Inactive Followed 8 step sticky, root-kit activity likely, help appreciated

[bigmanrpb]

Hello,

First, I want to say that this is an amazing forum! I have followed some of the basic steps to fix problems I have had in the past and it always worked out for the best.

Now, however, I believe I have root kit activity on my machine. It has caused slow startup and shutdown times, google links to re-direct, and will not let me access my Gmail account.

After reading similar posts I learned that I should not run Combo-Fix unless instructed so I have not done so; but I have it saved to my desktop should it be needed.

I ran programs: Sweeper to clean my temporary files, Spybot Search and Destroy removing all 9 malware entrys found, GMER and DDS.

I have copy & pasted the Logs from GMER and DDS as Instructed but they exceeded the 20,000 forum character limit. Please find them attached.

Thank you for your time, effort, and expertise!

~Bigmanrpb~

 

[Broni]

Malwarebytes log is missing.

 

[bigmanrpb]

Thank you for the response Broni,

I ran malwarebytes following all instructions. The log is as follows

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4232

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/23/2010 6:57:20 PM
mbam-log-2010-06-23 (18-57-20).txt

Scan type: Quick scan
Objects scanned: 147231
Time elapsed: 5 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\3.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\4.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\7.tmp (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Local Settings\Temp\buwwhw.exe (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HelpAssistant\Application Data\Microsoft\Internet Explorer\Quick Launch\Protection Center.LNK (Rogue.ProtectionCenter) -> Quarantined and deleted successfully.

 

[Broni]

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
   NOTE. If Combofix asks you to install Recovery Console, please allow it.
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt"

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

 

[bigmanrpb]

Thank you again for the help Broni,

I followed the instructions to the letter and the following is the log file from Combofix.

ComboFix 10-06-23.02 - DiveMaster Rob 06/23/2010 19:47:39.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1661 [GMT -10:00]
Running from: c:\documents and settings\DiveMaster Rob\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.

2010-06-24 03:04 . 2010-06-24 03:04 -------- d-----w- c:\documents and settings\DiveMaster Rob\Application Data\Malwarebytes
2010-06-24 03:04 . 2010-04-30 01:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-24 03:04 . 2010-06-24 03:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-24 03:04 . 2010-06-24 03:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-06-24 03:04 . 2010-04-30 01:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-22 01:58 . 2010-06-22 01:58 -------- d-----w- c:\documents and settings\HelpAssistant\PrivacIE
2010-06-22 01:55 . 2010-06-22 02:11 -------- d-----w- c:\documents and settings\HelpAssistant\IECompatCache
2010-06-22 01:55 . 2010-06-22 01:55 -------- d-----w- c:\documents and settings\HelpAssistant\IETldCache
2010-06-15 18:39 . 2010-06-15 18:39 -------- d-----w- c:\documents and settings\DiveMaster Rob\Local Settings\Application Data\HP
2010-06-11 19:30 . 2010-05-06 10:41 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-09 01:09 . 2010-06-09 01:09 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-06-09 01:08 . 2010-06-09 01:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-05-29 01:22 . 2008-03-28 20:07 20992 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\Convivea\Bit_Che\languages\compare.exe
2010-05-29 01:22 . 2010-05-29 01:22 -------- d-----w- c:\program files\Bit Che
2010-05-29 01:22 . 2010-05-29 01:22 -------- d-----w- c:\documents and settings\DiveMaster Rob\Application Data\Convivea
2010-05-29 01:22 . 2009-04-11 04:40 118784 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\Convivea\Bit_Che\scripts\x.exe
2010-05-29 01:22 . 2008-03-28 20:02 60928 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\Convivea\Bit_Che\scripts\update.exe
2010-05-29 01:22 . 2007-07-12 05:43 24557 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\Convivea\Bit_Che\scripts\special.exe
2010-05-29 01:22 . 2003-08-19 15:06 80896 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\Convivea\Bit_Che\scripts\x.dll
2010-05-27 08:10 . 2010-05-27 08:10 -------- d-----w- c:\documents and settings\All Users\Application Data\id Software
2010-05-27 05:29 . 2010-05-27 05:29 -------- d-----w- c:\program files\Haali
2010-05-27 05:29 . 2010-05-27 05:29 -------- d-----w- c:\program files\CoreCodec
2010-05-26 00:27 . 2010-05-26 00:28 -------- d-----w- c:\program files\Skypedelay

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 05:46 . 2009-06-21 21:18 0 ----a-w- c:\windows\system32\drivers\lvuvc.hs
2010-06-24 05:46 . 2009-06-21 21:16 0 ----a-w- c:\windows\system32\drivers\logiflt.iad
2010-06-24 05:02 . 2007-08-07 21:45 163712 ----a-w- c:\windows\system32\drivers\vidstub.sys
2010-06-22 06:01 . 2007-06-17 19:05 -------- d-----w- c:\documents and settings\DiveMaster Rob\Application Data\uTorrent
2010-06-18 04:24 . 2009-06-21 21:49 -------- d-----w- c:\documents and settings\DiveMaster Rob\Application Data\Skype
2010-06-18 03:16 . 2009-06-21 21:50 -------- d-----w- c:\documents and settings\DiveMaster Rob\Application Data\skypePM
2010-06-17 23:49 . 2009-06-22 04:38 139336 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-06-17 23:49 . 2009-06-22 04:56 371776 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\id Software\quakelive\home\baseq3\cgamex86.dll
2010-06-17 23:49 . 2009-06-22 04:56 187456 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\id Software\quakelive\home\baseq3\uix86.dll
2010-06-17 23:48 . 2009-06-22 04:38 214720 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-06-17 23:48 . 2009-06-22 04:56 57344 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\id Software\quakelive\home\pb\pbag.dll
2010-06-17 23:48 . 2009-06-22 04:56 887448 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\id Software\quakelive\home\pb\pbcl.dll
2010-06-17 23:48 . 2009-06-22 04:56 2436160 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\id Software\quakelive\home\baseq3\quakelive.dll
2010-06-16 08:13 . 2007-06-17 17:41 61600 ----a-w- c:\windows\system32\nvModes.dat
2010-06-15 18:39 . 2010-05-24 22:38 -------- d-----w- c:\documents and settings\DiveMaster Rob\Application Data\HP
2010-06-14 04:43 . 2008-02-12 19:52 -------- d-----w- c:\program files\Common Files\Adobe
2010-06-02 23:24 . 2007-06-17 19:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-02 06:02 . 2007-09-23 20:15 -------- d-----w- c:\documents and settings\DiveMaster Rob\Application Data\dvdcss
2010-05-28 23:05 . 2009-06-25 08:36 465984 ----a-w- c:\documents and settings\DiveMaster Rob\Application Data\id Software\quakelive\home\baseq3\qagamex86.dll
2010-05-27 08:13 . 2009-06-22 04:37 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2010-05-27 08:13 . 2009-06-22 04:37 2373712 ----a-w- c:\windows\system32\pbsvc.exe
2010-05-27 05:24 . 2010-05-24 07:32 -------- d-----w- c:\program files\VistaCodecPack
2010-05-27 05:24 . 2010-05-24 07:32 -------- d-----w- c:\documents and settings\All Users\Application Data\VistaCodecs
2010-05-24 22:42 . 2010-05-24 22:42 -------- d-----w- c:\documents and settings\DiveMaster Rob\Application Data\HPAppData
2010-05-24 22:38 . 2007-06-17 17:36 69616 ----a-w- c:\documents and settings\DiveMaster Rob\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-24 22:38 . 2010-05-24 22:38 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-05-24 22:38 . 2010-05-24 22:32 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-05-24 22:38 . 2010-05-24 22:29 168023 ----a-w- c:\windows\hpoins37.dat
2010-05-24 22:36 . 2010-05-24 22:36 -------- d-----w- c:\program files\Yahoo!
2010-05-24 22:36 . 2010-05-24 22:36 -------- d-----w- c:\documents and settings\DiveMaster Rob\Application Data\Yahoo!
2010-05-24 22:36 . 2010-05-24 22:36 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2010-05-24 22:35 . 2010-05-24 22:30 -------- d-----w- c:\program files\HP
2010-05-24 22:34 . 2010-05-24 22:34 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-05-24 22:33 . 2010-05-24 22:33 -------- d-----w- c:\program files\Common Files\HP
2010-05-24 22:32 . 2010-05-24 22:32 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-05-24 06:00 . 2007-08-16 22:28 96384 ----a-w- c:\windows\system32\drivers\sptd7357.sys
2010-05-24 05:58 . 2007-06-17 17:29 86327 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-05-24 04:27 . 2010-05-24 04:27 0 ----a-w- c:\windows\nsreg.dat
2010-05-24 03:37 . 2007-06-17 19:05 -------- d-----w- c:\program files\uTorrent
2010-05-06 10:41 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2008-03-06 19:35 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-04 12:00 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-13 23:03 . 2010-04-13 23:03 2373712 ----a-w- c:\documents and settings\All Users\Application Data\id Software\QuakeLive\pbsvc.exe
2010-03-31 10:16 . 2010-03-31 10:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-31 10:10 . 2010-03-31 10:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
.

((((((((((((((((((((((((((((( SnapShot_2010-06-23_06.26.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-06-23 06:27 . 2010-06-23 06:27 37888 c:\windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Pres#\f46915dfc57bc7e49c5402e9b8f7ec18\System.Windows.Presentation.ni.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-07-23 401408]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-07-23 385024]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-03-24 5525504]
"Dell QuickSet"="c:\program files\Dell\QuickSet\Quickset.exe" [2005-03-04 622592]
"UltraMon"="c:\program files\UltraMon\UltraMon.exe" [2006-10-13 304640]
"BootSkin Startup Jobs"="c:\progra~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" [2004-04-26 270336]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"nwiz"="nwiz.exe" [2005-03-24 1495040]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-10-10 69632]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]

c:\documents and settings\DiveMaster Rob\Start Menu\Programs\Startup\
MagicDisc.lnk.disabled [2008-11-9 652]
OneNote 2007 Screen Clipper and Launcher.lnk.disabled [2008-1-14 947]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk.disabled [2010-5-24 1849]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-21 809488]
VPN Client.lnk - c:\windows\Installer\{CCBAA1F7-E5E1-48B2-9ED9-A79C6A37CE78}\Icon3E5562ED7.ico [2008-2-16 6144]
Windows Desktop Search.lnk.disabled [2008-9-9 1781]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2005-07-23 03:46 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2008-11-07 21:41 72208 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe"
"swg"=c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"<NO NAME>"=
"RegistryMechanic"=
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe"
"BJCFD"=c:\program files\BroadJump\Client Foundation\CFD.exe
"nwiz"=nwiz.exe /installquiet
"HP Software Update"=c:\program files\HP\HP Software Update\HPWuSchd2.exe
"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" /hide
"EPSON Stylus CX6600 Series"=c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\IES\\VisualAnalysis 5.5 Package\\VisualAnalysis55.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\Common Files\\HP\\Digital Imaging\\Bin\\hpqPhotoCrm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=
"c:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\smart web printing\\SmartWebPrintExe.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"52996:UDP"= 52996:UDP:utorrent
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"9167:TCP"= 9167:TCP:Services
"9168:TCP"= 9168:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
"2649:TCP"= 2649:TCP:Services
"3798:TCP"= 3798:TCP:Services
"8351:TCP"= 8351:TCP:Services
"8352:TCP"= 8352:TCP:Services
"2164:TCP"= 2164:TCP:Services
"2828:TCP"= 2828:TCP:Services

R1 DhaHelper;DhaHelper;c:\windows\system32\drivers\dhahelper.sys [12/11/2007 9:58 AM 7168]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [6/21/2009 11:24 AM 10384]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [9/24/2006 4:22 PM 11776]
R3 UltraMonMirror;UltraMonMirror;c:\windows\system32\drivers\UltraMonMirror.sys [9/24/2006 4:23 PM 3584]
S3 libusb0;LibUsb-Win32 - Kernel Driver 03/20/2007, 0.1.12.1;c:\windows\system32\drivers\libusb0.sys [12/11/2007 9:58 AM 28672]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [4/28/2008 8:56 AM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [4/28/2008 8:56 AM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [4/28/2008 8:56 AM 42112]
S3 TiglUsb;TiglUsb.sys TI-GRAPH / DIRECT LINK USB driver;c:\windows\system32\Drivers\TiglUsb.sys --> c:\windows\system32\Drivers\TiglUsb.sys [?]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [8/16/2007 12:28 PM 642560]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-06-18 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-06-24 c:\windows\Tasks\SkypeDelay.job
- c:\program files\Skypedelay\SkypeDelay.vbs [2010-05-26 06:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: att.net
Trusted Zone: sbcglobal.net
Trusted Zone: yahoo.com\clientapps
TCP: {40B025D0-0630-4670-93C5-3D3A21067802} = 192.168.2.1
DPF: Microsoft XML Parser for Java - file:///C:/windows/Java/classes/xmldso.cab
DPF: {5D80A6D1-B500-47DA-82B8-EB9875F85B4D} - hxxp://dl.google.com/dl/desktop/nv/GoogleGadgetPluginIEWin.cab
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Gtk+ Runtime Environment - c:\gtk\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-23 19:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8990F78A]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28
\Driver\ACPI -> ACPI.sys @ 0xb9f57cb8
\Driver\atapi -> ntkrnlpa.exe @ 0x8057c2df
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80579014
ParseProcedure -> ntkrnlpa.exe @ 0x80577c76
NDIS: Broadcom NetXtreme Gigabit Ethernet -> SendCompleteHandler -> 0x89975980
PacketIndicateHandler -> NDIS.sys @ 0xb9dc6a0d
SendHandler -> NDIS.sys @ 0xb9ddab40
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-515967899-1275210071-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:c4,a0,f8,2c,36,41,2d,0a,3c,1a,0d,c2,95,bc,55,f3,12,1e,f8,7f,47,dd,00,
f9,b3,d0,8a,db,e4,77,4f,b0,c0,e9,bb,28,b2,51,61,b7,6d,b0,2f,1f,e7,14,12,f2,\
"??"=hex:af,ae,bd,e0,38,d8,28,1a,51,76,d8,b2,d8,3c,bc,a3

[HKEY_USERS\S-1-5-21-515967899-1275210071-725345543-1003\Software\SecuROM\License information*]
"datasecu"=hex:ea,4b,4f,8c,e9,5e,bf,89,4d,a4,86,23,21,89,e4,d1,10,d0,fa,b8,45,
72,37,d3,31,a2,51,9e,8f,d5,70,f9,b0,48,e7,85,d3,aa,83,2d,27,c2,87,e0,bd,b5,\
"rkeysecu"=hex:62,b0,a8,88,3e,07,21,e8,00,5f,80,cd,87,65,d5,dc

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1344)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
Completion time: 2010-06-23 19:56:00
ComboFix-quarantined-files.txt 2010-06-24 05:55
ComboFix2.txt 2010-06-22 06:18
ComboFix3.txt 2010-06-22 03:19
ComboFix4.txt 2010-06-14 08:54
ComboFix5.txt 2010-06-23 06:13

Pre-Run: 34,681,491,456 bytes free
Post-Run: 34,683,379,712 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=6 Sets=1,2,3,4,5,6
- - End Of File - - 333D8722D20D92553065EF9FFF3B77FC

 

[Broni]

My Combofix instructions say:

NOTE. If Combofix asks you to install Recovery Console, please allow it.

...and Combofix reports:

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

Make sure, you allow recovery console installation, when we run Combofix again.

====================================================================

Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

* Doubleclick mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log (mbr.log) file to your next reply.

 

[bigmanrpb]

Thanks again Broni,

When I ran Combofix I allowed it to download and install the recovery Console. after starting the scan it said that root-kit activity was found and needed to restart so I clicked OK. It then tryed to install the Recovery console again but encountered an error and did not give a prompt before running with out it. the following is the MBR log.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

 

[Broni]

I didn't ask you to run Combofix again, yet

Go Start>Run (Vista/7 users "Start search"), type in:
cmd
Click OK (Vista/7 users, hold CTRL and SHIFT keys, press Enter)

At the DOS prompt type:
"%userprofile%\desktop\mbr.exe" -f (<------make sure you have a space before the -f)
Hit Enter.

Type:
exit
Hit Enter.

Restart the computer normally.

Run the mbr.exe again.
Post new log.

 

[bigmanrpb]

Entered the CMD code verbatum and restarted normally then ran MBR.exe

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

 

[Broni]

Good
Delete your GMER and Combofix files, download fresh one, run both tools and post new logs.
GMER first, then Combo.
Don't forget about recovery console.

 

[bigmanrpb]

Thank you Broni,

My computer seems to be running great!

Sorry it took so long to respond, I had a lot of school work to catch up on. I Ran GMER and Combo Fix; I have attached the Log files as they exceed the character limit of this forum ; )

 

[Broni]

You still didn't install recovery console.

Download and save HelpAsst_mebroot_fix.exe to your desktop.

• Close all open programs.
• Double click HelpAsst_mebroot_fix.exe to run it.
• Pay attention to the running tool.
• If the tool detects mbr infection, please allow it to run mbr -f and shutdown your computer. To do so, type Y and press Enter.
• After restart, wait 5 minutes, then go Start>Run, copy and paste the following command in the run box then hit Enter:
  • 
    helpasst -mbrt
• When it completes, a log will open.
• Please post the contents of that log.

IMPORTANT!
If the tool does NOT detect any mbr infection and completes, proceed with the following...

• Click Start>Run and copy and paste the following command, then hit Enter:
  • 
    mbr -f
• Repeat the above step one more time
• Now shut down the computer (do not restart, but shut it down), wait 5 minutes then start it back up.
• Wait another 5 minutes, then click Start>Run and copy and paste the following command, then hit Enter.
  • 
    helpasst -mbrt
    
• When it completes, a log will open.
• Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

 

[bigmanrpb]

Great! Thanks again. No MBR infection found, so I followed the second set of directions exactly.

C:\Documents and Settings\DiveMaster Rob\Desktop\HelpAsst_mebroot_fix.exe
Sat 06/26/2010 at 19:36:29.84

HelpAssistant account is Active ~ attempting to de-activate

Account active Yes
Local Group Memberships *Administrators

HelpAssistant successfully set Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9167:TCP"=-
"9168:TCP"=-
"3389:TCP"=-
"2649:TCP"=-
"3798:TCP"=-
"8351:TCP"=-
"8352:TCP"=-
"2164:TCP"=-
"2828:TCP"=-
"3227:TCP"=-
"4954:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"9167:TCP"=-
"9168:TCP"=-
"3389:TCP"=-
"2649:TCP"=-
"3798:TCP"=-
"8351:TCP"=-
"8352:TCP"=-
"2164:TCP"=-
"2828:TCP"=-
"3227:TCP"=-
"4954:TCP"=-

~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-515967899-1275210071-725345543-1000
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Sat 06/26/2010 at 20:00:47.26

Account active No
Local Group Memberships

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in registry

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

 

[Broni]

Looks good, so far

Delete your Combofix file, download new one and give me fresh log.

 

[bigmanrpb]

Ok,

So I think the reason why it says recovery console is not installed is that right after I download and install it following the prompts I get this Error:

Error: Boot Partition cannot be Enumerated Correctly

But here is the new log file anyways ; )


Thanks again,

~Bigmanrpb~

 

[Broni]

This time, we'll be removing rather large folder, using Combofix, so it may take a while. Be patient.

1. Please open Notepad

• Click Start , then Run
• Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad


Folder::
C:\HelpAsst_backup


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

• Combofix.txt

 

[bigmanrpb]

Followed your directions and still had Boot Partition error. I attached the new log file in Six parts as it was too large to post as a single file.

Thanks!

~Bigmanrpb~

 

[bigmanrpb]

Here is the 6th file as there is a 5 file limit ; )

 

[Broni]

Looks good

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Restart computer.

==================================================================

Delete your mbr.exe file.

Download the MBR Rootkit Detector: http://www2.gmer.net/mbr/mbr.exe to your desktop.

* Doubleclick mbr.exe and follow prompts (Vista users: right click on mbr.exe and click "Run As Administrator").
* A black DOS window will quickly appear then disappear.
* When mbr.exe is finished it will create a log on your desktop.
* Copy and paste contents of that log (mbr.log) file to your next reply.

 

[bigmanrpb]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x06FC3DBF
malicious code @ sector 0x06FC3DC2 !
PE file found in sector at 0x06FC3DD8 !

 

[Broni]

Very good

How is your computer doing at the moment?

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:


netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU


* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

• When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.

 

[bigmanrpb]

Well its an oldschool Dell XPS Laptop Gen 2 so it was top of the line 5 years ago, but now its just your average laptop. Its running like the day I got it or even better, thanks!

Here are the logs from the last program you had me run with the special coding.

~Bigmanrpb~

 

[Broni]

I'm glad to hear good news

I'm not sure, how I missed it, but you don't have any AV program running.
Please, download and install ONE of these:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- Avira free antivirus: http://www.free-av.com/en/download/1/avira_antivir_personal__free_antivirus.html

======================================================================

Update your Java version here: http://www.java.com/en/download/installed.jsp
Uninstall all previous Java versions, through Add\Remove (Programs & Features in Vista/7).

=======================================================================

Run OTL

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  DRV - [2005/01/26 04:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
  O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - Reg Error: Value error. File not found
  O16 - DPF: Microsoft XML Parser for Java file:///C:/windows/Java/classes/xmldso.cab (Reg Error: Key error.)
  [2010/06/27 19:18:53 | 000,000,000 | ---- | C] () -- C:\windows\System32\drivers\lvuvc.hs
  
  
  :Services
  
  :Reg
  
  :Files
  
  :Commands
  [purity]
  [emptytemp]
  [emptyflash]
  [resethosts]
  [Reboot]

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot the PC when it is done
• You will get a log that shows the results of the fix. Please post it.
• Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

 

[bigmanrpb]

Thanks again!

Here are the new logs

 

[Broni]

You didn't follow ALL instructions.
I still don't see any AV program running and you didn't uninstall old Java versions (1.6.0_02 and 1.6.0_03).
Please, post another OTL Quick Scan, when you're done.