Resolved Malware removal - Windows Vista

Bahawolf

Hello folks! I'm new to this community, though I've been lurking for a few days and it really seems that it'd be a nice place to become involved in. I'll be sure to post an introduction thread soon. :)

In the meantime, I am facing a challenge removing this infection on a friend's system which I am repairing remotely. The system originally had a rogue infection and I ran Combofix as well as Malwarebytes Anti-Malware and it appeared to take care of it. Unfortunately, there is still some freezing and the unit still runs slower than expected as per my friend, plus MBAM did pick up an infection in a quick scan.

Any assistance is greatly appreciated.

==
Logs
==

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Chris at 21:35:33.71 on Tue 08/24/2010
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1382 [GMT -7:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\TeamViewer\Version5\TeamViewer.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWWSC.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\UltraVNC\winvnc.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Chris\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BK5MN7WL\dds[1].scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: MRI_DISABLED - No File
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [Svhst] c:\users\chris\appdata\roaming\swhst\svhst.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autoru~1\mri_di~1\exifla~1.lnk - c:\program files\finepixviewers\QuickDCF2.exe
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
mPolicies-system: EnableLUA = 0 (0x0)
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\npjpi160_01.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\chris\appdata\roaming\mozilla\firefox\profiles\l8k0id2p.default\
FF - component: c:\program files\mozilla firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
FF - component: c:\users\chris\appdata\roaming\mozilla\firefox\profiles\l8k0id2p.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\users\chris\appdata\roaming\mozilla\firefox\profiles\l8k0id2p.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-8-18 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 1355416]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-8-17 165456]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-8-17 17744]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-8-17 50256]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-17 40384]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [2007-4-25 99248]
S2 TeamViewer5;TeamViewer 5;c:\program files\teamviewer\version5\TeamViewer_Service.exe [2010-7-6 173352]
S2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2010-8-24 1590216]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-17 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-8-17 40384]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15008]
S3 mv2;mv2;c:\windows\system32\drivers\mv2.sys [2010-8-24 12096]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S4 B-Service;B-Service;c:\users\chris\downloads\B-Service.exe [2010-8-9 185640]
S4 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

=============== Created Last 30 ================

2010-08-25 04:27:59 23872 ----a-w- c:\windows\system32\mv2.dll
2010-08-25 04:27:59 12096 ----a-w- c:\windows\system32\drivers\mv2.sys
2010-08-25 04:27:51 0 d-----w- c:\program files\UltraVNC
2010-08-19 04:44:41 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-08-18 12:21:52 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-08-18 12:21:49 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-18 11:57:45 0 dc-h--w- c:\programdata\{ECC164E0-3133-4C70-A831-F08DB2940F70}
2010-08-18 11:57:06 0 d-----w- c:\programdata\Lavasoft
2010-08-18 11:57:06 0 d-----w- c:\program files\Lavasoft
2010-08-18 05:18:36 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-08-18 05:18:11 38848 ----a-w- c:\windows\avastSS.scr
2010-08-18 05:18:08 0 d-----w- c:\programdata\Alwil Software
2010-08-17 02:51:46 0 d-----w- C:\SDFix
2010-08-17 02:41:06 53248 ----a-w- c:\windows\system32\process.exe
2010-08-17 02:41:06 126976 ----a-w- c:\windows\system32\zip.exe
2010-08-17 02:40:56 0 d-----w- c:\program files\roguescanfix
2010-08-17 02:32:07 0 d-----w- c:\windows\LMI7445.tmp
2010-08-17 02:27:38 0 d-----w- c:\program files\Trend Micro
2010-08-15 17:01:06 0 d-----w- c:\users\chris\appdata\roaming\TeamViewer
2010-08-15 15:49:02 0 d-----w- c:\users\chris\appdata\roaming\PCToolsFirewallPlus
2010-08-15 15:49:01 0 d-----w- c:\users\chris\appdata\roaming\Spam Monitor
2010-08-15 14:44:08 0 d-----w- c:\programdata\PC Tools
2010-08-15 14:44:08 0 d-----w- c:\program files\PC Tools Internet Security
2010-08-15 14:43:38 0 d-----w- c:\users\chris\appdata\roaming\Swhst
2010-08-15 14:09:02 798 ---ha-w- C:\IPH.PH
2010-08-15 14:09:02 0 d--h--w- C:\TEMP
2010-08-15 14:01:16 0 d-----w- c:\program files\common files\PC Tools
2010-08-15 14:01:14 0 d---a-w- c:\programdata\TEMP
2010-08-15 13:11:46 4213696 ----a-w- C:\ExterminateIt.exe
2010-08-15 07:16:34 0 d-----w- c:\program files\Exterminate It!
2010-08-15 06:51:29 226688 ----a-w- C:\BdUninstallTool2010.08.14-11.51.29.reg
2010-08-15 04:22:02 0 d-----w- c:\users\chris\appdata\roaming\QuickScan
2010-08-14 22:56:26 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-14 14:19:07 0 d-sh--w- C:\$RECYCLE.BIN
2010-08-13 05:24:32 162616 ----a-w- c:\windows\RegDelNull.exe
2010-08-12 04:50:55 1152 ----a-w- c:\windows\system32\windrv.sys
2010-08-10 03:34:33 15892480 ----a-w- C:\Ad-AwareInstall.exe
2010-08-10 03:03:53 0 d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-10 03:03:53 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-08-10 02:44:19 16409960 ----a-w- C:\spybotsd162.exe
2010-08-10 02:15:43 98816 ----a-w- c:\windows\sed.exe
2010-08-10 02:15:43 77312 ----a-w- c:\windows\MBR.exe
2010-08-10 02:15:43 256512 ----a-w- c:\windows\PEV.exe
2010-08-10 02:15:43 161792 ----a-w- c:\windows\SWREG.exe
2010-08-10 02:12:38 35 ----a-w- c:\users\chris\appdata\roaming\SetValue.bat
2010-08-10 02:12:37 691 ----a-w- c:\users\chris\appdata\roaming\GetValue.vbs
2010-08-09 23:56:45 0 d-----w- c:\users\chris\appdata\roaming\Malwarebytes
2010-08-09 23:56:27 0 d-----w- c:\programdata\Malwarebytes
2010-08-09 23:50:12 0 d-----w- c:\program files\TeamViewer
2010-08-03 22:46:16 221300608 ----a-w- c:\windows\MEMORY.DMP

==================== Find3M ====================

2010-08-25 04:28:06 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-08-25 04:28:06 51200 ----a-w- c:\windows\inf\infpub.dat
2010-08-25 04:28:05 86016 ----a-w- c:\windows\inf\infstor.dat
2010-08-23 18:07:04 4022 ----a-w- c:\users\chris\appdata\roaming\wklnhst.dat
2008-08-03 09:44:02 174 --sha-w- c:\program files\desktop.ini
2008-08-03 09:31:48 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-05-01 06:44:18 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2009-05-01 06:44:18 32768 --sha-w- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2009-05-01 06:44:18 16384 --sha-w- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-01-15 06:45:41 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-01-15 06:45:41 32768 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-01-15 06:45:41 16384 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-09-07 04:26:46 32768 --sha-w- c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\history\history.ie5\mshist012008090620080907\index.dat

============= FINISH: 21:36:32.46 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit quick scan 2010-08-23 21:03:44
Windows 6.0.6001 Service Pack 1
Running: nrl9qy0u.exe; Driver: C:\Users\Chris\AppData\Local\Temp\ufldapoc.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8E997B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8E9979C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8E997AFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4473

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 7.0.6001.18000

8/25/2010 04:06:29
mbam-log-2010-08-25 (04-06-29).txt

Scan type: Quick scan
Objects scanned: 135305
Time elapsed: 5 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svhst (Backdoor.PoisonIvy) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
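As an added, defender-side illustration (my own code, not part of the original post and not part of DDS or Malwarebytes): a small Python triage script that reads lines in the DDS "Pseudo HJT Report" format and flags the indicators visible in the log above: an autorun entry launched from a user-writable profile path, a browser proxy pointed at a local listener, UAC switched off, and a BHO registration with no backing file. The sample lines are copied from the log above; the rules, the `USER_WRITABLE` marker list and the `triage` function are my own heuristics, meant to prioritise what to look at, not to give a verdict.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines in the DDS "Pseudo HJT Report" format. They are
# copied from the log posted above, with benign entries left in for contrast.
SAMPLE_LOG = r"""
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
BHO: MRI_DISABLED - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
uRun: [Svhst] c:\users\chris\appdata\roaming\swhst\svhst.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
mPolicies-system: EnableLUA = 0 (0x0)
"""

# DDS prefixes: u = current-user hive, m = machine hive, d = default-user hive.
RUN_RE = re.compile(r"^(?P<scope>[umd])Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.*)$")
LUA_OFF_RE = re.compile(r"^mPolicies-system:\s+EnableLUA\s*=\s*0\b")

# Locations a standard user can write to; legitimate autoruns rarely live here.
# (Assumed marker list, chosen for this example.)
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


@dataclass
class Finding:
    line: str
    reason: str


def triage(log_text: str) -> list[Finding]:
    """Return the lines that deserve a closer look, each with the rule that fired."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            if any(marker in m.group("cmd").lower() for marker in USER_WRITABLE):
                findings.append(Finding(line, "autorun launched from a user-writable profile path"))
            continue

        m = PROXY_RE.match(line)
        if m:
            if any(host in m.group("value").lower() for host in ("localhost", "127.0.0.1")):
                findings.append(Finding(line, "browser proxy points at a local listener (traffic interception)"))
            continue

        if LUA_OFF_RE.match(line):
            findings.append(Finding(line, "UAC disabled (EnableLUA = 0)"))
            continue

        if line.startswith("BHO:") and line.endswith("No File"):
            findings.append(Finding(line, "BHO registration with no backing file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.line}")
```

On the sample this flags the `Svhst` Run entry (the same `HKCU\...\Run\svhst` value Malwarebytes reports above), the `localhost:7171` proxy and `EnableLUA = 0`, while the avast and MySpaceIM entries pass because they live under Program Files. A local proxy setting is worth checking on any cleaned machine: it survives file deletion and silently routes every browser request through whatever was listening on that port.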
 
Yes, I can see where there are still problems. There is a second part to the DDS log named Attach.txt. Please find that and include it in the next reply.

When you ran Malwarebytes, you didn't check for it to remove what it found and it shows No Action Taken. Please update Mbam and rescan, with that line checked.

Please run this Security Check:

Download Security Check and save it to your Desktop.
  • Double-click SecurityCheck.exe to run.
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post this log in your next reply.
================================
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
I notice you ran SDFix> do you have the log for that? If not, don't run it again> I'll have you run Combofix instead.

Important:
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
I apologize for the delay in reply...
When I ran MBAM before, it did prompt me to remove the found infection at the end so I did so.
I do not have the log for SD but I will post the rest.


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d3f344608f45944d9b2e88f2bc227538
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-25 05:47:27
# local_time=2010-08-24 10:47:27 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776637 100 100 39337640 119319748 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=119935
# found=0
# cleaned=0
# scan_time=3028
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d3f344608f45944d9b2e88f2bc227538
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-27 05:54:23
# local_time=2010-08-26 10:54:23 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776637 100 100 39510847 119492955 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=119919
# found=0
# cleaned=0
# scan_time=3037


Results of screen317's Security Check version 0.99.5
Windows Vista Service Pack 1 (UAC is disabled!)
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Enabled!
avast! Free Antivirus
ESET Online Scanner v3
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) SE Runtime Environment 6 Update 1
Adobe Flash Player 10.0.22.87
Adobe Reader 8.1.2
Out of date Adobe Reader installed!
Mozilla Firefox (3.0.19) Firefox Out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````
 

Attachments: Attach.txt (4.1 KB)
Hey Bobby,
I apologize that there was such a long delay in responses but I would love if you could still help me. :)
 
Okay, the security check shows several programs out of date, so they will have to be updated along the line.

Things to do before we go on:

1. Update Java> it is 20 updates behind and presents a vulnerability to the system. Check this site: Java Updates. Stay current, as most updates are for security. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
2. Disable or uninstall Roguescanfix while I am helping you clean the system. This is a specially crafted tool to remove rogue anti-spyware applications that use trojans to infest a system. This tool should only be used under the guidance of a trained Malware Expert. It could affect the scans we do.
3. Check Network Restrictions. Ask if any restrictions have been intentionally set or if the user is aware that the Administrator has set them.
4. Combofix. IF you have the Combofix report, copy the header and the section that shows deletions, if any. If there were any, I want to check this before you do the next step.
===============================================
If you did not save the log:

Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please paste the C:\ComboFix.txt in next reply.
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
 
I've updated Java and disabled Roguescanfix now. This is the latest Combofix log...


ComboFix 10-08-09.02 - Chris 08/13/2010 18:10:42.2.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1526 [GMT -7:00]
Running from: c:\users\Chris\Desktop\ComboFix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\scecli.dll . . . is infected!!

c:\windows\system32\comres.dll . . . is infected!!

.
((((((((((((((((((((((((( Files Created from 2010-07-14 to 2010-08-14 )))))))))))))))))))))))))))))))
.

2010-08-14 12:18 . 2010-08-14 12:37 -------- d-----w- c:\users\Chris\AppData\Local\temp
2010-08-14 12:18 . 2010-08-14 12:18 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-08-14 12:18 . 2010-08-14 12:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-08-14 00:48 . 2010-08-14 00:48 -------- d-----w- C:\32788R22FWJFW
2010-08-13 05:24 . 2006-11-01 20:06 162616 ----a-w- c:\windows\RegDelNull.exe
2010-08-12 04:50 . 2010-08-12 04:50 1152 ----a-w- c:\windows\system32\windrv.sys
2010-08-11 10:02 . 2010-08-12 04:42 -------- d-----w- c:\windows\BDOSCAN8
2010-08-11 06:32 . 2010-08-11 06:32 -------- d-----w- c:\program files\Common Files\BitDefender
2010-08-10 03:34 . 2010-08-10 03:48 15892480 ----a-w- C:\Ad-AwareInstall.exe
2010-08-10 03:03 . 2010-08-13 05:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-10 03:03 . 2010-08-13 05:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-10 02:48 . 2010-08-10 02:48 -------- d-----w- c:\program files\CCleaner
2010-08-10 02:44 . 2010-08-10 02:42 16409960 ----a-w- C:\spybotsd162.exe
2010-08-10 01:00 . 2010-08-10 01:00 -------- d-----w- c:\users\Chris\AppData\Local\ICS
2010-08-10 00:59 . 2010-08-14 00:45 -------- d-----w- c:\windows\LMI3B0C.tmp
2010-08-10 00:02 . 2010-08-10 02:38 680 ----a-w- c:\users\Chris\AppData\Local\d3d9caps.dat
2010-08-09 23:56 . 2010-08-09 23:56 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2010-08-09 23:56 . 2010-08-09 23:56 -------- d-----w- c:\programdata\Malwarebytes
2010-08-09 23:50 . 2010-08-09 23:50 -------- d-----w- c:\program files\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-13 05:13 . 2009-05-17 01:10 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2010-08-10 02:12 . 2010-08-10 02:12 35 ----a-w- c:\users\Chris\AppData\Roaming\SetValue.bat
2010-08-10 02:12 . 2010-08-10 02:12 691 ----a-w- c:\users\Chris\AppData\Roaming\GetValue.vbs
2010-08-03 22:50 . 2008-02-10 09:13 -------- d-----w- c:\users\Chris\AppData\Roaming\FUJIFILM
2010-08-03 19:04 . 2007-12-10 04:29 4022 ----a-w- c:\users\Chris\AppData\Roaming\wklnhst.dat
2010-08-03 19:01 . 2007-12-14 06:13 -------- d-----w- c:\program files\Lx_cats
2010-08-03 02:26 . 2009-09-21 22:32 256 ----a-w- c:\windows\system32\pool.bin
2010-07-07 23:05 . 2010-07-04 05:51 -------- d-----w- c:\users\Chris\AppData\Roaming\Sysinternals Antivirus
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*LogMeInRescue_528354783"="c:\windows\LMI3B0C.tmp\lmi_rescue.exe" [2010-08-10 1874808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\MRI_DISABLED
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-2-10 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-05-04 06:40 312240 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-01-03 01:06 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-01-03 01:07 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 11:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
2007-07-04 00:40 40072 ----a-w- c:\windows\SMINST\Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
2007-03-05 07:40 20480 ----a-w- c:\program files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
2007-05-04 06:38 291760 ----a-w- c:\program files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
2009-02-03 22:21 21244864 ----a-w- c:\windows\System32\mrt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-01-03 01:07 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-03-06 23:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-04-23 22:51 4435968 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBC_McciTrayApp]
2007-02-28 19:35 1011200 ----a-w- c:\program files\SBC\update\SST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
2007-07-13 04:27 5252936 ----a-w- c:\program files\Spare Backup\SpareBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3352549485-4007945283-2351025167-1000]
"EnableNotificationsRef"=dword:00000001

R2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R4 B-Service;B-Service;c:\users\Chris\Downloads\B-Service.exe [2010-08-10 185640]
R4 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - UFLDAPOC
*Deregistered* - ufldapoc
.
Contents of the 'Scheduled Tasks' folder

2008-07-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>;*.local
uInternet Settings,ProxyServer = http=localhost:7171
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\l8k0id2p.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={51BAF25C-83A7-EB49-8254-EE07C9DA3C19}&q=
FF - component: c:\program files\Mozilla Firefox\extensions\linkfilter@kaspersky.ru\components\KavLinkFilter.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SNM - c:\program files\SpyNoMore\SNM.exe
HKLM-RunOnce-<NO NAME> - (no file)
MSConfigStartUp-Malwarebytes' Anti-Malware - c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-14 05:35
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-08-14 07:54:47
ComboFix-quarantined-files.txt 2010-08-14 14:51
ComboFix2.txt 2010-08-10 02:22

Pre-Run: 236,285,657,088 bytes free
Post-Run: 236,727,607,296 bytes free

- - End Of File - - ACBD098F8E48D099CD968878B41BB587
 
Run this please and give me the results:

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    scecli.*
    comres.*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
=================================
Please go to VirSCAN.org FREE on-line scan service:
If busy, you can use one of the following: ( you only need one)
VirusTotal
Jotti

  [1]. Copy and paste the following file path into the Suspicious files to scan box at the top of the page.

    Code:
    c:\windows\system32\comres.dll
  [2]. At the upload site, click once inside the window next to Browse.
  [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
  [4]. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue, which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
  [5]. Once the scan is completed, scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  [6]. Paste the contents of the Clipboard in your next reply.

Scecli.dll implements the client-side extension for Group Policy, which may be why the restrictions are in place. It is important that you find out which restrictions, if any, were set by the Administrator.
 
Bobby,
I've asked and they have informed me that there are no user or network restrictions in place.

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 11:43 on 28/08/2010 by Chris (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.*"
C:\Windows\ERDNT\cache\scecli.dll --a--- 177152 bytes [02:21 10/08/2010] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\System32\en-US\scecli.dll.mui --a--- 26112 bytes [12:41 02/11/2006] [12:41 02/11/2006] 9BAEE5A01FF86F50F5C996B420F40EA7
C:\Windows\System32\scecli.dll --a--- 177152 bytes [14:43 26/07/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\winsxs\x86_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.0.6000.16386_en-us_4a83ea07e02eec19\scecli.dll.mui --a--- 26112 bytes [12:41 02/11/2006] [12:41 02/11/2006] 9BAEE5A01FF86F50F5C996B420F40EA7
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [14:43 26/07/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9

Searching for "comres.*"
C:\Windows\System32\comres.dll --a--- 1291264 bytes [14:44 26/07/2008] [05:48 19/01/2008] 4211249955AF9133E2E357CC92B54DFD
C:\Windows\System32\en-US\comres.dll.mui --a--- 401408 bytes [12:40 02/11/2006] [12:40 02/11/2006] 21FD28B92DE8F3CBA5A7D4BC449304F7
C:\Windows\winsxs\x86_microsoft-windows-c..mplus.res.resources_31bf3856ad364e35_6.0.6000.16386_en-us_a0e5c1ae452540b0\comres.dll.mui --a--- 401408 bytes [12:40 02/11/2006] [12:40 02/11/2006] 21FD28B92DE8F3CBA5A7D4BC449304F7
C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6000.16386_none_2a7a18dbe946c84f\comres.dll --a--- 1236992 bytes [07:29 02/11/2006] [08:50 02/11/2006] 4843A1784BA6434DFF80F841DDC592C6
C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --a--- 1291264 bytes [14:44 26/07/2008] [05:48 19/01/2008] 4211249955AF9133E2E357CC92B54DFD

-=End Of File=-

VirSCAN.org Scanned Report :
Scanned time : 2010/08/28 13:48:08 (CDT)
Scanner results: Scanners did not find malware!
File Name : comres.dll
File Size : 1291264 byte
File Type : PE32 executable for MS Windows (DLL) (console) Intel 80386 3
MD5 : 4211249955af9133e2e357cc92b54dfd
SHA1 : b2f121782f01ff1f7c4fffe297ccb3d1eb1f7494
Online report : http://virscan.org/report/cd9e59125294333f36d30fecef811031.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.0.0.19 20100827080832 2010-08-27 4.73 -
AhnLab V3 2010.08.28.00 2010.08.28 2010-08-28 1.23 -
AntiVir 8.2.4.46 7.10.11.43 2010-08-28 0.27 -
Antiy 2.0.18 20100829.5009785 2010-08-29 0.12 -
Arcavir 2009 201006281601 2010-06-28 0.01 -
Authentium 5.1.1 201008280228 2010-08-28 1.29 -
AVAST! 4.7.4 100828-0 2010-08-28 0.06 -
AVG 8.5.793 271.1.1/3099 2010-08-28 0.22 -
BitDefender 7.90123.6284734 7.33608 2010-08-29 4.49 -
ClamAV 0.96.1 11727 2010-08-28 0.19 -
Comodo 4.0 5888 2010-08-28 1.17 -
CP Secure 1.3.0.5 2010.08.28 2010-08-28 0.22 -
Dr.Web 5.0.2.3300 2010.08.29 2010-08-29 9.05 -
F-Prot 4.4.4.56 20100827 2010-08-27 1.28 -
F-Secure 7.02.73807 2010.08.28.02 2010-08-28 10.86 -
Fortinet 4.1.143 12.289 2010-08-28 0.19 -
GData 21.742/21.288 20100828 2010-08-28 7.34 -
ViRobot 20100827 2010.08.27 2010-08-27 0.38 -
Ikarus T3. 2010.08.28.76622 2010-08-28 4.61 -
JiangMin 13.0.900 2010.08.27 2010-08-27 1.33 -
Kaspersky 5.5.10 2010.08.28 2010-08-28 0.08 -
KingSoft 2009.2.5.15 2010.8.28.20 2010-08-28 0.65 -
McAfee 5400.1158 6088 2010-08-28 18.49 -
Microsoft 1.6103 2010.08.28 2010-08-28 5.25 -
Norman 6.05.11 6.05.00 2010-08-28 8.01 -
Panda 9.05.01 2010.08.27 2010-08-27 0.54 -
Trend Micro 9.120-1004 7.420.02 2010-08-28 0.03 -
Quick Heal 11.00 2010.08.28 2010-08-28 2.72 -
Rising 20.0 22.62.05.03 2010-08-28 0.21 -
Sophos 3.10.0 4.56 2010-08-29 4.23 -
Sunbelt 3.9.2432.2 6802 2010-08-27 11.75 -
Symantec 1.3.0.24 20100828.004 2010-08-28 0.10 -
nProtect 20100825.02 8957401 2010-08-25 9.38 -
The Hacker 6.5.2.1 v00357 2010-08-28 0.74 -
VBA32 3.12.14.0 20100827.0614 2010-08-27 3.25 -
VirusBuster 4.5.11.10 10.127.68/2038242 2010-08-27 2.73 -
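Added example (not part of either poster's text): the SystemLook output above lists every copy of scecli.dll and comres.dll with its MD5, which is what makes the question "is the live System32 file the build that shipped?" answerable offline. On Vista, servicing puts every file version in the WinSxS component store and System32 normally holds a hard link to one of them, so the System32 copy should hash-match a WinSxS copy of the same name. The Python below parses the filefind lines quoted from the log, groups the WinSxS copies by filename and assembly version, and reports whether each binary sitting directly in System32 matches one of them. On the posted lines both scecli.dll and comres.dll match their 6.0.6001.18000 store copies. The two tampered.dll lines are constructed for this example to show the mismatch path, and the function names are this example's own.

```python
"""Check System32 binaries against their WinSxS component-store copies using the
hash column of SystemLook ':filefind' output (added example, not a thread tool)."""
import re
from collections import defaultdict

# One filefind hit per line: <path> <6 attribute flags> <size> bytes [modified] [created] <MD5>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+(?P<attrs>[-a-zA-Z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<modified>[^\]]+)\]\s+\[(?P<created>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# WinSxS component directory names carry the assembly version between underscores.
SXS_VERSION_RE = re.compile(r"_(\d+\.\d+\.\d+\.\d+)_")

# Lines copied from the SystemLook log in this thread, plus two constructed
# "tampered.dll" lines (made up for this example) whose hashes deliberately differ.
SAMPLE_LOG = r"""
========== filefind ==========

Searching for "scecli.*"
C:\Windows\ERDNT\cache\scecli.dll --a--- 177152 bytes [02:21 10/08/2010] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\System32\en-US\scecli.dll.mui --a--- 26112 bytes [12:41 02/11/2006] [12:41 02/11/2006] 9BAEE5A01FF86F50F5C996B420F40EA7
C:\Windows\System32\scecli.dll --a--- 177152 bytes [14:43 26/07/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9
C:\Windows\winsxs\x86_microsoft-windows-s..ineclient.resources_31bf3856ad364e35_6.0.6000.16386_en-us_4a83ea07e02eec19\scecli.dll.mui --a--- 26112 bytes [12:41 02/11/2006] [12:41 02/11/2006] 9BAEE5A01FF86F50F5C996B420F40EA7
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6000.16386_none_35d7205fdc305e3e\scecli.dll --a--- 176640 bytes [08:43 02/11/2006] [09:46 02/11/2006] 80E2839D05CA5970A86D7BE2A08BFF61
C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.0.6001.18000_none_380de25bd91b6f12\scecli.dll --a--- 177152 bytes [14:43 26/07/2008] [07:36 19/01/2008] 28B84EB538F7E8A0FE8B9299D591E0B9

Searching for "comres.*"
C:\Windows\System32\comres.dll --a--- 1291264 bytes [14:44 26/07/2008] [05:48 19/01/2008] 4211249955AF9133E2E357CC92B54DFD
C:\Windows\System32\en-US\comres.dll.mui --a--- 401408 bytes [12:40 02/11/2006] [12:40 02/11/2006] 21FD28B92DE8F3CBA5A7D4BC449304F7
C:\Windows\winsxs\x86_microsoft-windows-c..mplus.res.resources_31bf3856ad364e35_6.0.6000.16386_en-us_a0e5c1ae452540b0\comres.dll.mui --a--- 401408 bytes [12:40 02/11/2006] [12:40 02/11/2006] 21FD28B92DE8F3CBA5A7D4BC449304F7
C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6000.16386_none_2a7a18dbe946c84f\comres.dll --a--- 1236992 bytes [07:29 02/11/2006] [08:50 02/11/2006] 4843A1784BA6434DFF80F841DDC592C6
C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --a--- 1291264 bytes [14:44 26/07/2008] [05:48 19/01/2008] 4211249955AF9133E2E357CC92B54DFD

Searching for "tampered.*"   (constructed lines, not from the thread)
C:\Windows\System32\tampered.dll --a--- 4096 bytes [01:00 01/01/2010] [01:00 01/01/2010] DEADBEEFDEADBEEFDEADBEEFDEADBEEF
C:\Windows\winsxs\x86_example-component_31bf3856ad364e35_6.0.6001.18000_none_0123456789abcdef\tampered.dll --a--- 4096 bytes [01:00 01/01/2010] [01:00 01/01/2010] 0123456789ABCDEF0123456789ABCDEF
"""


def parse_filefind(text):
    """Return one dict per hit line; headers and blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        hit = m.groupdict()
        hit["size"] = int(hit["size"])
        hit["md5"] = hit["md5"].upper()
        hit["name"] = hit["path"].rsplit("\\", 1)[-1].lower()
        hits.append(hit)
    return hits


def check_system32(hits, windir="C:\\Windows"):
    """Map each binary sitting directly in System32 to a verdict against WinSxS."""
    sys32 = windir.lower() + "\\system32\\"
    sxs = windir.lower() + "\\winsxs\\"

    store = defaultdict(list)          # basename -> [(assembly version, MD5)]
    for h in hits:
        p = h["path"].lower()
        if p.startswith(sxs):
            m = SXS_VERSION_RE.search(p)
            store[h["name"]].append((m.group(1) if m else "?", h["md5"]))

    verdicts = {}
    for h in hits:
        p = h["path"].lower()
        # Only files directly under System32; subfolders such as System32\en-US hold .mui resources.
        if not p.startswith(sys32) or "\\" in p[len(sys32):]:
            continue
        same_hash = [ver for ver, md5 in store.get(h["name"], []) if md5 == h["md5"]]
        if same_hash:
            verdicts[h["name"]] = "ok: matches WinSxS " + ", ".join(sorted(same_hash))
        elif store.get(h["name"]):
            verdicts[h["name"]] = "MISMATCH: no WinSxS copy has this hash (patched or replaced?)"
        else:
            verdicts[h["name"]] = "unknown: no WinSxS copy to compare against"
    return verdicts


if __name__ == "__main__":
    for name, verdict in sorted(check_system32(parse_filefind(SAMPLE_LOG)).items()):
        print(f"{name:14} {verdict}")
```

A match only proves the System32 file is the same bytes as the store's copy; if the store copy itself had been replaced, both would agree and this check would pass. For a file you do not trust, pair it with a lookup of the hash against a vendor database, which is what the VirSCAN step above does.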
 
Hey Bobby,
The logs didn't post for some reason; I think they might be waiting for approval from a moderator but didn't want you to think I disappeared again.
 
Please run this Custom CFScript


  [1]. Close any open browsers.
  [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  [3]. Open Notepad and copy/paste the text in the code box below into it:
Code:
File::
c:\windows\RegDelNull.exe
c:\windows\system32\windrv.sys
c:\users\Chris\Downloads\B-Service.exe
Folder::
c:\users\Chris\AppData\Local\temp
c:\users\Public\AppData\Local\temp
c:\users\Default\AppData\Local\temp
c:\windows\LMI3B0C.tmp
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3352549485-4007945283-2351025167-1000]
"EnableNotificationsRef"=-
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
Driver::
B-Service
FCopy::
C:\Windows\ERDNT\cache\scecli.dll | c:\windows\system32\scecli.dll
C:\Windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll | c:\windows\system32\comres.dll
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
=====================================
Then run a new scan using the Eset Online scanner:

Run the ESET NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

There is a rootkit on the system, and it also looks like a worm which works through Group Policy; that would explain there being no setting, and what I'm seeing.
 
It hasn't frozen in a while now, but the startup is still taking a long time from the initial loading screen.

Latest logs:

ComboFix 10-08-28.02 - Chris 08/29/2010 21:35:30.3.2 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2039.1465 [GMT -7:00]
Running from: c:\users\Chris\Desktop\ComboFix.exe
Command switches used :: c:\users\Chris\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\Chris\Downloads\B-Service.exe"
"c:\windows\RegDelNull.exe"
"c:\windows\system32\windrv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Chris\AppData\Local\temp
c:\users\Chris\Downloads\B-Service.exe
c:\users\Default\AppData\Local\temp
c:\users\Public\AppData\Local\temp
c:\windows\RegDelNull.exe
c:\windows\system32\Process.exe
c:\windows\system32\windrv.sys

.
--------------- FCopy ---------------

c:\windows\ERDNT\cache\scecli.dll --> c:\windows\system32\scecli.dll
c:\windows\winsxs\x86_microsoft-windows-com-complus.res_31bf3856ad364e35_6.0.6001.18000_none_2cb0dad7e631d923\comres.dll --> c:\windows\system32\comres.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_B-Service


((((((((((((((((((((((((( Files Created from 2010-07-28 to 2010-08-30 )))))))))))))))))))))))))))))))
.

2010-08-30 04:42 . 2010-08-30 04:42 -------- d-----w- c:\users\Chris\AppData\Local\Temp
2010-08-30 04:33 . 2010-08-30 04:34 -------- d-----w- C:\32788R22FWJFW
2010-08-28 16:57 . 2010-08-28 16:57 -------- d-----w- c:\users\Chris\AppData\Roaming\Webroot
2010-08-28 14:24 . 2010-08-28 14:24 -------- d-----w- c:\program files\Common Files\Java
2010-08-28 14:23 . 2010-08-28 14:23 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-28 13:47 . 2010-08-28 13:47 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-08-28 13:47 . 2010-08-28 13:47 -------- d-----w- c:\program files\MSECACHE
2010-08-28 12:17 . 2010-08-28 12:20 -------- d-----w- c:\program files\JDownloader
2010-08-27 04:59 . 2010-08-27 04:59 -------- d-----w- c:\users\Chris\AppData\Local\Seven Zip
2010-08-25 04:51 . 2010-08-25 04:51 -------- d-----w- c:\program files\ESET
2010-08-25 04:48 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-25 04:48 . 2010-08-28 16:36 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-25 04:48 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-25 04:27 . 2010-08-25 04:27 23872 ----a-w- c:\windows\system32\mv2.dll
2010-08-25 04:27 . 2010-08-25 04:27 12096 ----a-w- c:\windows\system32\drivers\mv2.sys
2010-08-25 04:27 . 2010-08-25 04:32 -------- d-----w- c:\program files\UltraVNC
2010-08-18 12:21 . 2010-08-18 12:21 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-08-18 12:00 . 2010-08-18 12:00 -------- d-----w- c:\users\Chris\AppData\Local\Sunbelt Software
2010-08-18 11:57 . 2010-08-27 05:00 -------- d-----w- c:\programdata\Lavasoft
2010-08-18 11:57 . 2010-08-18 11:57 -------- d-----w- c:\program files\Lavasoft
2010-08-18 05:18 . 2010-06-28 20:37 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-08-18 05:18 . 2010-06-28 20:32 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-08-18 05:18 . 2010-06-28 20:37 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-08-18 05:18 . 2010-06-28 20:33 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-08-18 05:18 . 2010-06-28 20:32 50256 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-08-18 05:18 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr
2010-08-18 05:18 . 2010-06-28 20:57 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-08-18 05:18 . 2010-08-18 05:18 -------- d-----w- c:\programdata\Alwil Software
2010-08-18 05:18 . 2010-08-18 05:18 -------- d-----w- c:\program files\Alwil Software
2010-08-17 02:51 . 2008-11-06 09:03 -------- d-----w- C:\SDFix
2010-08-17 02:40 . 2010-08-28 13:54 -------- d-----w- c:\program files\roguescanfix
2010-08-17 02:32 . 2010-08-17 02:59 -------- d-----w- c:\windows\LMI7445.tmp
2010-08-17 02:27 . 2010-08-17 02:27 -------- d-----w- c:\program files\Trend Micro
2010-08-15 17:01 . 2010-08-18 05:03 -------- d-----w- c:\users\Chris\AppData\Roaming\TeamViewer
2010-08-15 15:49 . 2010-08-15 15:49 -------- d-----w- c:\users\Chris\AppData\Roaming\PCToolsFirewallPlus
2010-08-15 15:49 . 2010-08-15 15:49 -------- d-----w- c:\users\Chris\AppData\Roaming\Spam Monitor
2010-08-15 14:44 . 2010-08-16 01:29 -------- d-----w- c:\program files\PC Tools Internet Security
2010-08-15 14:44 . 2010-08-15 16:24 -------- d-----w- c:\programdata\PC Tools
2010-08-15 14:43 . 2010-08-15 15:51 -------- d-----w- c:\users\Chris\AppData\Roaming\Swhst
2010-08-15 14:09 . 2010-08-28 16:26 -------- d-----w- C:\TEMP
2010-08-15 14:01 . 2010-08-16 01:29 -------- d-----w- c:\program files\Common Files\PC Tools
2010-08-15 13:11 . 2010-07-24 16:30 4213696 ----a-w- C:\ExterminateIt.exe
2010-08-15 07:16 . 2010-08-15 13:59 -------- d-----w- c:\program files\Exterminate It!
2010-08-15 06:51 . 2010-08-15 06:53 226688 ----a-w- C:\BdUninstallTool2010.08.14-11.51.29.reg
2010-08-15 04:22 . 2010-08-15 04:24 -------- d-----w- c:\users\Chris\AppData\Roaming\QuickScan
2010-08-14 22:56 . 2010-08-14 22:56 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-08-11 10:02 . 2010-08-15 04:15 -------- d-----w- c:\windows\BDOSCAN8
2010-08-10 03:34 . 2010-08-10 03:48 15892480 ----a-w- C:\Ad-AwareInstall.exe
2010-08-10 03:03 . 2010-08-13 05:14 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-10 03:03 . 2010-08-13 05:14 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2010-08-10 02:44 . 2010-08-10 02:42 16409960 ----a-w- C:\spybotsd162.exe
2010-08-10 01:00 . 2010-08-10 01:00 -------- d-----w- c:\users\Chris\AppData\Local\ICS
2010-08-10 00:02 . 2010-08-30 04:38 680 ----a-w- c:\users\Chris\AppData\Local\d3d9caps.dat
2010-08-09 23:56 . 2010-08-09 23:56 -------- d-----w- c:\users\Chris\AppData\Roaming\Malwarebytes
2010-08-09 23:56 . 2010-08-09 23:56 -------- d-----w- c:\programdata\Malwarebytes
2010-08-09 23:50 . 2010-08-09 23:50 -------- d-----w- c:\program files\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-28 16:36 . 2009-09-13 01:26 -------- d-----w- c:\program files\Bonjour
2010-08-28 16:36 . 2007-09-24 19:40 -------- d-----w- c:\program files\Spare Backup
2010-08-28 16:35 . 2006-11-02 12:37 -------- d-----w- c:\program files\Windows Defender
2010-08-28 14:22 . 2007-09-24 19:39 -------- d-----w- c:\program files\Java
2010-08-28 13:47 . 2010-08-28 13:47 3584 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-08-25 14:19 . 2007-12-10 04:29 4022 ----a-w- c:\users\Chris\AppData\Roaming\wklnhst.dat
2010-08-17 02:27 . 2010-08-17 02:27 388096 ----a-r- c:\users\Chris\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-08-15 15:48 . 2010-08-15 15:47 699904 ----a-w- c:\users\Chris\AppData\Roaming\Swhst\swhst.exe
2010-08-10 02:12 . 2010-08-10 02:12 35 ----a-w- c:\users\Chris\AppData\Roaming\SetValue.bat
2010-08-10 02:12 . 2010-08-10 02:12 35 ----a-w- c:\users\Chris\AppData\Roaming\SetValue.bat
2010-08-10 02:12 . 2010-08-10 02:12 691 ----a-w- c:\users\Chris\AppData\Roaming\GetValue.vbs
2010-08-03 22:50 . 2008-02-10 09:13 -------- d-----w- c:\users\Chris\AppData\Roaming\FUJIFILM
2010-08-03 19:01 . 2007-12-14 06:13 -------- d-----w- c:\program files\Lx_cats
2010-08-03 02:26 . 2009-09-21 22:32 256 ----a-w- c:\windows\system32\pool.bin
2010-07-07 23:05 . 2010-07-04 05:51 -------- d-----w- c:\users\Chris\AppData\Roaming\Sysinternals Antivirus
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\AutorunsDisabled\MRI_DISABLED
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2008-2-10 303104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 05:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 22:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray.exe]
2008-01-19 07:33 125952 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]
2007-05-04 06:40 312240 ----a-w- c:\program files\Lexmark Fax Solutions\fm3032.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2008-01-03 01:06 166424 ----a-w- c:\windows\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2008-01-03 01:07 141848 ----a-w- c:\windows\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 11:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-09-09 04:09 305440 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
2007-07-04 00:40 40072 ----a-w- c:\windows\SMINST\Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddamon]
2007-03-05 07:40 20480 ----a-w- c:\program files\Lexmark 2500 Series\lxddamon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxddmon.exe]
2007-05-04 06:38 291760 ----a-w- c:\program files\Lexmark 2500 Series\lxddmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MRT]
2009-02-03 22:21 21244864 ----a-w- c:\windows\System32\mrt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-01-03 01:07 133656 ----a-w- c:\windows\System32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 08:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-03-06 23:19 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-04-23 22:51 4435968 ----a-w- c:\windows\RtHDVCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBC_McciTrayApp]
2007-02-28 19:35 1011200 ----a-w- c:\program files\SBC\update\SST.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sidebar]
2008-01-19 07:33 1233920 ----a-w- c:\program files\Windows Sidebar\sidebar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spare Backup]
2007-07-13 04:27 5252936 ----a-w- c:\program files\Spare Backup\SpareBackup.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3352549485-4007945283-2351025167-1000]
"EnableNotificationsRef"=dword:00000001

R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\DRIVERS\NETw2v32.sys [2006-11-02 2589184]
R4 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]
R4 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe [2007-04-26 537520]
R4 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [x]
R4 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [x]
R4 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [x]
S1 aswSP;aswSP; [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-06-28 50256]
S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxddserv.exe [2007-04-26 99248]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2010-07-06 173352]
S2 uvnc_service;uvnc_service;c:\program files\UltraVNC\WinVNC.exe [2009-12-07 1590216]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 mv2;mv2;c:\windows\system32\DRIVERS\mv2.sys [2010-08-25 12096]

.
Contents of the 'Scheduled Tasks' folder

2008-07-27 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
FF - ProfilePath - c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\l8k0id2p.default\
FF - component: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\l8k0id2p.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\components\qscanff.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\Chris\AppData\Roaming\Mozilla\Firefox\Profiles\l8k0id2p.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\users\Chris\Desktop\MRI5_5_0\MRI5_5_0\Malware\Utilities\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-29 21:43
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\spool\DRIVERS\W32X86\3\lxddserv.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\ssText3d.scr
.
**************************************************************************
.
Completion time: 2010-08-29 21:48:32 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-30 04:48
ComboFix2.txt 2010-08-14 14:56
ComboFix3.txt 2010-08-10 02:22

Pre-Run: 236,663,062,528 bytes free
Post-Run: 236,383,076,352 bytes free

- - End Of File - - 41CAF884B90311C690E3BEFA099F905F



ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d3f344608f45944d9b2e88f2bc227538
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-25 05:47:27
# local_time=2010-08-24 10:47:27 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776637 100 100 39337640 119319748 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=119935
# found=0
# cleaned=0
# scan_time=3028
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d3f344608f45944d9b2e88f2bc227538
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-27 05:54:23
# local_time=2010-08-26 10:54:23 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776637 100 100 39510847 119492955 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=119919
# found=0
# cleaned=0
# scan_time=3037
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=d3f344608f45944d9b2e88f2bc227538
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-30 06:01:54
# local_time=2010-08-29 11:01:54 (-0800, Pacific Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6001 NT Service Pack 1
# compatibility_mode=512 16777215 100 0 210683 210683 0 0
# compatibility_mode=768 16777215 100 0 114053 114053 0 0
# compatibility_mode=5892 16776637 100 100 40982 119751869 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=121382
# found=0
# cleaned=0
# scan_time=3774
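Added example (not from either poster): the Supplementary Scan section of the ComboFix log above records the per-user values `Internet Settings,ProxyServer = http=localhost:7171` and `ProxyOverride = *.local;<local>`. Windows stores ProxyServer either as `host:port` for all protocols or as a `;`-separated list of `protocol=host:port` pairs, and ProxyOverride as a `;`-separated bypass list. The Python below parses both forms and flags any proxy that points at the loopback address, because a browser proxy on localhost means some local process is sitting in the traffic path and should be identified (which process owns the listening port) before the setting is cleared. The logged values are taken from the log above; the corporate-style and IPv6 values are constructed, and the function names are this example's own.

```python
"""Parse the WinINET proxy settings as they appear in a DDS/ComboFix log
(ProxyServer / ProxyOverride) and flag proxies on the loopback address.
Added example for this thread, not a tool used in it."""
import ipaddress

LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Values exactly as recorded in the ComboFix log above.
LOGGED_PROXY_SERVER = "http=localhost:7171"
LOGGED_PROXY_OVERRIDE = "*.local;<local>"


def parse_proxy_server(value):
    """ProxyServer is either 'host:port' (all protocols) or a ';'-separated list of
    'protocol=host:port' pairs. Returns {protocol: (host, port)}, '*' meaning all."""
    proxies = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        proto, sep, endpoint = part.partition("=")
        if not sep:                      # bare host:port applies to every protocol
            proto, endpoint = "*", proto
        endpoint = endpoint.strip()
        if "://" in endpoint:            # tolerate a scheme pasted into the field
            endpoint = endpoint.split("://", 1)[1]
        host, sep, port = endpoint.rpartition(":")
        if not sep:                      # no port given
            host, port = endpoint, ""
        port_num = int(port) if port.isdigit() else None
        proxies[proto.strip().lower()] = (host.strip("[]"), port_num)
    return proxies


def parse_proxy_override(value):
    """ProxyOverride is a ';'-separated bypass list; '<local>' means plain hostnames."""
    return [p.strip() for p in value.split(";") if p.strip()]


def is_loopback(host):
    """True for localhost names and any IPv4/IPv6 loopback literal."""
    host = host.lower()
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:                   # a hostname, not an address literal
        return False


def assess_proxy(proxy_server, proxy_override=""):
    """Return the parsed settings plus a list of findings worth chasing on the host."""
    proxies = parse_proxy_server(proxy_server)
    findings = []
    for proto, (host, port) in proxies.items():
        if is_loopback(host):
            findings.append(
                f'{proto} traffic is routed through a local listener on {host}:{port}; '
                f'identify the owning process (netstat -ano, then tasklist /FI "PID eq <pid>") '
                f'before clearing the setting'
            )
    return {"proxies": proxies, "bypass": parse_proxy_override(proxy_override), "findings": findings}


if __name__ == "__main__":
    report = assess_proxy(LOGGED_PROXY_SERVER, LOGGED_PROXY_OVERRIDE)
    print(report["proxies"], report["bypass"])
    for finding in report["findings"]:
        print("!", finding)
    # Constructed corporate-style value for contrast: parses, but raises no finding.
    print(assess_proxy("proxy.corp.example:8080")["findings"])
```

The check only reads what the log already shows; it does not decide whether the listener is a legitimate local filter (several of the security products installed on this machine run one) or something hostile. That question is answered on the machine by matching the port to a process.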
 
Please ask your friend not to download or run any cleaning scans except as I direct. Although it was stated in my first post not to run any other cleaning programs or scans while cleaning, I now see the following from 8/28:
c:\users\Chris\AppData\Roaming\Webroot>>>> Webroot what?
c:\program files\Windows Installer Clean Up
c:\program files\MSECACHE


Every time these scans are done, data is collected or removed and the contents of the system change. That means some of what I previously noted is either gone or changed, and some has been added; this takes my control of the system away. While I'm cleaning out the front door, entries are being added or removed out the back door by the user. And I only note Windows Defender disabled in the ComboFix header, but I see numerous entries for PC Tools.

PC Tools uses ThreatFire for AV. I see drivers/services now indicating PC Tools, Ad-Aware and ThreatFire are no longer used, but Avast is supposed to be the AV.

Is your friend aware of the type of infection found in Mbam?
But: "plus MABM did pick up an infection in a quick scan."
backdoor.poisonivy
This Trojan program provides a remote malicious user with full access to the victim machine. The Trojan itself is a Windows PE EXE file, 9216 bytes in size.
Once launched, the backdoor copies itself to the Windows root directory as "wab32.exe"
The backdoor itself is the encrypted server component of Poison Ivy, a common remote administration utility.

This program is dropped to the victim machine by Trojan-Dropper.Ichitaro.Tarodrop.a, which penetrates the victim machine via a vulnerability in Ichitaro Office Suite.

It's probably very frustrating for you doing the remote help. But imagine that I am being presented with new contents to deal with every time a log is posted. My recommendation for what you should consider now is:
1. Make sure one antivirus is installed, running and updating.
2. Make sure one firewall is installed and configured.
3. Remove any programs that are in excess of one each of the above.
4. Change all passwords and monitor any online financial transactions.
5. Remove all of the tools we used and the files and folders they created.
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    [Image: CF_Uninstall-1.jpg]
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
  • Choose Disk Cleanup.
  • Click "OK" to select the partition or drive you want.
  • Click the "More Options" tab.
  • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


Empty the Recycle Bin
====================
Once this has been done, give your friend the following options:
1. Reformat/reinstall the operating system
>OR<
2. Start the cleaning over: run the preliminary programs, paste in the logs, and wait for the recommendation of the helper before going further.
Once a cleaning has begun, stress to the user that no other cleaning programs or scans should be done unless the helper directs it.
 