No, that's ok. Right now the log looks fine. I need you to run Malwarebytes to see if it picks up these 2 entries again.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> No action taken.
 
Nope, still there after the scan:

Malwarebytes' Anti-Malware 1.33
Database version: 1730
Windows 5.1.2600 Service Pack 2

2/11/2009 7:41:39 AM
mbam-log-2009-02-11 (07-41-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 153715
Time elapsed: 2 hour(s), 27 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


The "userinit.exe" file was one of the incurable/moved items from the Dr. Web CureIt scan ...
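A defender-side check for the Winlogon\Userinit value that Malwarebytes flagged above, written as an added Python example (not code from the thread, Malwarebytes or HijackThis). It goes a little beyond the log: it flags any program appended after the stock entry as well as a userinit.exe that is referenced but no longer on disk; the injectable `exists` argument and the sample value are assumptions so it can run offline.

```python
r"""Audit a Winlogon Userinit registry value for hijacked or missing entries.

Added example for this thread; not code from Malwarebytes, HijackThis or the
poster. Winlogon runs every comma-separated program listed in
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit at logon;
on Windows XP the stock value is "C:\WINDOWS\system32\userinit.exe,".
Malware usually persists here by appending its own executable after the
legitimate entry, and a value pointing at a userinit.exe that a cleaner has
moved or deleted leaves the machine unable to complete logon.
"""
import ntpath
import os

EXPECTED_NAME = "userinit.exe"


def parse_userinit(value):
    """Split the registry data into its individual program entries."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def audit_userinit(value, system_root="C:\\WINDOWS", exists=os.path.exists):
    """Return a list of (entry, reason) findings; an empty list means clean.

    `exists` is an injectable file-presence check (an assumption of this
    example) so the logic can be run against constructed data on any host.
    """
    expected = ntpath.join(system_root, "system32", EXPECTED_NAME).lower()
    entries = parse_userinit(value)
    if not entries:
        return [("", "no userinit entry: logon would fail")]
    findings = []
    for entry in entries:
        # Relative entries such as "system32\userinit.exe" resolve under %SystemRoot%.
        full = entry if ntpath.isabs(entry) else ntpath.join(system_root, entry)
        if ntpath.normpath(full).lower() != expected:
            findings.append((entry, "unexpected program in Userinit"))
        elif not exists(full):
            findings.append((entry, "userinit.exe referenced but missing on disk"))
    return findings


def read_live_value():
    """Read the real value on a Windows host; returns None elsewhere."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon")
    value, _ = winreg.QueryValueEx(key, "Userinit")
    return value


if __name__ == "__main__":
    live = read_live_value()
    if live is not None:
        print(audit_userinit(live))  # real registry value, real file check
    else:
        # Constructed sample: stock entry with an appended executable (extra.exe is made up).
        sample = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\extra.exe,"
        print(audit_userinit(sample, exists=lambda p: True))
```

On a live Windows host the script reads the actual value and checks the file on disk; elsewhere it runs against the constructed sample.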
 