Solved Need help removing Rootkit.tdss from XP workstation


BlckBerry

Hello,

I've been trying to find a way to get rid of the TDSS.Rootkit that is on one of my company's workstations and have come here for good help. I've run multiple instances of the 8-step (now 6) process and here are my latest results.
 
Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5287

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/10/2010 11:02:28 AM
mbam-log-2010-12-10 (11-02-28).txt

Scan type: Quick scan
Objects scanned: 247906
Time elapsed: 16 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\RECYCLER\s-1-5-21-515967899-682003330-937999820-4928\Dc248.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
c:\RECYCLER\s-1-5-21-515967899-682003330-937999820-4928\Dc249.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
 
MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0004000d

Kernel Drivers (total 131):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806CE000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA5AC000 intelide.sys
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AE000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA338000 pxscan.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltMgr.sys
0xB9ED7000 PQV2i.sys
0xB9EC0000 KSecDD.sys
0xB9E33000 Ntfs.sys
0xB9E06000 NDIS.sys
0xB9DEB000 Mup.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9CDD000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xB9CC9000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB9C9B000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA3C0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB9C78000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3C8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB9BE2000 \SystemRoot\system32\drivers\smwdm.sys
0xB9BBE000 \SystemRoot\system32\drivers\portcls.sys
0xBA2C8000 \SystemRoot\system32\drivers\drmk.sys
0xB9B9B000 \SystemRoot\system32\drivers\ks.sys
0xBA5B8000 \SystemRoot\system32\drivers\aeaudio.sys
0xBA3D0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB9B87000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA570000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xBA574000 \SystemRoot\System32\Drivers\GearAspiWDM.SYS
0xBA6CE000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA308000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA57C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9B70000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA318000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA108000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9B5F000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA118000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9B2E000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA128000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB9AE8000 \SystemRoot\system32\DRIVERS\teefer2.sys
0xBA5BA000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB9A8F000 \SystemRoot\system32\DRIVERS\update.sys
0xBA59C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA148000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA188000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5BC000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA400000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xBA5BE000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xA98B4000 \SystemRoot\System32\drivers\pxrts.sys
0xBA5C0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA768000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5C2000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA410000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA418000 \SystemRoot\System32\drivers\vga.sys
0xBA5C4000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5C6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA420000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA428000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA564000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xA9859000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xA9801000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xA97D4000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0xA97AF000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xBA1F8000 \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
0xA9787000 \SystemRoot\system32\DRIVERS\netbt.sys
0xA9765000 \SystemRoot\System32\drivers\afd.sys
0xBA208000 \SystemRoot\system32\DRIVERS\netbios.sys
0xBA218000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0xA96FB000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0xBA228000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB9B2A000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA258000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB9B26000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB9B22000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA438000 \SystemRoot\System32\drivers\pxkbf.sys
0xA96D0000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xA9955000 \SystemRoot\System32\Drivers\PQIMount.SYS
0xA9611000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA9935000 \SystemRoot\System32\Drivers\Fips.SYS
0xA95B3000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0xA9596000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xBA1C8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA957E000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5C8000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xBA55C000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA450000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA7D9000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03E000 \SystemRoot\System32\ialmdev5.DLL
0xBF064000 \SystemRoot\System32\ialmdd5.DLL
0xA9466000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA9196000 \??\C:\WINDOWS\system32\drivers\WpsHelper.sys
0xA9052000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xA9017000 \SystemRoot\System32\Drivers\SENTINEL.SYS
0xBA470000 \??\C:\WINDOWS\system32\drivers\InAspi32.sys
0xA8ED0000 \SystemRoot\system32\DRIVERS\srv.sys
0xA8E96000 \SystemRoot\SYSTEM32\DRIVERS\WibuKey.sys
0xA8D69000 \SystemRoot\system32\drivers\wdmaud.sys
0xA8E86000 \SystemRoot\system32\drivers\sysaudio.sys
0xA88EA000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA368000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0xA8558000 \SystemRoot\System32\Drivers\SRTSP.SYS
0xA840D000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101209.048\NAVEX15.SYS
0xA83F9000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101209.048\NAVENG.SYS
0xA8213000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 30):
0 System Idle Process
4 System
960 C:\WINDOWS\system32\smss.exe
1060 csrss.exe
1084 C:\WINDOWS\system32\winlogon.exe
1128 C:\WINDOWS\system32\services.exe
1140 C:\WINDOWS\system32\lsass.exe
1292 C:\WINDOWS\system32\svchost.exe
1388 svchost.exe
1428 C:\WINDOWS\system32\svchost.exe
1548 C:\Program Files\Symantec AntiVirus\Smc.exe
1620 svchost.exe
1652 svchost.exe
1760 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
1984 C:\WINDOWS\system32\spoolsv.exe
168 svchost.exe
324 C:\WINDOWS\system32\gearsec.exe
368 C:\Program Files\Java\jre6\bin\jqs.exe
492 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
480 C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
456 C:\WINDOWS\explorer.exe
2112 C:\Program Files\Symantec AntiVirus\SmcGui.exe
2208 C:\WINDOWS\system32\hkcmd.exe
2216 C:\Program Files\Java\jre6\bin\jusched.exe
2232 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
2252 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
2276 C:\WINDOWS\system32\ctfmon.exe
2772 C:\Program Files\Internet Explorer\iexplore.exe
2528 C:\Documents and Settings\anthony.berry.SMI\Desktop\MBRCheck.exe
516 SescLU.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD400BD-75LRA0, Rev: 09.01D09

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-05.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume2
Install Date: 8/10/2005 12:49:58 PM
System Uptime: 12/10/2010 1:09:54 PM (0 hours ago)

Motherboard: Dell Inc. | | 0C7195
Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 37 GiB total, 23.648 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

No restore point in system.

==== Installed Programs ======================

Adobe Acrobat 9 Standard - English, Français, Deutsch
Adobe Acrobat 9.4.1 - CPSID_83708
Adobe Flash Player ActiveX
Ascent Advanced Forms Custom Module V3.7 SR01
Ascent Advanced Forms V3.7 SR01
Ascent Advanced Forms Validation Custom Module V3.7 SR01
Ascent Advanced Forms Validation V3.7 SR01
Ascent Capture 7.0 - Workstation
Broadcom Advanced Control Suite 2
Drive Image 7.0
Hitman Pro 3.5
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Imaging for Windows® Professional Edition 2.5
Intel(R) Graphics Media Accelerator Driver
Java 2 Runtime Environment, SE v1.4.2_03
Java(TM) 6 Update 17
Kofax TWAIN Data Source
Kofax VirtualReScan 4.0
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
MSVCRT
RFClient
RFClient8.01
RUMBA 2000
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958470)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981350)
Security Update for Windows XP (KB982381)
Segoe UI
Sentinel System Driver 5.41.1 (32-bit)
SpywareBlaster 4.4
Symantec Endpoint Protection
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VBA (2627.01)
WebFldrs XP
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Live Upload Tool
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB888310
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086

==== Event Viewer Messages From Past Week ========

12/9/2010 9:06:00 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips IntelIde intelppm IPSec MRxSmb NetBIOS NetBT PQIMount RasAcd Rdbss SPBBCDrv SRTSPX SYMTDI Tcpip WPS
12/9/2010 9:06:00 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
12/9/2010 9:06:00 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/9/2010 9:06:00 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
12/9/2010 9:06:00 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
12/8/2010 12:43:18 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2696.
12/7/2010 1:43:13 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
12/6/2010 7:58:58 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
12/6/2010 7:57:27 AM, error: NETLOGON [5719] - No Domain Controller is available for domain SMI due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
12/6/2010 10:52:46 AM, error: Print [22] - Failed to ugrade printer settings for printer Adobe PDF,0 driver Adobe PDF Converter error 1801.
12/6/2010 10:52:46 AM, error: Print [22] - Failed to ugrade printer settings for printer \\NCSDU7NG6481\Adobe PDF,0,LocalOnly driver C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\PS5UI.DLL error 1801.
12/6/2010 10:42:44 AM, error: DCOM [10001] - Unable to start a DCOM Server: {73AA8F59-DBC4-11D0-AF5C-00A02448799A} as /. The error: "%2" Happened while starting this command: C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\MSE.EXE -JITDebug -Embedding
12/6/2010 10:34:30 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
12/3/2010 3:55:16 PM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
12/3/2010 3:54:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
12/3/2010 3:53:56 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
12/3/2010 2:54:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
12/3/2010 2:44:15 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
12/3/2010 2:30:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
12/10/2010 9:37:54 AM, error: Service Control Manager [7024] - The Hitman Pro 3.5 Crusader (Boot) service terminated with service-specific error 0 (0x0).
12/10/2010 9:08:07 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT PQIMount pxrts RasAcd Rdbss SPBBCDrv SRTSPX SYMTDI Tcpip WPS
12/10/2010 12:30:27 PM, error: DCOM [10000] - Unable to start a DCOM Server: {7E477741-01A6-4C06-9DAC-55F6174C08A3}. The error: "%6" Happened while starting this command: "C:\Program Files\Symantec AntiVirus\SescLU.exe" -Embedding
12/10/2010 11:06:46 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
12/10/2010 11:05:38 AM, error: Service Control Manager [7016] - The GEARSecurity service has reported an invalid current state 0.
12/10/2010 10:23:12 AM, error: Service Control Manager [7034] - The V2i Protector service terminated unexpectedly. It has done this 1 time(s).
12/10/2010 10:23:12 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
12/10/2010 10:23:12 AM, error: Service Control Manager [7034] - The GEARSecurity service terminated unexpectedly. It has done this 1 time(s).
12/10/2010 10:23:12 AM, error: Service Control Manager [7031] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
12/10/2010 10:23:12 AM, error: Service Control Manager [7031] - The Symantec Management Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
12/10/2010 10:23:12 AM, error: Service Control Manager [7031] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 200 milliseconds: Restart the service.
12/10/2010 10:23:12 AM, error: Service Control Manager [7031] - The Symantec Endpoint Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

==== End Of File ===========================

DDS (Ver_10-12-05.01) - NTFSx86
Run by anthony.berry at 13:31:27.63 on Fri 12/10/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2603 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\MDM.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\anthony.berry.SMI\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://insidesmi/
uDefault_Page_URL = hxxp://www.dell.com
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - \\ncsduvg056\smiapps\prod\smilaunch\SMILaunch.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {FAB8539F-27EC-423B-9D13-A76691C35E20} = 192.168.2.42,10.0.5.3
Notify: igfxcui - igfxsrvc.dll

============= SERVICES / DRIVERS ===============

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2003-6-3 123957]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2003-6-3 46900]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-9-29 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-9-29 108392]
R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [2006-3-7 8704]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-9-29 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-3 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101209.048\NAVENG.SYS [2010-12-10 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101209.048\NAVEX15.SYS [2010-12-10 1360248]
S3 COAX;COAX;c:\windows\system32\drivers\COAX.SYS [2005-8-10 26528]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-9-29 23888]
S3 RMBS;RMBS;c:\windows\system32\drivers\RMBS.SYS [2005-8-10 18208]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\clt-inst\vpremote.exe [2010-6-11 142192]

=============== Created Last 30 ================

2010-12-10 14:39:51 134464 ----a-w- c:\windows\system32\LnkProtect.dll
2010-12-10 14:29:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-10 14:29:22 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-10 14:28:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-12-09 14:11:06 -------- d-s---w- c:\documents and settings\anthony.berry.smi\UserData
2010-12-07 13:18:16 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
2010-12-07 13:17:38 417792 ------w- c:\windows\system32\dllcache\vbscript.dll
2010-12-06 20:27:11 -------- d-----w- c:\program files\SpywareBlaster
2010-12-06 20:18:11 -------- d-----w- c:\docume~1\anthon~1.smi\applic~1\Malwarebytes
2010-12-03 19:11:13 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-12-03 19:03:20 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-12-03 18:56:36 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-12-03 18:56:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-03 16:21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-03 16:21:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-12-03 16:20:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-03 16:20:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================


=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BD-75LRA0 rev.09.01D09 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A4F5555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4fb7b0]; MOV EAX, [0x8a4fb82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x8A4E1AB8]
3 CLASSPNP[0xBA0E905B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x8A4A66B8]
\Driver\atapi[0x8A4D2D30] -> IRP_MJ_CREATE -> 0x8A4F5555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD400BD-75LRA0______________________09.01D09#5&2a36c317&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4F539B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 13:31:59.18 ===============

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2010-12-10 13:30:18
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD400BD-75LRA0 rev.09.01D09
Running: thekbmwt.exe; Driver: C:\DOCUME~1\ANTHON~1.SMI\LOCALS~1\Temp\pwlyqpow.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A4F539B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A4F539B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A4F539B
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD400BD-75LRA0______________________09.01D09#5&2a36c317&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----
 
Welcome to TechSpot! I'll help with the malware. I will request that you run only the programs I instruct you to. You didn't find the MBR program in our 'now 6, used to be 8 steps'!

Before starting, I'd like for you to remove this:
[HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
Take it off of Startup, uninstall the program. It is a bundle of programs that are free on the internet, most being used without the authors' permissions. There is a short trial period and then you are expected to pay to have an entry removed.
============================================
And we will remove the Recycler entries. The Recycler folder is where the Recycle Bin sends deleted files. It is a hidden system file and the contents have to be removed in a special way:

Empty the Recycle Bin. This has to be done first. If there is anything in it, you can't empty the Recycler.
You will need to display hidden files and folders: Using Windows Explorer: Windows key + E
  • Click on Tools> Folder Options> View tab>
  • Check 'show hidden files and folders'>
  • Uncheck 'hide operating system files (Recommended)'>
  • Click on My Computer> Local Drive> Double click Recycler
  • Look for these contents on the right screen: the numerical string is the identification number for the account with these files:
    s-1-5-21-515967899-682003330-937999820-4928\Dc248.tmp (Rootkit.TDSS.Gen)
    s-1-5-21-515967899-682003330-937999820-4928\Dc249.tmp (Rootkit.TDSS.Gen)
  • Do a right click> Delete on each entry
  • Click on Apply> OK when finished.
Now go back and rehide the files and folders, Close Windows Explorer.
=======================================================
You have a rootkit malware infection. This type of program requires specific programs to find and remove the rootkit- so we'll begin with this:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
Please leave the log in your next reply.
=====================================
Please follow with
Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Important!
Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

I will finish checking these logs while you run those programs.
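The TDSSKiller run requested above produces a long log in which the driver inventory, the detection line, the "copied to quarantine" lines and the user's chosen action are all interleaved. Below is an added triage script, not code from this thread or from Kaspersky, that splits such a log into those parts and checks two things a helper reading it would want to know: whether every detected object actually received a resolving action (Quarantine, Cure or Delete rather than the default Skip), and whether the "Detected object count" line agrees with the detection lines. The line patterns are modelled on the log format posted in this thread; the `Summary` class, the helper names and the trimmed sample logs are my own constructions.

```python
"""Triage a TDSSKiller log: separate the driver inventory from detections and
check that every detected object actually received a cleanup action.
Added example; the helper names, the Summary class and the sample logs are
constructed here, modelled on the log format posted in this thread."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every TDSSKiller line starts with "YYYY/MM/DD HH:MM:SS.mmmm " (as in the thread's log).
_TS = r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4} "
DRIVER_RE = re.compile(_TS + r"(\S+) \(([0-9a-f]{32})\) (.+)$")          # name (md5) path
DETECT_RE = re.compile(_TS + r"(\S+) - detected (\S+) \((\d+)\)$")        # object - detected verdict (n)
QUAR_RE = re.compile(_TS + r"(\S+) - copied to quarantine$")
ACTION_RE = re.compile(_TS + r"(\S+?)\((\S+)\) - User select action: (\w+)$")
COUNT_RE = re.compile(_TS + r"Detected object count: (\d+)$")

# Actions that actually neutralise an object. "Skip" (the default for suspicious
# objects) leaves it in place, which is why the thread asks for Quarantine.
RESOLVING_ACTIONS = {"Quarantine", "Cure", "Delete"}


@dataclass
class Summary:
    drivers: Dict[str, Tuple[str, str]] = field(default_factory=dict)   # name -> (md5, path)
    detections: List[Tuple[str, str]] = field(default_factory=list)     # (object, verdict)
    quarantined: List[str] = field(default_factory=list)
    actions: Dict[str, str] = field(default_factory=dict)               # object -> action
    declared_count: Optional[int] = None


def parse_tdsskiller_log(text: str) -> Summary:
    """Classify each log line; unknown lines (SystemInfo, separators) are ignored."""
    s = Summary()
    for line in text.strip().splitlines():
        line = line.rstrip()
        if m := DETECT_RE.match(line):
            s.detections.append((m.group(1), m.group(2)))
        elif m := QUAR_RE.match(line):
            s.quarantined.append(m.group(1))
        elif m := ACTION_RE.match(line):
            s.actions[m.group(2)] = m.group(3)
        elif m := COUNT_RE.match(line):
            s.declared_count = int(m.group(1))
        elif m := DRIVER_RE.match(line):
            s.drivers[m.group(1)] = (m.group(2), m.group(3))
    return s


def unresolved_detections(s: Summary) -> List[str]:
    """Objects reported as detected that were skipped or never acted on."""
    return [obj for obj, _ in s.detections
            if s.actions.get(obj) not in RESOLVING_ACTIONS]


def count_mismatch(s: Summary) -> bool:
    """True if the 'Detected object count' line disagrees with the detection lines."""
    return s.declared_count is not None and s.declared_count != len(s.detections)


# Constructed excerpt: lines taken from the log in this thread, driver list trimmed.
SAMPLE_LOG = r"""
2010/12/13 08:54:49.0171 Scan started
2010/12/13 08:54:53.0453 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/13 08:55:05.0125 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/13 08:55:16.0843 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/13 08:55:17.0062 Scan finished
2010/12/13 08:55:17.0078 Detected object count: 1
2010/12/13 08:55:24.0062 \HardDisk0 - copied to quarantine
2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\mbr - copied to quarantine
2010/12/13 08:55:24.0140 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine
"""

# Constructed variant: the same detection, but the user left the default "Skip".
SKIPPED_LOG = r"""
2010/12/13 08:55:16.0843 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/13 08:55:17.0078 Detected object count: 1
2010/12/13 08:55:24.0140 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Skip
"""

if __name__ == "__main__":
    for label, text in (("quarantined run", SAMPLE_LOG), ("skipped run", SKIPPED_LOG)):
        s = parse_tdsskiller_log(text)
        print(f"{label}: {len(s.drivers)} drivers inventoried, "
              f"{len(s.detections)} detection(s), {len(s.quarantined)} item(s) quarantined")
        print("  unresolved:", unresolved_detections(s) or "none")
        print("  count mismatch:", count_mismatch(s))
```

Run it against a full log by passing the file's contents to `parse_tdsskiller_log`; a non-empty `unresolved_detections` result is exactly the situation in this thread, where TDSSKiller kept finding the rootkit because no resolving action had been chosen.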
 
Okay, I will follow your steps, but PC is at work for now. I will definitely post logs on Monday morning.

PS. I do have TDSSKiller already installed and it continues to find the rootkit. Though I did not try the 'quarantine' you're suggesting.
 
PS. I do have TDSSKiller already installed and it continues to find the rootkit. Though I did not try the 'quarantine' you're suggesting.

Run the scan again and follow the directions for quarantine.
 
2010/12/13 08:54:44.0031 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/13 08:54:44.0031 ================================================================================
2010/12/13 08:54:44.0031 SystemInfo:
2010/12/13 08:54:44.0031
2010/12/13 08:54:44.0031 OS Version: 5.1.2600 ServicePack: 2.0
2010/12/13 08:54:44.0031 Product type: Workstation
2010/12/13 08:54:44.0031 ComputerName: NCSDU7NG6481
2010/12/13 08:54:44.0031 UserName: smiadmin
2010/12/13 08:54:44.0031 Windows directory: C:\WINDOWS
2010/12/13 08:54:44.0031 System windows directory: C:\WINDOWS
2010/12/13 08:54:44.0031 Processor architecture: Intel x86
2010/12/13 08:54:44.0031 Number of processors: 1
2010/12/13 08:54:44.0031 Page size: 0x1000
2010/12/13 08:54:44.0031 Boot type: Normal boot
2010/12/13 08:54:44.0031 ================================================================================
2010/12/13 08:54:44.0171 Initialize success
2010/12/13 08:54:49.0171 ================================================================================
2010/12/13 08:54:49.0171 Scan started
2010/12/13 08:54:49.0171 Mode: Manual;
2010/12/13 08:54:49.0171 ================================================================================
2010/12/13 08:54:50.0171 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2010/12/13 08:54:50.0343 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/13 08:54:50.0531 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/13 08:54:50.0625 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/12/13 08:54:50.0734 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/12/13 08:54:50.0953 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/12/13 08:54:51.0078 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
2010/12/13 08:54:51.0203 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/12/13 08:54:51.0296 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2010/12/13 08:54:51.0421 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2010/12/13 08:54:51.0578 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/12/13 08:54:51.0671 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/12/13 08:54:51.0828 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2010/12/13 08:54:52.0125 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2010/12/13 08:54:52.0609 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2010/12/13 08:54:52.0765 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2010/12/13 08:54:52.0937 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2010/12/13 08:54:53.0015 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2010/12/13 08:54:53.0156 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2010/12/13 08:54:53.0312 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/13 08:54:53.0453 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/13 08:54:53.0703 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/13 08:54:53.0812 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/13 08:54:53.0906 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/12/13 08:54:54.0000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/13 08:54:54.0125 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2010/12/13 08:54:54.0234 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/13 08:54:54.0375 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2010/12/13 08:54:54.0484 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/13 08:54:54.0625 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/13 08:54:54.0750 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/13 08:54:55.0000 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2010/12/13 08:54:55.0109 COAX (caa5c61a3443807ab8dc99e7d5d84961) C:\WINDOWS\system32\drivers\COAX.sys
2010/12/13 08:54:55.0265 COH_Mon (c586875ece5318c6309ed1ab79d0e55f) C:\WINDOWS\system32\Drivers\COH_Mon.sys
2010/12/13 08:54:55.0406 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2010/12/13 08:54:55.0546 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2010/12/13 08:54:55.0687 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2010/12/13 08:54:55.0812 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/13 08:54:56.0000 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/13 08:54:56.0187 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/13 08:54:56.0218 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/13 08:54:56.0406 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/13 08:54:56.0578 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/12/13 08:54:56.0625 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/13 08:54:56.0796 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/12/13 08:54:56.0953 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
2010/12/13 08:54:57.0015 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
2010/12/13 08:54:57.0203 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/13 08:54:57.0359 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/13 08:54:57.0484 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/13 08:54:57.0578 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/13 08:54:57.0703 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/12/13 08:54:57.0843 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/13 08:54:57.0984 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/13 08:54:58.0156 GearAspiWDM (c33f253f50dec8c8119f67bcde831f13) C:\WINDOWS\system32\drivers\GearAspiWDM.sys
2010/12/13 08:54:58.0281 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/13 08:54:58.0421 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/13 08:54:58.0546 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2010/12/13 08:54:58.0687 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/13 08:54:58.0875 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
2010/12/13 08:54:58.0921 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2010/12/13 08:54:59.0093 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/13 08:54:59.0203 ialm (0acebb31989cbf9a5663fe4a33d28d21) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/12/13 08:54:59.0359 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/13 08:54:59.0484 InAspi32 (35738fd20716cfcc5cb104f76ee48e80) C:\WINDOWS\system32\drivers\InAspi32.sys
2010/12/13 08:54:59.0593 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2010/12/13 08:54:59.0687 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/13 08:54:59.0812 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/13 08:54:59.0968 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/12/13 08:55:00.0093 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/13 08:55:00.0234 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/13 08:55:00.0328 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/13 08:55:00.0500 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/13 08:55:00.0546 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/13 08:55:00.0718 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/13 08:55:00.0906 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/13 08:55:01.0015 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/13 08:55:01.0156 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/13 08:55:01.0343 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/13 08:55:01.0609 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/12/13 08:55:01.0781 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/12/13 08:55:01.0890 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/12/13 08:55:02.0031 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/12/13 08:55:02.0203 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/12/13 08:55:02.0375 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2010/12/13 08:55:02.0468 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/12/13 08:55:02.0671 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/12/13 08:55:02.0875 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/12/13 08:55:02.0953 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/12/13 08:55:03.0125 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/12/13 08:55:03.0218 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/12/13 08:55:03.0343 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/12/13 08:55:03.0500 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/12/13 08:55:03.0718 NAVENG (01543b4f5b6fdac6761910ce44aff3f8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101209.048\NAVENG.SYS
2010/12/13 08:55:03.0953 NAVEX15 (38814ee261cfc76ded4b5647fc082826) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101209.048\NAVEX15.SYS
2010/12/13 08:55:04.0140 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/12/13 08:55:04.0171 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/12/13 08:55:04.0343 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/12/13 08:55:04.0484 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/12/13 08:55:04.0562 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/12/13 08:55:04.0703 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/12/13 08:55:04.0828 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/12/13 08:55:05.0000 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/12/13 08:55:05.0125 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/12/13 08:55:05.0359 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/12/13 08:55:05.0468 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/12/13 08:55:05.0671 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/12/13 08:55:05.0718 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/12/13 08:55:05.0781 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/12/13 08:55:05.0921 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/12/13 08:55:06.0046 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/12/13 08:55:06.0218 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/12/13 08:55:06.0421 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/12/13 08:55:06.0500 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/12/13 08:55:06.0718 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2010/12/13 08:55:06.0875 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2010/12/13 08:55:07.0062 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/12/13 08:55:07.0187 PQIMount (2c4c21f42a50bec51c50e1674e590a57) C:\WINDOWS\system32\drivers\PQIMount.sys
2010/12/13 08:55:07.0312 PQV2i (6a566d0f05a23bc9491b3440945c50a2) C:\WINDOWS\system32\drivers\PQV2i.sys
2010/12/13 08:55:07.0468 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/12/13 08:55:07.0593 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/12/13 08:55:07.0703 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2010/12/13 08:55:07.0812 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2010/12/13 08:55:07.0937 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2010/12/13 08:55:08.0093 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2010/12/13 08:55:08.0187 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2010/12/13 08:55:08.0359 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/12/13 08:55:08.0531 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/12/13 08:55:08.0578 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/12/13 08:55:08.0703 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/12/13 08:55:08.0828 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/12/13 08:55:08.0906 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/12/13 08:55:09.0062 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/12/13 08:55:09.0234 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/12/13 08:55:09.0375 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/12/13 08:55:09.0515 RMBS (4fae1f8b3046be33f217b9fd73f5c1d4) C:\WINDOWS\system32\drivers\RMBS.sys
2010/12/13 08:55:09.0640 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/12/13 08:55:09.0796 Sentinel (aebba7428a6c40cce3c5abde45190b24) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
2010/12/13 08:55:09.0984 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/12/13 08:55:10.0078 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/12/13 08:55:10.0203 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/12/13 08:55:10.0406 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2010/12/13 08:55:10.0593 smwdm (4aa922332433cdeb8b82c072c212e32e) C:\WINDOWS\system32\drivers\smwdm.sys
2010/12/13 08:55:10.0781 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2010/12/13 08:55:10.0984 SPBBCDrv (e621bb5839cf45fa477f48092edd2b40) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2010/12/13 08:55:11.0140 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2010/12/13 08:55:11.0218 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/12/13 08:55:11.0406 SRTSP (2abf82c8452ab0b9ffc74a2d5da91989) C:\WINDOWS\system32\Drivers\SRTSP.SYS
2010/12/13 08:55:11.0546 SRTSPL (e2f9e5887bea5bd8784d337e06eda31b) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
2010/12/13 08:55:11.0687 SRTSPX (3b974c158fabd910186f98df8d3e23f3) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
2010/12/13 08:55:11.0859 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/12/13 08:55:12.0078 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/12/13 08:55:12.0109 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/12/13 08:55:12.0281 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/12/13 08:55:12.0437 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/12/13 08:55:12.0593 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
2010/12/13 08:55:12.0718 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2010/12/13 08:55:12.0906 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2010/12/13 08:55:13.0078 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/12/13 08:55:13.0125 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/12/13 08:55:13.0312 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/12/13 08:55:13.0421 SysPlant (1295b1da3e2a2c24c7d176f6e97afbd1) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys
2010/12/13 08:55:13.0578 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/13 08:55:13.0765 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/12/13 08:55:13.0812 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/12/13 08:55:13.0984 Teefer2 (1de2e1357552a79f39bff003a11c533e) C:\WINDOWS\system32\DRIVERS\teefer2.sys
2010/12/13 08:55:14.0140 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/12/13 08:55:14.0296 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2010/12/13 08:55:14.0453 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/12/13 08:55:14.0546 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2010/12/13 08:55:14.0671 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
2010/12/13 08:55:14.0906 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/12/13 08:55:15.0000 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/12/13 08:55:15.0171 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/12/13 08:55:15.0296 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/12/13 08:55:15.0437 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/12/13 08:55:15.0625 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/12/13 08:55:15.0734 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2010/12/13 08:55:15.0859 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/12/13 08:55:15.0984 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/12/13 08:55:16.0171 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/12/13 08:55:16.0328 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/12/13 08:55:16.0468 WIBUKEY (ee43e7ffccb27cb901b762f2020d9d5f) C:\WINDOWS\system32\DRIVERS\WibuKey.sys
2010/12/13 08:55:16.0640 WPS (c1620ebb375d3b02e31fd311c44fedeb) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
2010/12/13 08:55:16.0765 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys
2010/12/13 08:55:16.0843 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/13 08:55:17.0062 ================================================================================
2010/12/13 08:55:17.0062 Scan finished
2010/12/13 08:55:17.0062 ================================================================================
2010/12/13 08:55:17.0078 Detected object count: 1
2010/12/13 08:55:24.0062 \HardDisk0 - copied to quarantine
2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\mbr - copied to quarantine
2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\cmd.dll - copied to quarantine
2010/12/13 08:55:24.0125 \HardDisk0\TDLFS\ldr16 - copied to quarantine
2010/12/13 08:55:24.0125 \HardDisk0\TDLFS\ldr32 - copied to quarantine
2010/12/13 08:55:24.0125 \HardDisk0\TDLFS\ldr64 - copied to quarantine
2010/12/13 08:55:24.0125 \HardDisk0\TDLFS\cmd64.dll - copied to quarantine
2010/12/13 08:55:24.0140 \HardDisk0\TDLFS\keywords - copied to quarantine
2010/12/13 08:55:24.0140 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine
2010/12/13 08:55:45.0343 Deinitialize success


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
# OnlineScanner.ocx=1.0.0.6415
# api_version=3.0.2
# EOSSerial=8405d27316e0344ebadc142ee2b6eaee
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-12-13 02:30:52
# local_time=2010-12-13 09:30:52 (-0500, Eastern Standard Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=49587
# found=6
# cleaned=0
# scan_time=1091
C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll Win32/Kryptik.BAK.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\librvry.dll Win32/Kryptik.BAK.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0003.dta Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
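As an added example (not part of this thread and not Kaspersky's TDSSKiller code), here is a small Python triage script for the TDSSKiller log format posted above: it extracts the driver inventory, the detection line, the quarantined TDLFS entries and the chosen action, cross-checks the reported object count, and compares driver hashes against a baseline. The names SAMPLE_LOG, BASELINE, parse_tdsskiller and triage are my own, and the sample input and baseline are constructed from values in the log above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the TDSSKiller log format shown in the thread
# (lines copied from the posted log; this script is an added example).
SAMPLE_LOG = r"""
2010/12/13 08:55:13.0578 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/12/13 08:55:16.0765 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys
2010/12/13 08:55:16.0843 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/13 08:55:17.0062 ================================================================================
2010/12/13 08:55:17.0062 Scan finished
2010/12/13 08:55:17.0078 Detected object count: 1
2010/12/13 08:55:24.0062 \HardDisk0 - copied to quarantine
2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\mbr - copied to quarantine
2010/12/13 08:55:24.0140 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine
2010/12/13 08:55:45.0343 Deinitialize success
"""

# Constructed baseline: the Tcpip hash is taken from the thread's own log purely to
# demonstrate the comparison; a real baseline comes from a known-clean image of the same build.
BASELINE = {"Tcpip": "2a5554fc5b1e04e131230e3ce035c3f9"}

TS = r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4})"
DRIVER_RE = re.compile(TS + r" (\S+) \(([0-9a-f]{32})\) (.+)$")       # name (md5) path
DETECT_RE = re.compile(TS + r" (.+?) - detected (\S+) \(\d+\)$")       # object - detected verdict
QUAR_RE = re.compile(TS + r" (.+?) - copied to quarantine$")
COUNT_RE = re.compile(TS + r" Detected object count: (\d+)$")
ACTION_RE = re.compile(TS + r" (\S+)\((.+)\) - User select action: (\S+)$")


@dataclass
class Report:
    drivers: Dict[str, str] = field(default_factory=dict)           # service name -> md5
    detections: List[Tuple[str, str]] = field(default_factory=list)  # (object, verdict)
    quarantined: List[str] = field(default_factory=list)
    actions: Dict[str, str] = field(default_factory=dict)            # object -> action
    reported_count: Optional[int] = None


def parse_tdsskiller(text: str) -> Report:
    """Parse the line types that matter for triage; everything else is ignored."""
    r = Report()
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if (m := DETECT_RE.match(line)):
            r.detections.append((m.group(2), m.group(3)))
        elif (m := QUAR_RE.match(line)):
            r.quarantined.append(m.group(2))
        elif (m := COUNT_RE.match(line)):
            r.reported_count = int(m.group(2))
        elif (m := ACTION_RE.match(line)):
            r.actions[m.group(3)] = m.group(4)
        elif (m := DRIVER_RE.match(line)):
            r.drivers[m.group(2)] = m.group(3)
    return r


def triage(r: Report, baseline: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a defender reviewing the log."""
    findings = []
    if r.reported_count is not None and r.reported_count != len(r.detections):
        findings.append(f"count mismatch: log says {r.reported_count}, parsed {len(r.detections)}")
    for obj, verdict in r.detections:
        findings.append(f"{verdict} on {obj}: action={r.actions.get(obj, 'none')}")
        if obj.startswith("\\HardDisk"):
            # A hit on the raw disk object is a boot-sector (MBR) infection; TDL4 keeps its
            # components in a hidden file system (TDLFS) that TDSSKiller copies to quarantine.
            hidden = [p for p in r.quarantined if p.startswith(obj + "\\TDLFS\\")]
            findings.append(f"boot-sector infection; {len(hidden)} TDLFS files quarantined")
    for name, md5 in r.drivers.items():
        known = baseline.get(name)
        if known is None:
            findings.append(f"driver {name} not in baseline (hash {md5}); verify manually")
        elif known != md5:
            findings.append(f"driver {name} hash {md5} differs from baseline {known}")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_tdsskiller(SAMPLE_LOG), BASELINE):
        print(finding)
```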
 
Okay, one down!

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    
    :Files 
    C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll 
    C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\librvry.dll C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0003.dta 
    C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0005.dta 
    C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0006.dta 
    C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0007.dta 
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image (RcAuto1.gif):
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (image: whatnext.png):
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe (cf-icon.jpg) & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=======================================
Sorry for delay- just got back in town and online.
 
All processes killed
========== PROCESSES ==========
========== FILES ==========
LoadLibrary failed for C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll
C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll moved successfully.
File/Folder C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\librvry.dll C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0003.dta not found.
C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0005.dta moved successfully.
C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0006.dta moved successfully.
File/Folder C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0007.dta not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: anthony.berry.SMI
->Temp folder emptied: 1234 bytes
->Temporary Internet Files folder emptied: 9903261 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: betty.fry
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: bobbie.wilkinson
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Don Baker
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: don.baker
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes

User: katie.tracy
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 0 bytes

User: pelvia.harris
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: robbie.robinson
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: sandra.dagostino
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: stephanie.spurlock
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: ted.mcdonald
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 10.00 mb


OTM by OldTimer - Version 3.1.17.2 log created on 12152010_105944

Files moved on Reboot...

Registry entries deleted on Reboot...


ComboFix 10-12-14.07 - anthony.berry 12/15/2010 11:24:52.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2598 [GMT -5:00]
Running from: c:\documents and settings\anthony.berry.SMI\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\stephanie.spurlock\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\stephanie.spurlock\Application Data\Adobe\plugs
c:\documents and settings\stephanie.spurlock\Local Settings\Application Data\{06AC7C17-3E03-4615-B3E6-EB1654C6E5FE}
c:\documents and settings\stephanie.spurlock\Local Settings\Application Data\{06AC7C17-3E03-4615-B3E6-EB1654C6E5FE}\chrome.manifest
c:\documents and settings\stephanie.spurlock\Local Settings\Application Data\{06AC7C17-3E03-4615-B3E6-EB1654C6E5FE}\chrome\content\_cfg.js
c:\documents and settings\stephanie.spurlock\Local Settings\Application Data\{06AC7C17-3E03-4615-B3E6-EB1654C6E5FE}\chrome\content\overlay.xul
c:\documents and settings\stephanie.spurlock\Local Settings\Application Data\{06AC7C17-3E03-4615-B3E6-EB1654C6E5FE}\install.rdf
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

----- BITS: Possible infected sites -----

hxxp://gawsus
.
((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
.

2010-12-15 15:59 . 2010-12-15 15:59 -------- d-----w- C:\_OTM
2010-12-13 14:07 . 2010-12-13 14:07 -------- d-----w- c:\program files\ESET
2010-12-13 13:55 . 2010-12-13 13:55 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-13 13:38 . 2010-12-13 13:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-12-13 13:38 . 2010-12-13 13:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-12-10 14:39 . 2010-12-10 14:39 134464 ----a-w- c:\windows\system32\LnkProtect.dll
2010-12-10 14:29 . 2010-12-10 16:55 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-12-10 14:29 . 2010-12-10 14:29 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-12-10 14:28 . 2010-12-10 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-12-09 14:11 . 2010-12-09 14:11 -------- d-s---w- c:\documents and settings\anthony.berry.SMI\UserData
2010-12-03 19:30 . 2010-12-03 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-12-03 19:11 . 2010-12-03 20:21 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-12-03 19:03 . 2009-09-29 20:05 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-12-03 18:56 . 2010-12-03 19:00 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-12-03 18:56 . 2010-12-03 19:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-03 16:22 . 2010-12-03 16:22 -------- d-----w- c:\documents and settings\stephanie.spurlock\Application Data\Malwarebytes
2010-12-03 16:21 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-03 16:21 . 2010-12-03 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-03 16:20 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-03 16:20 . 2010-12-06 15:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-29 115560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Shortcut to SMILaunch.lnk - \\ncsduvg056\SMIApps\Prod\SMILaunch\SMILaunch.exe [2010-7-19 1114112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1209\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1272\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-14147\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1423\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-4928\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-4929\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8618\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8672\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [6/3/2003 3:52 PM 123957]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [6/3/2003 3:52 PM 46900]
R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [3/7/2006 2:46 PM 8704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/3/2010 3:21 PM 102448]
S3 COAX;COAX;c:\windows\system32\drivers\COAX.SYS [8/10/2005 1:58 PM 26528]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [9/29/2009 3:05 PM 23888]
S3 RMBS;RMBS;c:\windows\system32\drivers\RMBS.SYS [8/10/2005 1:58 PM 18208]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\Clt-Inst\vpremote.exe [6/11/2010 12:47 PM 142192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://insidesmi/
mStart Page = hxxp://www.dell.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: {FAB8539F-27EC-423B-9D13-A76691C35E20} = 192.168.2.42,10.0.5.3
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)
SafeBoot-Symantec Antvirus



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-15 11:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-12-15 11:30:38
ComboFix-quarantined-files.txt 2010-12-15 16:30

Pre-Run: 26,965,839,872 bytes free
Post-Run: 26,931,793,920 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DD3A282C95858CB97DB64A2A0EED790A
 
Okay, you're almost there!

I notice there are no restore points in the system. Why?
Please update to Java(TM) 6 Update 22: check this site, Java Updates, and uninstall v6u17 in Add/Remove Programs.

Is this your workplace Domain? uStart Page = hxxp://insidesmi/?

You have this entry in the Startup folder:
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - \\ncsduvg056\smiapps\prod\smilaunch\SMILaunch.exe
Please verify if it is for this site:
http://www.redrc.net/2010/04/smi-launch-orcan-shop-austria/
==================================================
Please run this Custom CFScript:

  • [1]. Close any open browsers.
    [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: [Be sure to scroll down to include ALL lines.]
Code:
KillAll::
File::
c:\windows\system32\drivers\hitmanpro35.sys
Folder::
c:\program files\Hitman Pro 3.5
c:\docume~1\alluse~1\applic~1\Hitman Pro

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-
Save this as CFScript.txt, in the same location as ComboFix.exe
(image: CFScriptB-4.gif)


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
Regarding Hitman Pro: This is a bundle of programs that are all free on the internet. Some have been used without permission of their authors. There is a short trial period after which you have to pay to have entries removed, but could have gotten removal free from the original programs.

Please uninstall it in Add/Remove Programs, then use Windows explorer (Windows key + E) to access My Computer> Local Drive> Programs> find and delete the Hitman Pro folder.
Close Windows Explorer.
=======================================
Let's check with this to make sure no bad entries remain:
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
 
To answer your few questions above...

This is a company PC. System Restore was disabled to prevent any more occurrences of spyware. PC will be imaged after this cleanup, so will most likely NOT have system restore enabled.

The webpage is a company intranet site. Also, the shortcut in startup is for an internal company application, SMILaunch.

Logs will be incoming soon...
 
ComboFix 10-12-18.02 - anthony.berry 12/19/2010 12:58:21.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2602 [GMT -5:00]
Running from: c:\documents and settings\anthony.berry.SMI\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\anthony.berry.SMI\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

FILE ::
"c:\windows\system32\drivers\hitmanpro35.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\alluse~1\applic~1\Hitman Pro
c:\docume~1\alluse~1\applic~1\Hitman Pro\Banner.bin
c:\docume~1\alluse~1\applic~1\Hitman Pro\HitmanPro.key
c:\docume~1\alluse~1\applic~1\Hitman Pro\HitmanPro.lic
c:\windows\system32\drivers\hitmanpro35.sys

.
((((((((((((((((((((((((( Files Created from 2010-11-19 to 2010-12-19 )))))))))))))))))))))))))))))))
.

2010-12-19 17:54 . 2010-12-19 17:54 -------- d-----w- C:\HiJackThis
2010-12-15 15:59 . 2010-12-15 15:59 -------- d-----w- C:\_OTM
2010-12-13 14:07 . 2010-12-13 14:07 -------- d-----w- c:\program files\ESET
2010-12-13 13:55 . 2010-12-13 13:55 -------- d-----w- C:\TDSSKiller_Quarantine
2010-12-13 13:38 . 2010-12-13 13:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-12-13 13:38 . 2010-12-13 13:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2010-12-10 14:39 . 2010-12-10 14:39 134464 ----a-w- c:\windows\system32\LnkProtect.dll
2010-12-09 14:11 . 2010-12-09 14:11 -------- d-s---w- c:\documents and settings\anthony.berry.SMI\UserData
2010-12-03 19:30 . 2010-12-03 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-12-03 19:11 . 2010-12-03 20:21 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2010-12-03 19:03 . 2009-09-29 20:05 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
2010-12-03 18:56 . 2010-12-03 19:00 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-12-03 18:56 . 2010-12-03 19:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-12-03 16:22 . 2010-12-03 16:22 -------- d-----w- c:\documents and settings\stephanie.spurlock\Application Data\Malwarebytes
2010-12-03 16:21 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-03 16:21 . 2010-12-03 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-03 16:20 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-03 16:20 . 2010-12-06 15:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-12-15_16.28.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-19 18:02 . 2010-12-19 18:02 16384 c:\windows\temp\Perflib_Perfdata_2a0.dat
- 2004-08-11 22:00 . 2010-11-17 20:31 63860 c:\windows\system32\perfc009.dat
+ 2004-08-11 22:00 . 2010-12-15 16:42 63860 c:\windows\system32\perfc009.dat
+ 2010-12-16 05:03 . 2010-12-19 05:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-08-10 16:46 . 2010-12-15 05:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-08-10 16:46 . 2010-12-19 05:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-12-16 05:03 . 2010-12-19 05:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2005-08-10 16:46 . 2010-12-15 05:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2004-08-11 22:00 . 2010-12-15 16:42 405310 c:\windows\system32\perfh009.dat
- 2004-08-11 22:00 . 2010-11-17 20:31 405310 c:\windows\system32\perfh009.dat
+ 2010-12-15 16:36 . 2010-12-15 16:36 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
+ 2010-12-15 16:36 . 2010-12-15 16:36 311248 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.dll
+ 2010-10-22 01:04 . 2010-10-22 01:04 2827728 c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-29 115560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Shortcut to SMILaunch.lnk - \\ncsduvg056\SMIApps\Prod\SMILaunch\SMILaunch.exe [2010-7-19 1114112]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1209\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1272\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-14147\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1423\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-4928\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-4929\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8618\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8672\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [6/3/2003 3:52 PM 123957]
R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [6/3/2003 3:52 PM 46900]
R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [3/7/2006 2:46 PM 8704]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/3/2010 3:21 PM 102448]
S3 COAX;COAX;c:\windows\system32\drivers\COAX.SYS [8/10/2005 1:58 PM 26528]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [9/29/2009 3:05 PM 23888]
S3 RMBS;RMBS;c:\windows\system32\drivers\RMBS.SYS [8/10/2005 1:58 PM 18208]
S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\Clt-Inst\vpremote.exe [6/11/2010 12:47 PM 142192]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://insidesmi/
mStart Page = hxxp://www.dell.com
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
TCP: {FAB8539F-27EC-423B-9D13-A76691C35E20} = 192.168.2.42,10.0.5.3
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-19 13:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec AntiVirus\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
c:\program files\Symantec AntiVirus\SmcGui.exe
.
**************************************************************************
.
Completion time: 2010-12-19 13:20:30 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-19 18:20
ComboFix2.txt 2010-12-15 16:30

Pre-Run: 26,891,198,464 bytes free
Post-Run: 26,884,304,896 bytes free

- - End Of File - - 5DD5832A154D4EDEF33B70328E51C46C

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:28:06 PM, on 12/19/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
C:\Program Files\Symantec AntiVirus\SmcGui.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insidesmi/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: Shortcut to SMILaunch.lnk = Prod\SMILaunch\SMILaunch.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = smi.corp
O17 - HKLM\Software\..\Telephony: DomainName = smi.corp
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAB8539F-27EC-423B-9D13-A76691C35E20}: NameServer = 192.168.2.42,10.0.5.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = smi.corp
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Symantec Corporation - C:\TEMP\Clt-Inst\vpremote.exe

--
End of file - 6328 bytes
 
These logs look 'squeaky clean'! There is just one removal:
Please run this Custom CFScript:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it (be sure to scroll down to include ALL lines):
Code:
File::
Folder::
C:\TDSSKiller_Quarantine
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif]

Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it will produce a log for you at C:\ComboFix.txt. You do not need to leave this log unless new problems have come up.
============================================================
Is it safe to assume that you have made all of these settings for group policy?
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8672\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

I count 10 user accounts on this system. Is that right? It would be a good idea to run TFC again. TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

And a heads-up on this: There is a site with partial name of gawsus noted as possibly infected.
================================================
Removing all of the tools we used and the files and folders they created
  • Uninstall ComboFix and all Backups of the files it deleted
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  • Download OTCleanIt by OldTimer and save it to your Desktop.
  • Double click OTCleanIt.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
  • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
  • Go to Start > All Programs > Accessories > System Tools
  • Click "System Restore".
  • Choose "Create a Restore Point" on the first screen then click "Next".
  • Give the Restore Point a name> click "Create".
  • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.

Empty the Recycle Bin
Let me know if you have any more questions.
Have a Happy and Peaceful Holiday!
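As an added check (example code, not from this thread or from ComboFix itself): a small Python parser for the per-SID Group Policy logon-script entries that appear in the ComboFix registry dump above, reporting any account whose script is not the expected NC_Logon.bat. The two real SIDs come from the log; the third SID and "other.bat" are constructed so the allowlist check has something to flag.

```python
import re
from collections import defaultdict

# Constructed sample in ComboFix's registry-dump style: the two real per-SID
# logon-script entries from the log above plus one made-up SID/"other.bat" entry.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8618\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8672\Scripts\Logon\0\0]
"Script"=NC_Logon.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-9999\Scripts\Logon\0\0]
"Script"=other.bat
"""

# Per-user Group Policy script-state key: captures the SID and Logon/Logoff.
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\"
    r"group policy\\state\\(S-1-5-21-[\d-]+)\\Scripts\\(Logon|Logoff)\\\d+\\\d+\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"(\w+)"=(.*)$')

def parse_gp_scripts(dump):
    """Return {sid: [(script_type, script_name), ...]} from a registry-style dump."""
    scripts = defaultdict(list)
    current = None  # (sid, "Logon"/"Logoff") while inside a matching key
    for line in dump.splitlines():
        line = line.rstrip()
        if not line or line.startswith("["):
            m = KEY_RE.match(line)
            current = (m.group(1), m.group(2)) if m else None
            continue
        v = VALUE_RE.match(line)
        if current and v and v.group(1).lower() == "script":
            scripts[current[0]].append((current[1], v.group(2).strip()))
    return dict(scripts)

def unexpected_scripts(scripts, allowed):
    """Entries whose script name is not on the administrator's allowlist."""
    allowed = {a.lower() for a in allowed}
    return [(sid, kind, name) for sid, entries in sorted(scripts.items())
            for kind, name in entries if name.lower() not in allowed]

if __name__ == "__main__":
    found = parse_gp_scripts(SAMPLE_DUMP)
    for hit in unexpected_scripts(found, {"NC_Logon.bat"}):
        print("UNEXPECTED:", hit)
```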
 