TechSpot

Need help removing Rootkit.tdss from XP workstation

By BlckBerry
Dec 10, 2010
  1. Hello,

    I've been trying to find a way to get rid of the TDSS.Rootkit that is on one of my company's workstations and have come here for good help. I've run multiple instances of the 8-step (now 6) process and here are my latest results.
     
  2. BlckBerry


    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5287

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 6.0.2900.2180

    12/10/2010 11:02:28 AM
    mbam-log-2010-12-10 (11-02-28).txt

    Scan type: Quick scan
    Objects scanned: 247906
    Time elapsed: 16 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 2

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\RECYCLER\s-1-5-21-515967899-682003330-937999820-4928\Dc248.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
    c:\RECYCLER\s-1-5-21-515967899-682003330-937999820-4928\Dc249.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
     
  3. BlckBerry


    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x0004000d

    Kernel Drivers (total 131):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806CE000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA5AC000 intelide.sys
    0xBA0B8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA5AE000 dmload.sys
    0xB9F23000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA338000 pxscan.sys
    0xBA0C8000 VolSnap.sys
    0xB9F0B000 atapi.sys
    0xBA0D8000 disk.sys
    0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9EEB000 fltMgr.sys
    0xB9ED7000 PQV2i.sys
    0xB9EC0000 KSecDD.sys
    0xB9E33000 Ntfs.sys
    0xB9E06000 NDIS.sys
    0xB9DEB000 Mup.sys
    0xBA2B8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9CDD000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
    0xB9CC9000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB9C9B000 \SystemRoot\system32\DRIVERS\b57xp32.sys
    0xBA3C0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB9C78000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA3C8000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB9BE2000 \SystemRoot\system32\drivers\smwdm.sys
    0xB9BBE000 \SystemRoot\system32\drivers\portcls.sys
    0xBA2C8000 \SystemRoot\system32\drivers\drmk.sys
    0xB9B9B000 \SystemRoot\system32\drivers\ks.sys
    0xBA5B8000 \SystemRoot\system32\drivers\aeaudio.sys
    0xBA3D0000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xB9B87000 \SystemRoot\system32\DRIVERS\parport.sys
    0xBA2D8000 \SystemRoot\system32\DRIVERS\serial.sys
    0xBA570000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xBA2E8000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA2F8000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA574000 \SystemRoot\System32\Drivers\GearAspiWDM.SYS
    0xBA6CE000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA308000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xBA57C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB9B70000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA318000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA108000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA3D8000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB9B5F000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA118000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA3E0000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA3E8000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB9B2E000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA128000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA3F0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA3F8000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xB9AE8000 \SystemRoot\system32\DRIVERS\teefer2.sys
    0xBA5BA000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB9A8F000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA59C000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA148000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA188000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5BC000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xBA400000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xBA5BE000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xA98B4000 \SystemRoot\System32\drivers\pxrts.sys
    0xBA5C0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA768000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5C2000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA410000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA418000 \SystemRoot\System32\drivers\vga.sys
    0xBA5C4000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5C6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA420000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA428000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xBA564000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xA9859000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xA9801000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xA97D4000 \SystemRoot\System32\Drivers\SYMTDI.SYS
    0xA97AF000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    0xBA1F8000 \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    0xA9787000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xA9765000 \SystemRoot\System32\drivers\afd.sys
    0xBA208000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xBA218000 \SystemRoot\System32\Drivers\SRTSPX.SYS
    0xA96FB000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    0xBA228000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB9B2A000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA258000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xB9B26000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xB9B22000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xBA438000 \SystemRoot\System32\drivers\pxkbf.sys
    0xA96D0000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xA9955000 \SystemRoot\System32\Drivers\PQIMount.SYS
    0xA9611000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xA9935000 \SystemRoot\System32\Drivers\Fips.SYS
    0xA95B3000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    0xA9596000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    0xBA1C8000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xA957E000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA5C8000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xBA55C000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA450000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA7D9000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF020000 \SystemRoot\System32\ialmdnt5.dll
    0xBF012000 \SystemRoot\System32\ialmrnt5.dll
    0xBF03E000 \SystemRoot\System32\ialmdev5.DLL
    0xBF064000 \SystemRoot\System32\ialmdd5.DLL
    0xA9466000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xA9196000 \??\C:\WINDOWS\system32\drivers\WpsHelper.sys
    0xA9052000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xA9017000 \SystemRoot\System32\Drivers\SENTINEL.SYS
    0xBA470000 \??\C:\WINDOWS\system32\drivers\InAspi32.sys
    0xA8ED0000 \SystemRoot\system32\DRIVERS\srv.sys
    0xA8E96000 \SystemRoot\SYSTEM32\DRIVERS\WibuKey.sys
    0xA8D69000 \SystemRoot\system32\drivers\wdmaud.sys
    0xA8E86000 \SystemRoot\system32\drivers\sysaudio.sys
    0xA88EA000 \SystemRoot\System32\Drivers\HTTP.sys
    0xBA368000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
    0xA8558000 \SystemRoot\System32\Drivers\SRTSP.SYS
    0xA840D000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101209.048\NAVEX15.SYS
    0xA83F9000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101209.048\NAVENG.SYS
    0xA8213000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 30):
    0 System Idle Process
    4 System
    960 C:\WINDOWS\system32\smss.exe
    1060 csrss.exe
    1084 C:\WINDOWS\system32\winlogon.exe
    1128 C:\WINDOWS\system32\services.exe
    1140 C:\WINDOWS\system32\lsass.exe
    1292 C:\WINDOWS\system32\svchost.exe
    1388 svchost.exe
    1428 C:\WINDOWS\system32\svchost.exe
    1548 C:\Program Files\Symantec AntiVirus\Smc.exe
    1620 svchost.exe
    1652 svchost.exe
    1760 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    1984 C:\WINDOWS\system32\spoolsv.exe
    168 svchost.exe
    324 C:\WINDOWS\system32\gearsec.exe
    368 C:\Program Files\Java\jre6\bin\jqs.exe
    492 C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    480 C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    456 C:\WINDOWS\explorer.exe
    2112 C:\Program Files\Symantec AntiVirus\SmcGui.exe
    2208 C:\WINDOWS\system32\hkcmd.exe
    2216 C:\Program Files\Java\jre6\bin\jusched.exe
    2232 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    2252 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    2276 C:\WINDOWS\system32\ctfmon.exe
    2772 C:\Program Files\Internet Explorer\iexplore.exe
    2528 C:\Documents and Settings\anthony.berry.SMI\Desktop\MBRCheck.exe
    516 SescLU.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`036e8e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD400BD-75LRA0, Rev: 09.01D09

    Size Device Name MBR Status
    --------------------------------------------
    37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-05.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/10/2005 12:49:58 PM
    System Uptime: 12/10/2010 1:09:54 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0C7195
    Processor: Intel(R) Pentium(R) 4 CPU 3.20GHz | Microprocessor | 3192/800mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 37 GiB total, 23.648 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Adobe Acrobat 9 Standard - English, Français, Deutsch
    Adobe Acrobat 9.4.1 - CPSID_83708
    Adobe Flash Player ActiveX
    Ascent Advanced Forms Custom Module V3.7 SR01
    Ascent Advanced Forms V3.7 SR01
    Ascent Advanced Forms Validation Custom Module V3.7 SR01
    Ascent Advanced Forms Validation V3.7 SR01
    Ascent Capture 7.0 - Workstation
    Broadcom Advanced Control Suite 2
    Drive Image 7.0
    Hitman Pro 3.5
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB952287)
    Imaging for Windows® Professional Edition 2.5
    Intel(R) Graphics Media Accelerator Driver
    Java 2 Runtime Environment, SE v1.4.2_03
    Java(TM) 6 Update 17
    Kofax TWAIN Data Source
    Kofax VirtualReScan 4.0
    LiveUpdate 3.3 (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional Plus 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Software Update for Web Folders (English) 12
    MSVCRT
    RFClient
    RFClient8.01
    RUMBA 2000
    Security Update for Microsoft .NET Framework 2.0 (KB928365)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB911565)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB896688)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899588)
    Security Update for Windows XP (KB899589)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB905915)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911280)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912812)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB916281)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917344)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB918899)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB921503)
    Security Update for Windows XP (KB921883)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922760)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925454)
    Security Update for Windows XP (KB925486)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928090)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB929969)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931768)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933566)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Security Update for Windows XP (KB936021)
    Security Update for Windows XP (KB937143)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938127)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB938829)
    Security Update for Windows XP (KB939653)
    Security Update for Windows XP (KB941202)
    Security Update for Windows XP (KB941568)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB941644)
    Security Update for Windows XP (KB941693)
    Security Update for Windows XP (KB942615)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB943460)
    Security Update for Windows XP (KB943485)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB944533)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB948590)
    Security Update for Windows XP (KB948881)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Security Update for Windows XP (KB981350)
    Security Update for Windows XP (KB982381)
    Segoe UI
    Sentinel System Driver 5.41.1 (32-bit)
    SpywareBlaster 4.4
    Symantec Endpoint Protection
    Update for Windows XP (KB894391)
    Update for Windows XP (KB896727)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920342)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB929338)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB933360)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB942840)
    Update for Windows XP (KB946627)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VBA (2627.01)
    WebFldrs XP
    Windows Genuine Advantage v1.3.0254.0
    Windows Installer 3.1 (KB893803)
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows XP Hotfix - KB873333
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB888310
    Windows XP Hotfix - KB890175
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB890923
    Windows XP Hotfix - KB891781
    Windows XP Hotfix - KB893086

    ==== Event Viewer Messages From Past Week ========

    12/9/2010 9:06:00 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips IntelIde intelppm IPSec MRxSmb NetBIOS NetBT PQIMount RasAcd Rdbss SPBBCDrv SRTSPX SYMTDI Tcpip WPS
    12/9/2010 9:06:00 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    12/9/2010 9:06:00 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/9/2010 9:06:00 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    12/9/2010 9:06:00 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    12/8/2010 12:43:18 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2696.
    12/7/2010 1:43:13 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.2180.
    12/6/2010 7:58:58 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    12/6/2010 7:57:27 AM, error: NETLOGON [5719] - No Domain Controller is available for domain SMI due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
    12/6/2010 10:52:46 AM, error: Print [22] - Failed to ugrade printer settings for printer Adobe PDF,0 driver Adobe PDF Converter error 1801.
    12/6/2010 10:52:46 AM, error: Print [22] - Failed to ugrade printer settings for printer \\NCSDU7NG6481\Adobe PDF,0,LocalOnly driver C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\PS5UI.DLL error 1801.
    12/6/2010 10:42:44 AM, error: DCOM [10001] - Unable to start a DCOM Server: {73AA8F59-DBC4-11D0-AF5C-00A02448799A} as /. The error: "%2" Happened while starting this command: C:\Program Files\Microsoft Visual Studio\Common\IDE\IDE98\MSE.EXE -JITDebug -Embedding
    12/6/2010 10:34:30 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
    12/3/2010 3:55:16 PM, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    12/3/2010 3:54:36 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
    12/3/2010 3:53:56 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
    12/3/2010 2:54:56 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/3/2010 2:44:15 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service winmgmt with arguments "" in order to run the server: {8BC3F05E-D86B-11D0-A075-00C04FB68820}
    12/3/2010 2:30:41 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    12/10/2010 9:37:54 AM, error: Service Control Manager [7024] - The Hitman Pro 3.5 Crusader (Boot) service terminated with service-specific error 0 (0x0).
    12/10/2010 9:08:07 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT PQIMount pxrts RasAcd Rdbss SPBBCDrv SRTSPX SYMTDI Tcpip WPS
    12/10/2010 12:30:27 PM, error: DCOM [10000] - Unable to start a DCOM Server: {7E477741-01A6-4C06-9DAC-55F6174C08A3}. The error: "%6" Happened while starting this command: "C:\Program Files\Symantec AntiVirus\SescLU.exe" -Embedding
    12/10/2010 11:06:46 AM, error: atapi [9] - The device, \Device\Ide\IdePort1, did not respond within the timeout period.
    12/10/2010 11:05:38 AM, error: Service Control Manager [7016] - The GEARSecurity service has reported an invalid current state 0.
    12/10/2010 10:23:12 AM, error: Service Control Manager [7034] - The V2i Protector service terminated unexpectedly. It has done this 1 time(s).
    12/10/2010 10:23:12 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    12/10/2010 10:23:12 AM, error: Service Control Manager [7034] - The GEARSecurity service terminated unexpectedly. It has done this 1 time(s).
    12/10/2010 10:23:12 AM, error: Service Control Manager [7031] - The Symantec Settings Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 100 milliseconds: Restart the service.
    12/10/2010 10:23:12 AM, error: Service Control Manager [7031] - The Symantec Management Client service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 1000 milliseconds: Restart the service.
    12/10/2010 10:23:12 AM, error: Service Control Manager [7031] - The Symantec Event Manager service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 200 milliseconds: Restart the service.
    12/10/2010 10:23:12 AM, error: Service Control Manager [7031] - The Symantec Endpoint Protection service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 10000 milliseconds: Restart the service.

    ==== End Of File ===========================

    DDS (Ver_10-12-05.01) - NTFSx86
    Run by anthony.berry at 13:31:27.63 on Fri 12/10/2010
    Internet Explorer: 6.0.2900.2180
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2603 [GMT -5:00]

    AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Symantec AntiVirus\Smc.exe
    svchost.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\WINDOWS\System32\GEARSec.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec AntiVirus\SmcGui.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\MDM.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\anthony.berry.SMI\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://insidesmi/
    uDefault_Page_URL = hxxp://www.dell.com
    mDefault_Page_URL = hxxp://www.dell.com
    mStart Page = hxxp://www.dell.com
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [<NO NAME>]
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - \\ncsduvg056\smiapps\prod\smilaunch\SMILaunch.exe
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    TCP: {FAB8539F-27EC-423B-9D13-A76691C35E20} = 192.168.2.42,10.0.5.3
    Notify: igfxcui - igfxsrvc.dll

    ============= SERVICES / DRIVERS ===============

    R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [2003-6-3 123957]
    R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [2003-6-3 46900]
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-9-29 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-9-29 108392]
    R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [2006-3-7 8704]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec antivirus\Rtvscan.exe [2009-9-29 2477304]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-12-3 102448]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101209.048\NAVENG.SYS [2010-12-10 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101209.048\NAVEX15.SYS [2010-12-10 1360248]
    S3 COAX;COAX;c:\windows\system32\drivers\COAX.SYS [2005-8-10 26528]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-9-29 23888]
    S3 RMBS;RMBS;c:\windows\system32\drivers\RMBS.SYS [2005-8-10 18208]
    S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\clt-inst\vpremote.exe [2010-6-11 142192]

    =============== Created Last 30 ================

    2010-12-10 14:39:51 134464 ----a-w- c:\windows\system32\LnkProtect.dll
    2010-12-10 14:29:23 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-12-10 14:29:22 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-12-10 14:28:00 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
    2010-12-09 14:11:06 -------- d-s---w- c:\documents and settings\anthony.berry.smi\UserData
    2010-12-07 13:18:16 81920 ------w- c:\windows\system32\dllcache\ieencode.dll
    2010-12-07 13:17:38 417792 ------w- c:\windows\system32\dllcache\vbscript.dll
    2010-12-06 20:27:11 -------- d-----w- c:\program files\SpywareBlaster
    2010-12-06 20:18:11 -------- d-----w- c:\docume~1\anthon~1.smi\applic~1\Malwarebytes
    2010-12-03 19:11:13 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2010-12-03 19:03:20 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
    2010-12-03 18:56:36 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-12-03 18:56:35 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-12-03 16:21:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-03 16:21:49 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2010-12-03 16:20:56 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-03 16:20:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    ==================== Find3M ====================


    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD400BD-75LRA0 rev.09.01D09 -> Harddisk0\DR0 -> \Device\Ide\IdePort1 P1T0L0-e

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A4F5555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4fb7b0]; MOV EAX, [0x8a4fb82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EE00A] -> \Device\Harddisk0\DR0[0x8A4E1AB8]
    3 CLASSPNP[0xBA0E905B] -> ntkrnlpa!IofCallDriver[0x804EE00A] -> [0x8A4A66B8]
    \Driver\atapi[0x8A4D2D30] -> IRP_MJ_CREATE -> 0x8A4F5555
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD400BD-75LRA0______________________09.01D09#5&2a36c317&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A4F539B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 13:31:59.18 ===============

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-10 13:30:18
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort1 WDC_WD400BD-75LRA0 rev.09.01D09
    Running: thekbmwt.exe; Driver: C:\DOCUME~1\ANTHON~1.SMI\LOCALS~1\Temp\pwlyqpow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 57: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A4F539B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A4F539B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A4F539B
    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Device\Ide\IdeDeviceP1T0L0-e -> \??\IDE#DiskWDC_WD400BD-75LRA0______________________09.01D09#5&2a36c317&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----
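    Reading the two rootkit-scanner excerpts above by hand is error-prone, so here is an added example (not code from the thread, from GMER or from TechSpot) that parses the line shapes they print, the `>>UNKNOWN [...]<<` module in the disk trace, the `DriverStartIo` hook on `\Driver\atapi` and the flagged sectors, into a triage verdict. The embedded log excerpt is a constructed subset of the posted output; the 64 KiB address-correlation window and the severity labels are this example's own assumptions.

```python
"""Triage of the rootkit-detector output posted in this thread.

Added example, not code from the original post, from GMER or from TechSpot. It
parses the line shapes the two scanners print into findings a responder can act on.
SAMPLE_LOG is a constructed subset of the posted output; the severity labels and
the 64 KiB address-correlation rule are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed excerpt of the lines shown in the thread (MBR detector and GMER).
SAMPLE_LOG = """\
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A4F5555]<<
\\Driver\\atapi[0x8A4D2D30] -> IRP_MJ_CREATE -> 0x8A4F5555
detected hooks:
\\Driver\\atapi DriverStartIo -> 0x8A4F539B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
Disk \\Device\\Harddisk0\\DR0 sector 10: rootkit-like behavior;
Disk \\Device\\Harddisk0\\DR0 sector 63: rootkit-like behavior;
Device \\Driver\\atapi -> DriverStartIo \\Device\\Ide\\IdePort1 8A4F539B
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
"""

# One pattern per line shape; addresses are captured as hex digits without 0x.
RE_UNKNOWN = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
RE_DISPATCH = re.compile(r"^(\\Driver\\\w+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> 0x([0-9A-Fa-f]+)$")
RE_HOOK_DETECTOR = re.compile(r"^(\\Driver\\\w+) (\w+) -> 0x([0-9A-Fa-f]+)$")
RE_HOOK_GMER = re.compile(r"^Device (\\Driver\\\w+) -> (\w+) (\S+) ([0-9A-Fa-f]{8})$")
RE_SECTOR = re.compile(r"^Disk (\S+) sector (\d+): rootkit-like behavior")
REGION_SHIFT = 16  # assumption: addresses in one 64 KiB region belong to one code blob


@dataclass
class Finding:
    kind: str                      # hook | dispatch | unknown_module | sector
    detail: str
    address: Optional[int] = None  # kernel address, where the line carries one


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    mbr_ok: bool = False
    tool_warning: Optional[str] = None

    def addresses(self, *kinds):
        return {f.address for f in self.findings if f.kind in kinds and f.address is not None}


def parse_log(text: str) -> Triage:
    """Walk the log once and record every line shape we recognise; others are ignored."""
    t = Triage()
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_UNKNOWN.search(line):
            t.findings.append(Finding("unknown_module", line, int(m.group(1), 16)))
        elif m := RE_DISPATCH.match(line):
            t.findings.append(Finding("dispatch", f"{m.group(1)} {m.group(2)}", int(m.group(3), 16)))
        elif m := RE_HOOK_DETECTOR.match(line):
            t.findings.append(Finding("hook", f"{m.group(1)} {m.group(2)}", int(m.group(3), 16)))
        elif m := RE_HOOK_GMER.match(line):
            t.findings.append(Finding("hook", f"{m.group(1)} {m.group(2)} on {m.group(3)}",
                                      int(m.group(4), 16)))
        elif m := RE_SECTOR.match(line):
            t.findings.append(Finding("sector", f"{m.group(1)} sector {m.group(2)}"))
        elif line == "user & kernel MBR OK":
            t.mbr_ok = True
        elif line.startswith("Warning:"):
            t.tool_warning = line[len("Warning:"):].strip()
    return t


def assess(t: Triage) -> dict:
    """Reduce the findings to a severity and the reasons behind it."""
    hooked = t.addresses("hook", "dispatch")
    unknown = t.addresses("unknown_module")
    sectors = [f.detail for f in t.findings if f.kind == "sector"]
    reasons = []
    # Strongest signal: a storage-stack routine redirected into memory that no
    # loaded module accounts for, i.e. the disk I/O path is under foreign control.
    correlated = {h for h in hooked for u in unknown if h >> REGION_SHIFT == u >> REGION_SHIFT}
    if correlated:
        region = (min(correlated) >> REGION_SHIFT) << REGION_SHIFT
        reasons.append(f"storage driver hook lands in unmapped code region 0x{region:08X}")
    elif hooked:
        reasons.append("storage driver routine hooked")
    if sectors:
        reasons.append(f"{len(sectors)} disk sector(s) flagged as rootkit-like")
    if t.mbr_ok and (hooked or sectors):
        reasons.append("MBR reads the same from user and kernel mode: start with the "
                       "hooked driver and the flagged sectors, not the MBR")
    severity = ("high" if correlated or (hooked and sectors)
                else "medium" if hooked or sectors or unknown else "clean")
    return {"severity": severity, "reasons": reasons, "tool_warning": t.tool_warning,
            "hooked_addresses": sorted(hooked), "unknown_addresses": sorted(unknown)}
```

    Lines the patterns do not recognise are skipped, so a whole pasted DDS or GMER report can be handed to parse_log as-is.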
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot! I'll help with the malware. I will request that you run only the programs I instruct you to. You didn't find the MBR program in our 'now 6, used to be 8 steps'!

    Before starting, I'd like for you to remove this:
    [HitmanPro35] "c:\program files\hitman pro 3.5\HitmanPro35.exe" /scan:boot
    Take it off Startup and uninstall the program. It is a bundle of programs that are free on the internet, most being used without the authors' permissions. There is a short trial period and then you are expected to pay to have an entry removed.
    ============================================
    And we will remove the Recycler entries. The Recycler folder is where the Recycle Bin sends deleted files. It is a hidden system file and the contents have to be removed in a special way:

    Empty the Recycle Bin. This has to be done first. If there is anything in it, you can't empty the Recycler.
    You will need to display hidden files and folders: Using Windows Explorer: Windows key + E
    • Click on Tools> Folder Options> View tab>
    • Check 'show hidden files and folders'>
    • Uncheck 'hide operating system files (Recommended)'>
    • Click on My Computer> Local Drive> Double click Recycler
    • Look for these contents on the right screen: the numerical string is the identification number for the account with these files:
      s-1-5-21-515967899-682003330-937999820-4928\Dc248.tmp (Rootkit.TDSS.Gen)
      s-1-5-21-515967899-682003330-937999820-4928\Dc249.tmp (Rootkit.TDSS.Gen)
    • Do a right click> Delete on each entry
    • Click on Apply> OK when finished.
    Now go back and rehide the files and folders, Close Windows Explorer.
    =======================================================
    You have a rootkit malware infection. This type of program requires specific programs to find and remove the rootkit, so we'll begin with this:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with descriptions.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    Please leave the log in your next reply.
    =====================================
    Please follow with
    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    I will finish checking these logs while you run those programs.
     
  5. BlckBerry

    BlckBerry TS Rookie Topic Starter

    Okay, I will follow your steps, but PC is at work for now. I will definitely post logs on Monday morning.

    PS. I do have TDSSKiller already installed and it continues to find the rootkit, though I did not try the 'quarantine' you're suggesting.
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Run the scan again and follow the directions for quarantine.
     
  7. BlckBerry

    BlckBerry TS Rookie Topic Starter

    2010/12/13 08:54:44.0031 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
    2010/12/13 08:54:44.0031 ================================================================================
    2010/12/13 08:54:44.0031 SystemInfo:
    2010/12/13 08:54:44.0031
    2010/12/13 08:54:44.0031 OS Version: 5.1.2600 ServicePack: 2.0
    2010/12/13 08:54:44.0031 Product type: Workstation
    2010/12/13 08:54:44.0031 ComputerName: NCSDU7NG6481
    2010/12/13 08:54:44.0031 UserName: smiadmin
    2010/12/13 08:54:44.0031 Windows directory: C:\WINDOWS
    2010/12/13 08:54:44.0031 System windows directory: C:\WINDOWS
    2010/12/13 08:54:44.0031 Processor architecture: Intel x86
    2010/12/13 08:54:44.0031 Number of processors: 1
    2010/12/13 08:54:44.0031 Page size: 0x1000
    2010/12/13 08:54:44.0031 Boot type: Normal boot
    2010/12/13 08:54:44.0031 ================================================================================
    2010/12/13 08:54:44.0171 Initialize success
    2010/12/13 08:54:49.0171 ================================================================================
    2010/12/13 08:54:49.0171 Scan started
    2010/12/13 08:54:49.0171 Mode: Manual;
    2010/12/13 08:54:49.0171 ================================================================================
    2010/12/13 08:54:50.0171 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    2010/12/13 08:54:50.0343 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2010/12/13 08:54:50.0531 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2010/12/13 08:54:50.0625 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    2010/12/13 08:54:50.0734 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
    2010/12/13 08:54:50.0953 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
    2010/12/13 08:54:51.0078 AFD (55e6e1c51b6d30e54335750955453702) C:\WINDOWS\System32\drivers\afd.sys
    2010/12/13 08:54:51.0203 agp440 (2c428fa0c3e3a01ed93c9b2a27d8d4bb) C:\WINDOWS\system32\DRIVERS\agp440.sys
    2010/12/13 08:54:51.0296 agpCPQ (67288b07d6aba6c1267b626e67bc56fd) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    2010/12/13 08:54:51.0421 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    2010/12/13 08:54:51.0578 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    2010/12/13 08:54:51.0671 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    2010/12/13 08:54:51.0828 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    2010/12/13 08:54:52.0125 alim1541 (f312b7cef21eff52fa23056b9d815fad) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    2010/12/13 08:54:52.0609 amdagp (675c16a3c1f8482f85ee4a97fc0dde3d) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    2010/12/13 08:54:52.0765 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    2010/12/13 08:54:52.0937 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    2010/12/13 08:54:53.0015 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    2010/12/13 08:54:53.0156 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    2010/12/13 08:54:53.0312 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2010/12/13 08:54:53.0453 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2010/12/13 08:54:53.0703 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2010/12/13 08:54:53.0812 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2010/12/13 08:54:53.0906 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
    2010/12/13 08:54:54.0000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2010/12/13 08:54:54.0125 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    2010/12/13 08:54:54.0234 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2010/12/13 08:54:54.0375 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    2010/12/13 08:54:54.0484 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2010/12/13 08:54:54.0625 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
    2010/12/13 08:54:54.0750 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2010/12/13 08:54:55.0000 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    2010/12/13 08:54:55.0109 COAX (caa5c61a3443807ab8dc99e7d5d84961) C:\WINDOWS\system32\drivers\COAX.sys
    2010/12/13 08:54:55.0265 COH_Mon (c586875ece5318c6309ed1ab79d0e55f) C:\WINDOWS\system32\Drivers\COH_Mon.sys
    2010/12/13 08:54:55.0406 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    2010/12/13 08:54:55.0546 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    2010/12/13 08:54:55.0687 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    2010/12/13 08:54:55.0812 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
    2010/12/13 08:54:56.0000 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
    2010/12/13 08:54:56.0187 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
    2010/12/13 08:54:56.0218 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2010/12/13 08:54:56.0406 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
    2010/12/13 08:54:56.0578 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    2010/12/13 08:54:56.0625 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
    2010/12/13 08:54:56.0796 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2010/12/13 08:54:56.0953 eeCtrl (089296aedb9b72b4916ac959752bdc89) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    2010/12/13 08:54:57.0015 EraserUtilRebootDrv (850259334652d392e33ee3412562e583) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    2010/12/13 08:54:57.0203 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
    2010/12/13 08:54:57.0359 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2010/12/13 08:54:57.0484 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
    2010/12/13 08:54:57.0578 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2010/12/13 08:54:57.0703 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2010/12/13 08:54:57.0843 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2010/12/13 08:54:57.0984 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2010/12/13 08:54:58.0156 GearAspiWDM (c33f253f50dec8c8119f67bcde831f13) C:\WINDOWS\system32\drivers\GearAspiWDM.sys
    2010/12/13 08:54:58.0281 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2010/12/13 08:54:58.0421 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2010/12/13 08:54:58.0546 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
    2010/12/13 08:54:58.0687 HTTP (9f8b0f4276f618964fd118be4289b7cd) C:\WINDOWS\system32\Drivers\HTTP.sys
    2010/12/13 08:54:58.0875 i2omgmt (8f09f91b5c91363b77bcd15599570f2c) C:\WINDOWS\system32\drivers\i2omgmt.sys
    2010/12/13 08:54:58.0921 i2omp (ed6bf9e441fdea13292a6d30a64a24c3) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    2010/12/13 08:54:59.0093 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2010/12/13 08:54:59.0203 ialm (0acebb31989cbf9a5663fe4a33d28d21) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    2010/12/13 08:54:59.0359 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2010/12/13 08:54:59.0484 InAspi32 (35738fd20716cfcc5cb104f76ee48e80) C:\WINDOWS\system32\drivers\InAspi32.sys
    2010/12/13 08:54:59.0593 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    2010/12/13 08:54:59.0687 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2010/12/13 08:54:59.0812 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2010/12/13 08:54:59.0968 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2010/12/13 08:55:00.0093 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2010/12/13 08:55:00.0234 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2010/12/13 08:55:00.0328 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2010/12/13 08:55:00.0500 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2010/12/13 08:55:00.0546 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2010/12/13 08:55:00.0718 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2010/12/13 08:55:00.0906 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2010/12/13 08:55:01.0015 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2010/12/13 08:55:01.0156 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
    2010/12/13 08:55:01.0343 KSecDD (674d3e5a593475915dc6643317192403) C:\WINDOWS\system32\drivers\KSecDD.sys
    2010/12/13 08:55:01.0609 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2010/12/13 08:55:01.0781 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
    2010/12/13 08:55:01.0890 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2010/12/13 08:55:02.0031 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2010/12/13 08:55:02.0203 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
    2010/12/13 08:55:02.0375 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    2010/12/13 08:55:02.0468 MRxDAV (29414447eb5bde2f8397dc965dbb3156) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2010/12/13 08:55:02.0671 MRxSmb (fb6c89bb3ce282b08bdb1e3c179e1c39) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2010/12/13 08:55:02.0875 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
    2010/12/13 08:55:02.0953 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2010/12/13 08:55:03.0125 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2010/12/13 08:55:03.0218 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
    2010/12/13 08:55:03.0343 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2010/12/13 08:55:03.0500 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
    2010/12/13 08:55:03.0718 NAVENG (01543b4f5b6fdac6761910ce44aff3f8) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101209.048\NAVENG.SYS
    2010/12/13 08:55:03.0953 NAVEX15 (38814ee261cfc76ded4b5647fc082826) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101209.048\NAVEX15.SYS
    2010/12/13 08:55:04.0140 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
    2010/12/13 08:55:04.0171 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2010/12/13 08:55:04.0343 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2010/12/13 08:55:04.0484 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2010/12/13 08:55:04.0562 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
    2010/12/13 08:55:04.0703 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2010/12/13 08:55:04.0828 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2010/12/13 08:55:05.0000 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
    2010/12/13 08:55:05.0125 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
    2010/12/13 08:55:05.0359 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2010/12/13 08:55:05.0468 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2010/12/13 08:55:05.0671 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2010/12/13 08:55:05.0718 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2010/12/13 08:55:05.0781 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
    2010/12/13 08:55:05.0921 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
    2010/12/13 08:55:06.0046 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2010/12/13 08:55:06.0218 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
    2010/12/13 08:55:06.0421 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2010/12/13 08:55:06.0500 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2010/12/13 08:55:06.0718 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    2010/12/13 08:55:06.0875 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    2010/12/13 08:55:07.0062 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2010/12/13 08:55:07.0187 PQIMount (2c4c21f42a50bec51c50e1674e590a57) C:\WINDOWS\system32\drivers\PQIMount.sys
    2010/12/13 08:55:07.0312 PQV2i (6a566d0f05a23bc9491b3440945c50a2) C:\WINDOWS\system32\drivers\PQV2i.sys
    2010/12/13 08:55:07.0468 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
    2010/12/13 08:55:07.0593 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2010/12/13 08:55:07.0703 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    2010/12/13 08:55:07.0812 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    2010/12/13 08:55:07.0937 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    2010/12/13 08:55:08.0093 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    2010/12/13 08:55:08.0187 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    2010/12/13 08:55:08.0359 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2010/12/13 08:55:08.0531 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2010/12/13 08:55:08.0578 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2010/12/13 08:55:08.0703 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2010/12/13 08:55:08.0828 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2010/12/13 08:55:08.0906 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2010/12/13 08:55:09.0062 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2010/12/13 08:55:09.0234 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
    2010/12/13 08:55:09.0375 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2010/12/13 08:55:09.0515 RMBS (4fae1f8b3046be33f217b9fd73f5c1d4) C:\WINDOWS\system32\drivers\RMBS.sys
    2010/12/13 08:55:09.0640 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2010/12/13 08:55:09.0796 Sentinel (aebba7428a6c40cce3c5abde45190b24) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
    2010/12/13 08:55:09.0984 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2010/12/13 08:55:10.0078 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
    2010/12/13 08:55:10.0203 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2010/12/13 08:55:10.0406 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    2010/12/13 08:55:10.0593 smwdm (4aa922332433cdeb8b82c072c212e32e) C:\WINDOWS\system32\drivers\smwdm.sys
    2010/12/13 08:55:10.0781 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    2010/12/13 08:55:10.0984 SPBBCDrv (e621bb5839cf45fa477f48092edd2b40) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    2010/12/13 08:55:11.0140 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
    2010/12/13 08:55:11.0218 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
    2010/12/13 08:55:11.0406 SRTSP (2abf82c8452ab0b9ffc74a2d5da91989) C:\WINDOWS\system32\Drivers\SRTSP.SYS
    2010/12/13 08:55:11.0546 SRTSPL (e2f9e5887bea5bd8784d337e06eda31b) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
    2010/12/13 08:55:11.0687 SRTSPX (3b974c158fabd910186f98df8d3e23f3) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
    2010/12/13 08:55:11.0859 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
    2010/12/13 08:55:12.0078 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2010/12/13 08:55:12.0109 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
    2010/12/13 08:55:12.0281 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    2010/12/13 08:55:12.0437 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    2010/12/13 08:55:12.0593 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    2010/12/13 08:55:12.0718 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    2010/12/13 08:55:12.0906 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    2010/12/13 08:55:13.0078 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    2010/12/13 08:55:13.0125 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    2010/12/13 08:55:13.0312 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
    2010/12/13 08:55:13.0421 SysPlant (1295b1da3e2a2c24c7d176f6e97afbd1) C:\WINDOWS\SYSTEM32\Drivers\SysPlant.sys
    2010/12/13 08:55:13.0578 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2010/12/13 08:55:13.0765 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2010/12/13 08:55:13.0812 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
    2010/12/13 08:55:13.0984 Teefer2 (1de2e1357552a79f39bff003a11c533e) C:\WINDOWS\system32\DRIVERS\teefer2.sys
    2010/12/13 08:55:14.0140 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2010/12/13 08:55:14.0296 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    2010/12/13 08:55:14.0453 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
    2010/12/13 08:55:14.0546 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    2010/12/13 08:55:14.0671 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
    2010/12/13 08:55:14.0906 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2010/12/13 08:55:15.0000 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2010/12/13 08:55:15.0171 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2010/12/13 08:55:15.0296 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2010/12/13 08:55:15.0437 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2010/12/13 08:55:15.0625 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
    2010/12/13 08:55:15.0734 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    2010/12/13 08:55:15.0859 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2010/12/13 08:55:15.0984 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
    2010/12/13 08:55:16.0171 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2010/12/13 08:55:16.0328 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
    2010/12/13 08:55:16.0468 WIBUKEY (ee43e7ffccb27cb901b762f2020d9d5f) C:\WINDOWS\system32\DRIVERS\WibuKey.sys
    2010/12/13 08:55:16.0640 WPS (c1620ebb375d3b02e31fd311c44fedeb) C:\WINDOWS\system32\drivers\wpsdrvnt.sys
    2010/12/13 08:55:16.0765 WpsHelper (ff983a25ae6f7d3f87f26bf51f02a201) C:\WINDOWS\system32\drivers\WpsHelper.sys
    2010/12/13 08:55:16.0843 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/12/13 08:55:17.0062 ================================================================================
    2010/12/13 08:55:17.0062 Scan finished
    2010/12/13 08:55:17.0062 ================================================================================
    2010/12/13 08:55:17.0078 Detected object count: 1
    2010/12/13 08:55:24.0062 \HardDisk0 - copied to quarantine
    2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\cfg.ini - copied to quarantine
    2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\mbr - copied to quarantine
    2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\bckfg.tmp - copied to quarantine
    2010/12/13 08:55:24.0109 \HardDisk0\TDLFS\cmd.dll - copied to quarantine
    2010/12/13 08:55:24.0125 \HardDisk0\TDLFS\ldr16 - copied to quarantine
    2010/12/13 08:55:24.0125 \HardDisk0\TDLFS\ldr32 - copied to quarantine
    2010/12/13 08:55:24.0125 \HardDisk0\TDLFS\ldr64 - copied to quarantine
    2010/12/13 08:55:24.0125 \HardDisk0\TDLFS\cmd64.dll - copied to quarantine
    2010/12/13 08:55:24.0140 \HardDisk0\TDLFS\keywords - copied to quarantine
    2010/12/13 08:55:24.0140 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Quarantine
    2010/12/13 08:55:45.0343 Deinitialize success


    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    # OnlineScanner.ocx=1.0.0.6415
    # api_version=3.0.2
    # EOSSerial=8405d27316e0344ebadc142ee2b6eaee
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-13 02:30:52
    # local_time=2010-12-13 09:30:52 (-0500, Eastern Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 2
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=49587
    # found=6
    # cleaned=0
    # scan_time=1091
    C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll Win32/Kryptik.BAK.gen trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\librvry.dll Win32/Kryptik.BAK.gen trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0003.dta Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.G trojan (unable to clean) 00000000000000000000000000000000 I
    C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.A trojan (unable to clean) 00000000000000000000000000000000 I
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, one down!

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files 
      C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll 
      C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\librvry.dll 
      C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0003.dta 
      C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0005.dta 
      C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0006.dta 
      C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0007.dta 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =====================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    Sorry for delay- just got back in town and online.
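As an added illustration of the workflow in this post (building the OTMoveIt `:Files` list from the ESET findings and then reading OTM's result log), here is a small Python script that is not part of the thread, OTM or ESET. It parses ESET "found" lines, renders the move script one path per line, flags any `:Files` line that carries more than one path (OTM reads each line as a single name, so a pasted line with two paths is looked up as one nonexistent name), and reconciles the OTM log afterwards. The line formats are inferred from the logs posted in this thread and the sample lines are constructed copies of them.

```python
# Added example for this thread (not the helper's own script or any tool's
# code): derive an OTM ":Files" move script from ESET online-scanner "found"
# lines, check that each :Files line holds exactly one path, and reconcile
# OTM's result log afterwards. Line formats are inferred from the logs posted
# in the thread; sample lines below are constructed after them.
import re

# ESET online-scanner finding: <path> <threat> (<status>) <32-hex id> <flag>
ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) (?P<threat>\S+/\S+ [^(]*?) "
    r"\((?P<status>[^)]*)\) (?P<hash>[0-9a-fA-F]{32}) (?P<flag>\S)$"
)
# OTM result lines: "<path> moved successfully." / "File/Folder <path> not found."
OTM_RESULT = re.compile(
    r"^(?:File/Folder (?P<missing>.+) not found\.|(?P<moved>.+) moved successfully\.)$"
)
DRIVE_PREFIX = re.compile(r"[A-Za-z]:\\")
OTM_COMMANDS = [":Commands", "[purity]", "[emptytemp]", "[start explorer]", "[Reboot]"]


def parse_eset_found(lines):
    """Return (path, threat, status) for each line that is an ESET finding."""
    hits = []
    for line in lines:
        m = ESET_LINE.match(line.strip())
        if m:
            hits.append((m["path"], m["threat"], m["status"]))
    return hits


def build_otm_script(paths):
    """Render the move script in the layout used in the thread: one path per line."""
    return "\n".join([":Processes", "", ":Files", *paths, *OTM_COMMANDS])


def check_otm_script(script):
    """Return the :Files lines that do not contain exactly one absolute path.

    OTM reads each line as a single name, so two paths pasted on one line are
    looked up as one (nonexistent) name and logged as 'not found'."""
    bad, in_files = [], False
    for line in script.splitlines():
        s = line.strip()
        if s.startswith(":"):
            in_files = s.lower() == ":files"
        elif in_files and s and len(DRIVE_PREFIX.findall(s)) != 1:
            bad.append(line)
    return bad


def reconcile_otm_log(log_lines):
    """Map each path OTM reported on to 'moved' or 'not found'."""
    outcome = {}
    for line in log_lines:
        m = OTM_RESULT.match(line.strip())
        if m and m["moved"]:
            outcome[m["moved"]] = "moved"
        elif m:
            outcome[m["missing"]] = "not found"
    return outcome


# Constructed sample input, modelled on the ESET log posted in the thread.
SAMPLE_ESET = r"""# found=3
# cleaned=0
C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll Win32/Kryptik.BAK.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\librvry.dll Win32/Kryptik.BAK.gen trojan (unable to clean) 00000000000000000000000000000000 I
C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0003.dta Win32/Olmarik.ADZ trojan (unable to clean) 00000000000000000000000000000000 I
""".splitlines()

# Constructed OTM result log, modelled on the one posted in the thread: the
# second and third paths were pasted on one line, so OTM reports them as one
# name that is "not found".
SAMPLE_OTM_LOG = r"""All processes killed
========== FILES ==========
LoadLibrary failed for C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll
C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll moved successfully.
File/Folder C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\librvry.dll C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0003.dta not found.
""".splitlines()


if __name__ == "__main__":
    hits = parse_eset_found(SAMPLE_ESET)
    script = build_otm_script(p for p, _, _ in hits)
    print(script)
    print("lines with more than one path:", check_otm_script(script))
    for path, status in reconcile_otm_log(SAMPLE_OTM_LOG).items():
        print(status, "<-", path)
```

Run `check_otm_script` on the text you are about to paste into OTM; any line it returns needs splitting before the move, which is exactly the error that produced the "not found" entry in the next post's log.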
     
  9. BlckBerry

    BlckBerry TS Rookie Topic Starter

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    LoadLibrary failed for C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll
    C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\libriwb.dll moved successfully.
    File/Folder C:\Program Files\ODT-OCE\Ascent Advanced Forms 3.7\Conversion\bin\librvry.dll C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0003.dta not found.
    C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0005.dta moved successfully.
    C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0006.dta moved successfully.
    File/Folder C:\TDSSKiller_Quarantine\13.12.2010_08.54.44\boot0000\tdlfs0000\tsk0007.dta not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: All Users

    User: anthony.berry.SMI
    ->Temp folder emptied: 1234 bytes
    ->Temporary Internet Files folder emptied: 9903261 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: betty.fry
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: bobbie.wilkinson
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Don Baker
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: don.baker
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes

    User: katie.tracy
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 33170 bytes
    ->Flash cache emptied: 0 bytes

    User: pelvia.harris
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: robbie.robinson
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: sandra.dagostino
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: stephanie.spurlock
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: ted.mcdonald
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 10.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12152010_105944

    Files moved on Reboot...

    Registry entries deleted on Reboot...


    ComboFix 10-12-14.07 - anthony.berry 12/15/2010 11:24:52.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2598 [GMT -5:00]
    Running from: c:\documents and settings\anthony.berry.SMI\Desktop\ComboFix.exe
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    c:\documents and settings\stephanie.spurlock\Application Data\Adobe\AdobeUpdate .exe
    c:\documents and settings\stephanie.spurlock\Application Data\Adobe\plugs
    c:\documents and settings\stephanie.spurlock\Local Settings\Application Data\{06AC7C17-3E03-4615-B3E6-EB1654C6E5FE}
    c:\documents and settings\stephanie.spurlock\Local Settings\Application Data\{06AC7C17-3E03-4615-B3E6-EB1654C6E5FE}\chrome.manifest
    c:\documents and settings\stephanie.spurlock\Local Settings\Application Data\{06AC7C17-3E03-4615-B3E6-EB1654C6E5FE}\chrome\content\_cfg.js
    c:\documents and settings\stephanie.spurlock\Local Settings\Application Data\{06AC7C17-3E03-4615-B3E6-EB1654C6E5FE}\chrome\content\overlay.xul
    c:\documents and settings\stephanie.spurlock\Local Settings\Application Data\{06AC7C17-3E03-4615-B3E6-EB1654C6E5FE}\install.rdf
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    ----- BITS: Possible infected sites -----

    hxxp://gawsus
    .
    ((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))
    .

    2010-12-15 15:59 . 2010-12-15 15:59 -------- d-----w- C:\_OTM
    2010-12-13 14:07 . 2010-12-13 14:07 -------- d-----w- c:\program files\ESET
    2010-12-13 13:55 . 2010-12-13 13:55 -------- d-----w- C:\TDSSKiller_Quarantine
    2010-12-13 13:38 . 2010-12-13 13:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2010-12-13 13:38 . 2010-12-13 13:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
    2010-12-10 14:39 . 2010-12-10 14:39 134464 ----a-w- c:\windows\system32\LnkProtect.dll
    2010-12-10 14:29 . 2010-12-10 16:55 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
    2010-12-10 14:29 . 2010-12-10 14:29 -------- d-----w- c:\program files\Hitman Pro 3.5
    2010-12-10 14:28 . 2010-12-10 14:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
    2010-12-09 14:11 . 2010-12-09 14:11 -------- d-s---w- c:\documents and settings\anthony.berry.SMI\UserData
    2010-12-03 19:30 . 2010-12-03 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-12-03 19:11 . 2010-12-03 20:21 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2010-12-03 19:03 . 2009-09-29 20:05 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
    2010-12-03 18:56 . 2010-12-03 19:00 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-12-03 18:56 . 2010-12-03 19:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-12-03 16:22 . 2010-12-03 16:22 -------- d-----w- c:\documents and settings\stephanie.spurlock\Application Data\Malwarebytes
    2010-12-03 16:21 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-03 16:21 . 2010-12-03 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-12-03 16:20 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-03 16:20 . 2010-12-06 15:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-29 115560]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Shortcut to SMILaunch.lnk - \\ncsduvg056\SMIApps\Prod\SMILaunch\SMILaunch.exe [2010-7-19 1114112]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1209\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1272\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-14147\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1423\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-4928\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-4929\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8618\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8672\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [6/3/2003 3:52 PM 123957]
    R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [6/3/2003 3:52 PM 46900]
    R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [3/7/2006 2:46 PM 8704]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/3/2010 3:21 PM 102448]
    S3 COAX;COAX;c:\windows\system32\drivers\COAX.SYS [8/10/2005 1:58 PM 26528]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [9/29/2009 3:05 PM 23888]
    S3 RMBS;RMBS;c:\windows\system32\drivers\RMBS.SYS [8/10/2005 1:58 PM 18208]
    S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\Clt-Inst\vpremote.exe [6/11/2010 12:47 PM 142192]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://insidesmi/
    mStart Page = hxxp://www.dell.com
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    TCP: {FAB8539F-27EC-423B-9D13-A76691C35E20} = 192.168.2.42,10.0.5.3
    .
    - - - - ORPHANS REMOVED - - - -

    Notify-NavLogon - (no file)
    SafeBoot-Symantec Antvirus



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-15 11:28
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-12-15 11:30:38
    ComboFix-quarantined-files.txt 2010-12-15 16:30

    Pre-Run: 26,965,839,872 bytes free
    Post-Run: 26,931,793,920 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - DD3A282C95858CB97DB64A2A0EED790A
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, you're almost there!

    I notice there are No restore points in system.> why?
    Please update to Java(TM) 6 Update 22> Check this site: Java Updates, and uninstall v6u17 in Add/Remove Programs.

    Is this your workplace Domain? uStart Page = hxxp://insidesmi/?

    You have this entry in the Startup folder:
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\shortc~1.lnk - \\ncsduvg056\smiapps\prod\smilaunch\SMILaunch.exe
    Please verify if it is for this site:
    http://www.redrc.net/2010/04/smi-launch-orcan-shop-austria/
    ==================================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it: (Be sure to scroll down to include ALL lines.)
    Code:
    KillAll::
    File::
    c:\windows\system32\drivers\hitmanpro35.sys
    Folder::
    c:\program files\Hitman Pro 3.5
    c:\docume~1\alluse~1\applic~1\Hitman Pro
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Regarding Hitman Pro: This is a bundle of programs that are all free on the internet. Some have been used without permission of their authors. There is a short trial period after which you have to pay to have entries removed, but could have gotten removal free from the original programs.

    Please uninstall it in Add/Remove Programs, then use Windows explorer (Windows key + E) to access My Computer> Local Drive> Programs> find and delete the Hitman Pro folder.
    Close Windows Explorer.
    =======================================
    Let's check with this to make sure no bad entries remain:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
    • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
     
  11. BlckBerry

    BlckBerry TS Rookie Topic Starter

    To answer your few questions above...

    This is a company PC. System Restore was disabled to prevent any more occurrences of spyware. PC will be imaged after this cleanup, so will most likely NOT have system restore enabled.

    The webpage is a company intranet site. Also, the shortcut in startup is for an internal co. application. SMILaunch

    Logs will be incoming soon...
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No IT person to help cleanup?
     
  13. BlckBerry

    BlckBerry TS Rookie Topic Starter

    I am the 'IT' person ;)
     
  14. BlckBerry

    BlckBerry TS Rookie Topic Starter

    ComboFix 10-12-18.02 - anthony.berry 12/19/2010 12:58:21.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2602 [GMT -5:00]
    Running from: c:\documents and settings\anthony.berry.SMI\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\anthony.berry.SMI\Desktop\CFScript.txt
    AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

    FILE ::
    "c:\windows\system32\drivers\hitmanpro35.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\docume~1\alluse~1\applic~1\Hitman Pro
    c:\docume~1\alluse~1\applic~1\Hitman Pro\Banner.bin
    c:\docume~1\alluse~1\applic~1\Hitman Pro\HitmanPro.key
    c:\docume~1\alluse~1\applic~1\Hitman Pro\HitmanPro.lic
    c:\windows\system32\drivers\hitmanpro35.sys

    .
    ((((((((((((((((((((((((( Files Created from 2010-11-19 to 2010-12-19 )))))))))))))))))))))))))))))))
    .

    2010-12-19 17:54 . 2010-12-19 17:54 -------- d-----w- C:\HiJackThis
    2010-12-15 15:59 . 2010-12-15 15:59 -------- d-----w- C:\_OTM
    2010-12-13 14:07 . 2010-12-13 14:07 -------- d-----w- c:\program files\ESET
    2010-12-13 13:55 . 2010-12-13 13:55 -------- d-----w- C:\TDSSKiller_Quarantine
    2010-12-13 13:38 . 2010-12-13 13:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
    2010-12-13 13:38 . 2010-12-13 13:38 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
    2010-12-10 14:39 . 2010-12-10 14:39 134464 ----a-w- c:\windows\system32\LnkProtect.dll
    2010-12-09 14:11 . 2010-12-09 14:11 -------- d-s---w- c:\documents and settings\anthony.berry.SMI\UserData
    2010-12-03 19:30 . 2010-12-03 19:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
    2010-12-03 19:11 . 2010-12-03 20:21 167936 ----a-w- c:\windows\system32\drivers\wpshelper.sys
    2010-12-03 19:03 . 2009-09-29 20:05 92488 ----a-w- c:\windows\system32\drivers\SysPlant.sys
    2010-12-03 18:56 . 2010-12-03 19:00 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
    2010-12-03 18:56 . 2010-12-03 19:00 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2010-12-03 16:22 . 2010-12-03 16:22 -------- d-----w- c:\documents and settings\stephanie.spurlock\Application Data\Malwarebytes
    2010-12-03 16:21 . 2010-11-29 22:42 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-03 16:21 . 2010-12-03 16:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2010-12-03 16:20 . 2010-11-29 22:42 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-03 16:20 . 2010-12-06 15:29 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-15_16.28.36 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2010-12-19 18:02 . 2010-12-19 18:02 16384 c:\windows\temp\Perflib_Perfdata_2a0.dat
    - 2004-08-11 22:00 . 2010-11-17 20:31 63860 c:\windows\system32\perfc009.dat
    + 2004-08-11 22:00 . 2010-12-15 16:42 63860 c:\windows\system32\perfc009.dat
    + 2010-12-16 05:03 . 2010-12-19 05:02 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    - 2005-08-10 16:46 . 2010-12-15 05:03 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2005-08-10 16:46 . 2010-12-19 05:02 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2010-12-16 05:03 . 2010-12-19 05:02 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    - 2005-08-10 16:46 . 2010-12-15 05:03 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
    + 2004-08-11 22:00 . 2010-12-15 16:42 405310 c:\windows\system32\perfh009.dat
    - 2004-08-11 22:00 . 2010-11-17 20:31 405310 c:\windows\system32\perfh009.dat
    + 2010-12-15 16:36 . 2010-12-15 16:36 233936 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe
    + 2010-12-15 16:36 . 2010-12-15 16:36 311248 c:\windows\system32\Macromed\Flash\FlashUtil10l_ActiveX.dll
    + 2010-10-22 01:04 . 2010-10-22 01:04 2827728 c:\windows\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-08-21 155648]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-08-21 118784]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-01-20 149280]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-09-29 115560]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Shortcut to SMILaunch.lnk - \\ncsduvg056\SMIApps\Prod\SMILaunch\SMILaunch.exe [2010-7-19 1114112]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1209\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1272\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-14147\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1423\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-4928\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-4929\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8618\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8672\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009

    R0 PQV2i;PQV2i;c:\windows\system32\drivers\PQV2i.sys [6/3/2003 3:52 PM 123957]
    R1 PQIMount;PQIMount;c:\windows\system32\drivers\PQIMount.sys [6/3/2003 3:52 PM 46900]
    R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [3/7/2006 2:46 PM 8704]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [12/3/2010 3:21 PM 102448]
    S3 COAX;COAX;c:\windows\system32\drivers\COAX.SYS [8/10/2005 1:58 PM 26528]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [9/29/2009 3:05 PM 23888]
    S3 RMBS;RMBS;c:\windows\system32\drivers\RMBS.SYS [8/10/2005 1:58 PM 18208]
    S3 VPREMOTE;VPRemote Install Bootstrap Service;c:\temp\Clt-Inst\vpremote.exe [6/11/2010 12:47 PM 142192]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://insidesmi/
    mStart Page = hxxp://www.dell.com
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    TCP: {FAB8539F-27EC-423B-9D13-A76691C35E20} = 192.168.2.42,10.0.5.3
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-19 13:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Symantec AntiVirus\Smc.exe
    c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Symantec AntiVirus\Rtvscan.exe
    c:\program files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    c:\program files\Symantec AntiVirus\SmcGui.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-19 13:20:30 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-19 18:20
    ComboFix2.txt 2010-12-15 16:30

    Pre-Run: 26,891,198,464 bytes free
    Post-Run: 26,884,304,896 bytes free

    - - End Of File - - 5DD5832A154D4EDEF33B70328E51C46C

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 1:28:06 PM, on 12/19/2010
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    C:\Program Files\Symantec AntiVirus\SmcGui.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\HiJackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insidesmi/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
    O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - Global Startup: Shortcut to SMILaunch.lnk = Prod\SMILaunch\SMILaunch.exe
    O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = smi.corp
    O17 - HKLM\Software\..\Telephony: DomainName = smi.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{FAB8539F-27EC-423B-9D13-A76691C35E20}: NameServer = 192.168.2.42,10.0.5.3
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = smi.corp
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: V2i Protector - PowerQuest Corporation - C:\Program Files\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Symantec Corporation - C:\TEMP\Clt-Inst\vpremote.exe

    --
    End of file - 6328 bytes
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    These logs look 'squeaky clean'! There is just one removal:
    Please run this Custom CFScript:

    [1]. Close any open browsers.
    [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
    [3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    C:\TDSSKiller_Quarantine
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [image]
    Referring to the picture above, drag CFScript into ComboFix.exe
    When finished, it will produce a log for you at C:\ComboFix.txt. You do not need to leave this log unless new problems have come up.
    ============================================================
    Is it safe to assume that you have made all of these settings for group policy?
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-8672\Scripts\Logon\0\0]
    "Script"=NC_Logon.bat

    I count 10 user accounts on this system. Is that right? It would be a good idea to run TFC again. TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, Java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    And a heads-up on this: there is a site with the partial name gawsus noted as possibly infected.
    ================================================
    Removing all of the tools we used and the files and folders they created
    • Uninstall ComboFix and all Backups of the files it deleted
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    • Download OTCleanIt by OldTimer and save it to your Desktop.
    • Double click OTCleanIt.exe.
    • Click the CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.
    Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
    • You should now set a new Restore Point and remove the old restore points to prevent infection from any previous Restore Points.
    • Go to Start > All Programs > Accessories > System Tools
    • Click "System Restore".
    • Choose "Create a Restore Point" on the first screen then click "Next".
    • Give the Restore Point a name> click "Create".
    • Go back and follow the path to > System Tools.
    • Choose Disk Cleanup
    • Click "OK" to select the partition or drive you want.
    • Click the "More Options" Tab.
    • Click "Clean Up" in the System Restore section to remove all previous Restore Points except the newly created one.


    Empty the Recycle Bin
    Let me know if you have any more questions.
    Have a Happy and Peaceful Holiday!
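Triage of the two log formats posted in this thread (HijackThis O-entries and the ComboFix "Reg Loading Points" keys the helper asks about), as an added example that is not part of the thread or of either tool: it flags BHOs whose DLL is gone, lists autostarts, DNS servers and services running from outside the usual install directories, and counts the distinct user SIDs that carry a Group Policy logon script. The sample lines are constructed from the formats shown above, and the list of "usual" service directories is an assumption.

```python
import re

# Constructed sample: a few lines in the HijackThis v2.0.4 format used in this
# thread (abridged, not the poster's complete log).
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://insidesmi/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{FAB8539F-27EC-423B-9D13-A76691C35E20}: NameServer = 192.168.2.42,10.0.5.3
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Smc.exe
O23 - Service: VPRemote Install Bootstrap Service (VPREMOTE) - Symantec Corporation - C:\TEMP\Clt-Inst\vpremote.exe
"""

# Constructed sample of ComboFix "Reg Loading Points" keys, same shape as the log above.
COMBOFIX_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1209\Scripts\Logon\0\0]
"Script"=NC_Logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1272\Scripts\Logon\0\0]
"Script"=NC_Logon.bat
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-515967899-682003330-937999820-1423\Scripts\Logon\0\0]
"Script"=NC_Logon.bat
"""

O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")
O4_RE = re.compile(r'^O4 - (\S+): \[(.*?)\] "?([^"]*)"?$')
O17_RE = re.compile(r"^O17 - .*NameServer = (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
GP_SID_RE = re.compile(r"group policy\\state\\(S-1-5-21-[\d-]+)\\Scripts\\Logon", re.I)

# Assumption: where services on this XP box are expected to live; anything else gets a second look.
USUAL_DIRS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def triage_hjt(text):
    """Pull out the HijackThis entries a reviewer checks first."""
    out = {"orphan_bhos": [], "autostarts": [], "nameservers": [], "services_outside_usual_dirs": []}
    for line in text.splitlines():
        m = O2_RE.match(line)
        if m and m.group(3).strip() == "(no file)":
            out["orphan_bhos"].append(m.group(2))      # CLSID still registered, DLL gone
            continue
        m = O4_RE.match(line)
        if m:
            out["autostarts"].append((m.group(2), m.group(3)))
            continue
        m = O17_RE.match(line)
        if m:
            out["nameservers"].extend(ip.strip() for ip in m.group(1).split(","))
            continue
        m = O23_RE.match(line)
        if m and not m.group(3).strip().lower().startswith(USUAL_DIRS):
            out["services_outside_usual_dirs"].append((m.group(1), m.group(3).strip()))
    return out


def gp_logon_script_sids(text):
    """Distinct user SIDs holding a Group Policy logon-script state key in a ComboFix log."""
    return sorted(set(GP_SID_RE.findall(text)))


if __name__ == "__main__":
    print(triage_hjt(HJT_SAMPLE))
    print(len(gp_logon_script_sids(COMBOFIX_SAMPLE)), "accounts with a GP logon script")
```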
     
Topic Status:
Not open for further replies.
