WiredWX Christian Hobby Weather Tools
Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
Thanks, Chris.

Since waiting for your response I ran Sophos Anti-Rootkit on the advice of my brother-in-law who is a Sys Analyst. SAR detected 25 "unknown hidden files" and did not recommend cleaning them as it may harm my system. I cleaned one of the files which I researched and found to be a threat: system32\f36decbb.exe. Unfortunately, SAR doesn't provide a log to send you. I cleaned the one file and the rest of the files were no longer available to view as I had to restart and lost those (I could run it again....it took nearly an hour). Many of the unknown files were "system volume information restore files" with an a0001101.exe extension where the extension numbers varied after the a0001....there were probably around 15 of those files. I think I should have cleaned them also? I researched those files and they were mostly viewed as threats.

I also ran another Malwarebytes scan as I had problems initially accessing websites. 2 infected registry keys were found and the log is listed below.



Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 7.0.5730.11

5/29/2010 11:36:30 AM
mbam-log-2010-05-29 (11-36-30).txt

Scan type: Quick scan
Objects scanned: 129138
Time elapsed: 10 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.19,93.188.161.243 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6b9d9fdd-cc26-42f7-a10e-216d01e76f51}\NameServer (Trojan.DNSChanger) -> Data: 93.188.163.19,93.188.161.243 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
BTW, I did remove Viewpoint Manager and Viewpoint Media Player as they were the only ones present.

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
Chris, just copied the text to notepad and went to save it to the ComboFix file location and noticed it's no longer on my desktop and I can't find it in my files. I see the combofix log but that's it. Should I start over and download ComboFix again?

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
Hi Sparty,

Please wait on the "behind the scenes" guys before proceeding. We've got to figure out the best way to proceed. Thanks Smile...

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
Hi Sparty,

Please do not run any scanners; it's causing confusion for us both. Too many cooks spoil the soup, as they say Smile...

If ComboFix exists on your Desktop, drag it into the Recycle Bin. Download ComboFix again and let me know if you receive a Rootkit message this time Smile...

Please post a new ComboFix log in your reply and we'll go from there.

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
Chris,

Will do. We are just heading out to 2 graduation parties. So.....I'm not going to be able to respond for quite a while. I was hoping to knock this thing down, one way or another before leaving. Wishful thinking! I'll try and respond tonight if at all possible. Otherwise, I guess it waits until tomorrow. I hope you're having a better holiday weekend than I!

I'll be back ASAP.

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
Sounds good Sparty. Enjoy Smile...

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
Ok, Chris. ComboFix was no longer on my desktop...not sure why?? Anyway, I've downloaded ComboFix again and copied the log below. I noticed the log shows 0 hidden files and no rootkit??? Why did Sophos SAR find 25 unknown hidden files yesterday? What about all of those "System Volume Information_Restore\A0001.... .exe files? Were they threats?

Also, while I'm typing this....a new browser window opened up to a random website once again. This was also happening yesterday.

Thanks again for your assistance!



ComboFix 10-05-29.05 - Boss 05/30/2010 11:55:03.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.227 [GMT -4:00]
Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Vb40032.dll

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-30 14:42 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
2010-05-29 17:13 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\f36decbb.exe
2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
2010-05-28 23:49 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
2010-05-28 18:09 . 2010-05-28 18:09 50981 ----a-w- c:\windows\system32\areoghkfntcfn.exe
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
2010-05-28 18:08 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\8db3d791.exe
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\mzhjanoe.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\tevbxohl.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 15:46 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-30 15:46 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-30 14:43 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-29 15:23 . 2004-06-21 16:16 -------- d-----w- c:\program files\Viewpoint
2010-05-29 15:21 . 2004-06-21 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
.

------- Sigcheck -------

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2004-03-19 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB824141$\USER32.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CC5A190-E657-4C30-A101-C0A9252B9DAA}]
2010-05-25 05:38 309248 ----a-w- c:\windows\SYSTEM32\mzhjanoe.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]
"MChk"="c:\windows\system32\tevbxohl.exe" [2010-05-24 40633]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
S0 cadamg;cadamg; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
S2 MSWU-8db3d791;MSWU-8db3d791;c:\windows\SYSTEM32\8db3d791.exe [5/28/2010 2:08 PM 75264]
S2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\SYSTEM32\f36decbb.exe [5/29/2010 1:13 PM 75264]
S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17.tmp --> c:\windows\system32\17.tmp [?]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fyphhfvk
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

2010-04-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 12:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\17.tmp"
.
Completion time: 2010-05-30 12:09:04
ComboFix-quarantined-files.txt 2010-05-30 16:09
ComboFix2.txt 2010-05-28 22:13

Pre-Run: 59,996,250,112 bytes free
Post-Run: 60,041,424,896 bytes free

- - End Of File - - 07D00A30666A8470CDD95816A499D152

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
Hi Sparty,

This infection just keeps on fighting back. I'm working with the guys behind the scenes to come up with a way to attack it. Smile...

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
Hi Sparty,

Let's see the infection stand up to this! Big Grin

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Rootkit::
    c:\windows\system32\f36decbb.exe
    c:\windows\system32\areoghkfntcfn.exe
    c:\windows\system32\8db3d791.exe
    c:\windows\system32\mzhjanoe.dll
    c:\windows\system32\tevbxohl.exe
    c:\windows\SYSTEM32\8db3d791.exe
    c:\windows\system32\17.tmp

    Folder::
    c:\program files\Viewpoint
    c:\documents and settings\All Users\Application Data\Viewpoint

    Driver::
    MSWU-8db3d791
    MSWU-f36decbb
    MEMSWEEP2
    cadamg

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "MChk"=-

    [-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

    NetSvc::
    fyphhfvk
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    (picture: Cfscriptb4)

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.
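As an added example (not the helper's or ComboFix's own code), a Python cross-check of the CFScript above against the ComboFix log it was written from: it parses the "Name::" sections and reports any entry the log never showed, which is how a helper catches a typo before the script runs. The file, service and NetSvcs line shapes are read from the log as posted; reading the Registry:: section as .reg syntax ("[-key]" deletes a key, "name"=- deletes a value) is this example's assumption.

```python
"""Cross-check a ComboFix CFScript against the ComboFix log it was written from:
every file, folder, driver, NetSvc and registry item the script names should be
visible in the log; one that is not is a typo or a guess (Registry:: is read as .reg syntax)."""
import re

# Constructed excerpt of the ComboFix log posted in the thread.
COMBOFIX_LOG = r"""
2010-05-29 17:13 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\f36decbb.exe
2010-05-28 18:09 . 2010-05-28 18:09 50981 ----a-w- c:\windows\system32\areoghkfntcfn.exe
2010-05-28 18:08 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\8db3d791.exe
2010-05-25 05:38 . 2010-05-25 05:38 309248 ----a-w- c:\windows\system32\mzhjanoe.dll
2010-05-24 16:31 . 2010-05-24 16:31 40633 ----a-w- c:\windows\system32\tevbxohl.exe
2010-05-29 15:23 . 2004-06-21 16:16 -------- d-----w- c:\program files\Viewpoint
2010-05-29 15:21 . 2004-06-21 16:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MChk"="c:\windows\system32\tevbxohl.exe" [2010-05-24 40633]
S0 cadamg;cadamg; [x]
S2 MSWU-8db3d791;MSWU-8db3d791;c:\windows\SYSTEM32\8db3d791.exe [5/28/2010 2:08 PM 75264]
S2 MSWU-f36decbb;MSWU-f36decbb;c:\windows\SYSTEM32\f36decbb.exe [5/29/2010 1:13 PM 75264]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\17.tmp --> c:\windows\system32\17.tmp [?]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fyphhfvk
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"""

# The CFScript the helper posted in the thread.
CFSCRIPT = r"""
Rootkit::
c:\windows\system32\f36decbb.exe
c:\windows\system32\areoghkfntcfn.exe
c:\windows\system32\8db3d791.exe
c:\windows\system32\mzhjanoe.dll
c:\windows\system32\tevbxohl.exe
c:\windows\SYSTEM32\8db3d791.exe
c:\windows\system32\17.tmp
Folder::
c:\program files\Viewpoint
c:\documents and settings\All Users\Application Data\Viewpoint
Driver::
MSWU-8db3d791
MSWU-f36decbb
MEMSWEEP2
cadamg
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MChk"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
NetSvc::
fyphhfvk
"""

FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} (?:\d+|-+) \S+ (.+)$")
SVC_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>[^\[]*)")

def parse_cfscript(text):
    """Split a CFScript into {section: [entries]} on its 'Name::' header lines."""
    sections, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is None:
            raise ValueError(f"entry before any section header: {line}")
        else:
            sections[current].append(line)
    return sections

def index_log(log):
    """Collect the paths, service names and NetSvcs names the log shows (all lower-cased)."""
    paths, services, netsvcs, in_netsvcs = set(), set(), set(), False
    for line in log.splitlines():
        if in_netsvcs and line.strip() not in ("", "."):   # names listed under the NetSvcs header
            netsvcs.add(line.strip().lower())
            continue
        in_netsvcs = line.endswith("Svchost - NetSvcs")
        if m := FILE_RE.match(line):                         # "Files Created" / Find3M rows
            paths.add(m.group(1).lower())
        elif m := SVC_RE.match(line):                        # R1/S2-style service rows
            services.add(m.group("name").lower())
            for p in m.group("path").split("-->"):           # "\??\x --> x" lists two spellings
                if p := re.sub(r"^\\\?\?\\", "", p.strip().lower()):
                    paths.add(p)
    return {"paths": paths, "services": services, "netsvcs": netsvcs, "text": log.lower()}

def check_script(script, log):
    """Return {section: [(entry, seen_in_log)]}; False marks an entry the log never showed."""
    idx = index_log(log)
    by_section = {"Rootkit": "paths", "File": "paths", "Folder": "paths",
                  "Driver": "services", "NetSvc": "netsvcs"}
    report = {}
    for section, entries in parse_cfscript(script).items():
        report[section] = []
        for e in entries:
            k = e.lower()
            if section == "Registry":   # .reg syntax: "[-key]" deletes a key, "name"=- a value
                seen = ("[" + k[2:] if k.startswith("[-") else k.rstrip("-")) in idx["text"]
            else:
                seen = k in idx.get(by_section.get(section), set())
            report[section].append((e, seen))
    return report
```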

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP
Here you go, Chris. The new ComboFix log is below.

I've got my fingers crossed!



ComboFix 10-05-29.05 - Boss 05/30/2010 18:40:57.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.276 [GMT -4:00]
Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Boss\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Viewpoint
c:\program files\Viewpoint

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CADAMG
-------\Legacy_MEMSWEEP2
-------\Legacy_MSWU-8DB3D791
-------\Legacy_MSWU-F36DECBB
-------\Service_cadamg
-------\Service_MSWU-8db3d791
-------\Service_MSWU-f36decbb


((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-30 14:42 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
2010-05-28 23:49 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2010-05-30 14:43 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
.

------- Sigcheck -------

[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\windows\SYSTEM32\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 . B409909F6E2E8A7067076ED748ABF1E7 . 577536 . . [5.1.2600.3099] . . c:\windows\$NtServicePackUninstall$\user32.dll
[-] 2005-03-02 . 1800F293BCCC8EDE8A70E12B88D80036 . 577024 . . [5.1.2600.2622] . . c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2005-03-02 . DE2DB164BBB35DB061AF0997E4499054 . 577024 . . [5.1.2600.2622] . . c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2004-03-19 . DD9269230C21EE8FB7FD3FCCC3B1CFCB . 560128 . . [5.1.2600.1106] . . c:\windows\$NtUninstallKB824141$\USER32.DLL
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
"MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
"MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
"ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

2010-05-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

2010-04-22 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-30 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: motive.com\patttbc.att
DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{4CC5A190-E657-4C30-A101-C0A9252B9DAA} - c:\windows\system32\mzhjanoe.dll
AddRemove-areoghkfntcfn - c:\windows\system32\areoghkfntcfn.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 18:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4048)
c:\windows\system32\WININET.dll
c:\program files\McAfee\SiteAdvisor\saHook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\CTsvcCDA.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
.
**************************************************************************
.

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Hi Sparty,

That looks MUCH better! The Rootkit has met its match :).... How are things running now?

I'll come up with a fix and get it approved and back to you ASAP. Should just be some cleanup and likely one more scanner to make sure everything is gone :)...

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

That's GREAT news!

I haven't really been using the desktop except to run the scans, etc. and I've had the firewall locked down for safety's sake. But, so far so good right now. I haven't seen any random websites open up yet and nothing else looking abnormal......hope it holds up!

I'll wait to hear back from you, Chris. Thanks!

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

Hi Sparty,

Re-running ComboFix to remove infections:

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:

    Fcopy::
    c:\windows\ServicePackFiles\i386\user32.dll | c:\windows\system32\user32.dll

    Folder::
    c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo
  4. Save this as CFScript.txt, in the same location as ComboFix.exe

    (picture: Cfscriptb4)

  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.

========

Next, please go to the Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply.
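
The Fcopy:: step in the script above replaces c:\windows\system32\user32.dll with the ServicePackFiles\i386 copy because the Sigcheck section of the earlier ComboFix log listed both files with the same version [5.1.2600.5512] and size but different MD5 hashes. The following Python script is an added example, not part of this thread or of ComboFix: it parses Sigcheck-style lines (the sample is constructed from that log), flags any file whose name and version match the ServicePackFiles copy but whose hash or size differs, and offers a hash check to confirm an Fcopy actually took effect; the function names are my own.

```python
import hashlib
import re
from pathlib import Path

# Constructed sample: four of the eight Sigcheck lines from the ComboFix log
# posted earlier in this thread. Field layout as ComboFix prints it:
#   [flag] date . md5 . size . . [version] . . path
SIGCHECK_SAMPLE = """\
[7] 2008-04-14 . B26B135FF1B9F60C9388B4A7D16F600B . 578560 . . [5.1.2600.5512] . . c:\\windows\\ServicePackFiles\\i386\\user32.dll
[-] 2008-04-14 . 48FDBBE0E55B15E1886FCF5D8563B19F . 578560 . . [5.1.2600.5512] . . c:\\windows\\SYSTEM32\\user32.dll
[-] 2007-03-08 . 7AA4F6C00405DFC4B70ED4214E7D687B . 578048 . . [5.1.2600.3099] . . c:\\windows\\$hf_mig$\\KB925902\\SP2QFE\\user32.dll
[7] 2004-08-04 . C72661F8552ACE7C5C85E16A3CF505C4 . 577024 . . [5.1.2600.2180] . . c:\\windows\\$NtUninstallKB890859$\\user32.dll
"""

LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)


def parse_sigcheck(text):
    """Parse Sigcheck lines into dicts; lines that do not match the layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["md5"] = d["md5"].upper()
            d["size"] = int(d["size"])
            d["name"] = d["path"].rsplit("\\", 1)[-1].lower()
            entries.append(d)
    return entries


def is_reference(entry):
    """The copy an Fcopy:: line takes as known-good lives under ServicePackFiles\\i386."""
    return "\\servicepackfiles\\i386\\" in entry["path"].lower()


def find_mismatches(entries):
    """Return (suspect_path, reference_path) pairs: files that carry the same name and
    version string as the ServicePackFiles copy but whose MD5 or size differs."""
    refs = {}
    for e in entries:
        if is_reference(e):
            refs[(e["name"], e["version"])] = e
    mismatches = []
    for e in entries:
        ref = refs.get((e["name"], e["version"]))
        if ref is None or e is ref:
            continue  # no known-good copy of this version, or this is the reference itself
        if e["md5"] != ref["md5"] or e["size"] != ref["size"]:
            mismatches.append((e["path"], ref["path"]))
    return mismatches


def md5_of_file(path):
    """MD5 of a file on disk, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def fcopy_verified(src, dst):
    """After 'Fcopy:: src | dst', confirm the destination now matches the source byte for byte."""
    return Path(src).is_file() and Path(dst).is_file() and md5_of_file(src) == md5_of_file(dst)


if __name__ == "__main__":
    for suspect, ref in find_mismatches(parse_sigcheck(SIGCHECK_SAMPLE)):
        print(f"MISMATCH: {suspect} differs from known-good {ref}")
```

Run against the sample it reports only the SYSTEM32 copy of user32.dll; the hotfix and uninstall copies carry other version strings and so have no ServicePackFiles reference to compare against.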

Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Chris,

    I've completed the last requested ComboFix scan. The latest ComboFix log follows. I'll now run the Kaspersky scan as advised and will post that report in my next reply.



    ComboFix 10-05-30.04 - Boss 05/31/2010 0:26.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.195 [GMT -4:00]
    Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Boss\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Boss\Local Settings\Application Data\esdjguvxo

    .
    --------------- FCopy ---------------

    c:\windows\ServicePackFiles\i386\user32.dll --> c:\windows\system32\user32.dll
    .
    ((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-31 )))))))))))))))))))))))))))))))
    .

    2010-05-30 14:42 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
    2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
    2010-05-28 23:49 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
    2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
    2010-05-28 18:09 . 2010-05-28 18:09 -------- d-----w- c:\program files\$NtUninstallWTF1012$
    2010-05-28 18:09 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-30 22:49 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-30 14:43 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-28 20:03 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
    2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
    2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
    2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
    2010-04-01 20:28 . 2009-04-17 16:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
    2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
    2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
    backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
    2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-30 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-04-22 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-05-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-30 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-31 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-31 00:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(584)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-05-31 00:40:47
    ComboFix-quarantined-files.txt 2010-05-31 04:40
    ComboFix2.txt 2010-05-30 23:02
    ComboFix3.txt 2010-05-30 16:09
    ComboFix4.txt 2010-05-28 22:13

    Pre-Run: 59,888,521,216 bytes free
    Post-Run: 59,864,510,464 bytes free

    - - End Of File - - 422D36296C74F4519DE3C02F262678D1

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Sparty,

    There's some more junk we need to remove but, let's just make sure these files are infected first:

    Please visit VirusTotal

    * Click the Browse.. button
    * Navigate to the file c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
    * Click the Open button
    * Click the Send button
    * Copy and paste the results into a new reply in this thread please.

    Please do the same for:
    c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
    c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll

    If VirusTotal is busy please use Jotti

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Chris,

    Wow that scan took forever (3 hours)!

    There were 6 infections found :-( It looks like those System Volume Information_Restore files that I've mentioned that were found by the SAR scan ARE a problem. What now?

    Here is the report from the Kaspersky scan.



    KASPERSKY ONLINE SCANNER 7.0: scan report
    Monday, May 31, 2010
    Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Monday, May 31, 2010 02:33:10
    Records in database: 4193694
    --------------------------------------------------------------------------------

    Scan settings:
    scan using the following database: extended
    Scan archives: yes
    Scan e-mail databases: yes

    Scan area - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan statistics:
    Objects scanned: 81510
    Threats found: 4
    Infected objects found: 6
    Suspicious objects found: 0
    Scan duration: 02:57:34


    File name / Threat / Threats count
    C:\Qoobox\Quarantine\C\WINDOWS\Mcybaa.exe.vir Infected: Packed.Win32.Katusha.n 1
    C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\FTDISK.SYS.vir Infected: Rootkit.Win32.TDSS.ap 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001008.dll Infected: not-a-virus:AdWare.Win32.BHO.mfb 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001012.dll Infected: not-a-virus:AdWare.Win32.RON.dvc 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001036.SYS Infected: Rootkit.Win32.TDSS.ap 1
    C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1\A0001090.exe Infected: Packed.Win32.Katusha.n 1

    Selected area has been scanned.

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Sorry, Chris. I didn't notice you had posted while I was running the Kaspersky scan.

    Following are the results of the Virus Total reports. When I opened and sent the files you listed, I got a message on the last 3 that you listed (after the 555qG.dll) that those files had already been analysed and the report shown was the same for each of those last 3 files as for the 555qG.dll (in fact, it listed the "File 555qG.dll received on 2010.05.31 10:03:00 (UTC)" at the top of the last report for those files). The message after sending those files is immediately below and the 555qG.dll report follows that.

    I need some sleep!




    File has already been analysed:
    MD5: 73d34ba60d912ecd316c927759343c90
    First received: 2010.05.31 10:03:00 UTC
    Date: 2010.05.31 10:03:00 UTC [<1D]
    Results: 14/40
    Permalink: analisis/cd810f7f6bb6594360d5f40e24a02ddbf9a2dd312a58e172fa8e4a8278f6bb8d-1275300180




    File 555qG.dll received on 2010.05.31 10:03:00 (UTC)
    Result: 14/40 (35%)

    Antivirus Version Last Update Result
    a-squared 5.0.0.26 2010.05.31 Trojan.Win32.Alureon!IK
    AhnLab-V3 2010.05.30.00 2010.05.29 -
    AntiVir 8.2.1.242 2010.05.31 -
    Antiy-AVL 2.0.3.7 2010.05.31 -
    Authentium 5.2.0.5 2010.05.31 -
    Avast 4.8.1351.0 2010.05.30 Win32:Trojan-gen
    Avast5 5.0.332.0 2010.05.30 Win32:Trojan-gen
    AVG 9.0.0.787 2010.05.31 -
    BitDefender 7.2 2010.05.31 Gen:Trojan.Heur.TP.em8@bifn34ei
    CAT-QuickHeal 10.00 2010.05.31 -
    ClamAV 0.96.0.3-git 2010.05.30 -
    Comodo 4959 2010.05.31 Heur.Packed.Unknown
    DrWeb 5.0.2.03300 2010.05.31 Trojan.PWS.IpDiscover.4
    eSafe 7.0.17.0 2010.05.30 -
    eTrust-Vet 35.2.7521 2010.05.31 -
    F-Prot 4.6.0.103 2010.05.31 -
    F-Secure 9.0.15370.0 2010.05.31 Gen:Trojan.Heur.TP.em8@bifn34ei
    Fortinet 4.1.133.0 2010.05.30 -
    GData 21 2010.05.31 Gen:Trojan.Heur.TP.em8@bifn34ei
    Ikarus T3.1.1.84.0 2010.05.31 Trojan.Win32.Alureon
    Jiangmin 13.0.900 2010.05.30 -
    Kaspersky 7.0.0.125 2010.05.31 -
    McAfee 5.400.0.1158 2010.05.31 -
    McAfee-GW-Edition 2010.1 2010.05.31 Heuristic.BehavesLike.Win32.Spyware.I
    Microsoft 1.5802 2010.05.31 -
    NOD32 5157 2010.05.31 -
    Norman 6.04.12 2010.05.31 W32/Suspicious_Gen2.ATZEI
    nProtect 2010-05-31.01 2010.05.31 -
    Panda 10.0.2.7 2010.05.30 Suspicious file
    PCTools 7.0.3.5 2010.05.31 -
    Rising 22.50.00.04 2010.05.31 -
    Sophos 4.53.0 2010.05.31 Mal/TDSSPack-Y
    Sunbelt 6380 2010.05.31 Trojan.Win32.Generic!BT
    Symantec 20101.1.0.89 2010.05.31 -
    TheHacker 6.5.2.0.290 2010.05.30 -
    TrendMicro 9.120.0.1004 2010.05.31 -
    TrendMicro-HouseCall 9.120.0.1004 2010.05.31 -
    VBA32 3.12.12.5 2010.05.29 -
    ViRobot 2010.5.20.2326 2010.05.28 -
    VirusBuster 5.0.27.0 2010.05.30 -
    Additional information
    File size: 75264 bytes
    MD5...: 73d34ba60d912ecd316c927759343c90
    SHA1..: 3bfcbf37cefd1a4d52519f2eded49cab4bbd7e88
    SHA256: cd810f7f6bb6594360d5f40e24a02ddbf9a2dd312a58e172fa8e4a8278f6bb8d
    ssdeep: 1536:9GpuwF5CmcRGHSiFrCKm0+xx5fIO8kKxlEbq2e/sFcDh5Zjpj1:UpymcRCt4xxlpClEjKpj1

    PEiD..: -
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x1000
    timedatestamp.....: 0x422eef1b (Wed Mar 09 12:42:03 2005)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x3000 0x2a00 0.32 baf0f802aada2311a22c24a9460e1026
    .data 0x4000 0x2f000 0xf400 7.36 2aaa268a0ad7fae275e7d9e030160b99
    .rsrc 0x33000 0x1000 0x400 2.66 ffe0298fe7154c7a2174d283500baa9f

    ( 1 imports )
    > kernel32.dll: DeleteCriticalSection, EnterCriticalSection, GetCommandLineA, GetLastError, GetModuleHandleA, GetProcAddress, GetProcessId, GetVersion, InitializeCriticalSection, LeaveCriticalSection, LoadLibraryA, VirtualProtect

    ( 0 exports )

    RDS...: NSRL Reference Data Set
    -
    pdfid.: -
    trid..: Generic Win/DOS Executable (49.9%)
    DOS Executable Generic (49.8%)
    Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
    Symantec Reputation Network: Suspicious.Insight http://www.symantec.com/security_response/writeup.jsp?docid=2010-021223-0550-99
    sigcheck:
    publisher....: n/a
    copyright....: Copyright (C) 2010
    product......: vsdsvsdsetup Application
    description..: Pasdvasetup Application
    original name: asdvasdsetup.exe
    internal name: PPCsetup
    file version.: 1, 0, 0, 1
    comments.....: n/a
    signers......: -
    signing date.: -
    verified.....: Unsigned

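Why three of the four uploads came back "already analysed": VirusTotal and Jotti identify a submission by its digest, so byte-identical copies under different names share one report. The script below is an added example, not code from the thread or from either service; it hashes a set of files, groups identical ones, and checks them against the size and digests quoted in the report above, using constructed stand-in files rather than the real DLL contents.

```python
"""Group suspect files by content hash and compare them with published digests.

Added example (not from the forum thread, VirusTotal or Jotti). It shows why
several differently named files can yield a single scanner report: the services
key their results on the file digest, so identical copies collapse to one entry.
"""
import hashlib
import os
import tempfile
from collections import defaultdict

# Size and digests quoted in the thread's VirusTotal/Jotti report for 555qG.dll.
KNOWN_555QG = {
    "size": 75264,
    "md5": "73d34ba60d912ecd316c927759343c90",
    "sha1": "3bfcbf37cefd1a4d52519f2eded49cab4bbd7e88",
    "sha256": "cd810f7f6bb6594360d5f40e24a02ddbf9a2dd312a58e172fa8e4a8278f6bb8d",
}

DIGEST_KEYS = ("size", "md5", "sha1", "sha256")


def hash_bytes(data):
    """Digests of an in-memory blob, in the same shape hash_file returns."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path, chunk=1 << 16):
    """Stream a file through md5/sha1/sha256 so large binaries are not read whole."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            for h in (md5, sha1, sha256):
                h.update(block)
    return {"size": size, "md5": md5.hexdigest(),
            "sha1": sha1.hexdigest(), "sha256": sha256.hexdigest()}


def group_identical(paths):
    """Return (sha256 -> [paths], path -> digests); one key = byte-identical copies."""
    groups = defaultdict(list)
    digests = {}
    for p in paths:
        d = hash_file(p)
        digests[p] = d
        groups[d["sha256"]].append(p)
    return dict(groups), digests


def matches_known(digests, known):
    """True only when size and every digest agree with the published record."""
    return all(digests[k] == known[k] for k in DIGEST_KEYS)


def triage(paths, known=KNOWN_555QG):
    """Per-file rows: (path, sha256, number of identical copies, matches published record)."""
    groups, digests = group_identical(paths)
    return [(p, digests[p]["sha256"], len(groups[digests[p]["sha256"]]),
             matches_known(digests[p], known)) for p in paths]


def demo():
    """Build constructed stand-ins for the four prtprocs DLL names and triage them."""
    names = ["555qG.dll", "9sKU93i79.dll", "17oC17.dll", "U7mY17.dll"]
    # Constructed payload: NOT the real DLL bytes, just an MZ-prefixed blob.
    same = b"MZ" + bytes(range(256)) * 4
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for i, name in enumerate(names):
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                # First three are identical copies; the fourth differs by one byte.
                fh.write(same if i < 3 else same + b"\x01")
            paths.append(p)
        return triage(paths)


if __name__ == "__main__":
    for path, sha, copies, known in demo():
        print(f"{os.path.basename(path):14} {sha[:16]}...  copies={copies}  "
              f"matches_555qG={known}")
```

Point the path list at the real files (or at a quarantine export) instead of demo() to confirm whether they are copies of the same binary before uploading each one separately.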
    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Chris, for what it's worth, here are the results of the Jotti scans on those same files. Jotti also indicated the last 3 files were named 555qG.dll and said that file was already scanned.



    Jotti's malware scan
    Filename: 555qG.dll
    Status: Scan finished. 6 out of 19 scanners reported malware.
    Scan taken on: Mon 31 May 2010 12:25:49 (CET)




    Additional info
    File size: 75264 bytes
    Filetype: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit
    MD5: 73d34ba60d912ecd316c927759343c90
    SHA1: 3bfcbf37cefd1a4d52519f2eded49cab4bbd7e88


    Scanners
    2010-05-30 Found nothing 2010-05-31 Gen:Trojan.Heur.TP.em8@bifn34ei
    2010-05-30 Win32:Trojan-gen 2010-05-31 Trojan.Win32.Alureon
    2010-05-31 Found nothing 2010-05-31 Found nothing
    2010-05-31 Found nothing 2010-05-31 Found nothing
    2010-05-31 Gen:Trojan.Heur.TP.em8@bifn34ei 2010-05-30 Found nothing
    2010-05-30 Found nothing 2010-05-31 Found nothing
    2010-05-31 Found nothing 2010-05-31 Mal/TDSSPack-Y
    2010-05-31 Trojan.PWS.IpDiscover.4 2010-05-28 Found nothing
    2010-05-30 Found nothing 2010-05-30 Found nothing
    2010-05-31 Found nothing

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Sparty,

    Those System Restore Points are more menacing than they look.... When we remove ComboFix it will flush them out and they'll be gone. It looks like all those files are indeed infected, so I'm going to go get a fix approved and get back to you asap.

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Sparty,

    We're well on our way to complete disinfection!

    Re-running ComboFix to remove infections:

    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    3. Open notepad and copy/paste the text in the quotebox below into it:

      Folder::
      c:\program files\$NtUninstallWTF1012$

      File::
      c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
      c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
      c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll
    4. Save this as CFScript.txt, in the same location as ComboFix.exe

      [image: Cfscriptb4]

    5. Referring to the picture above, drag CFScript into ComboFix.exe
    6. When finished, it shall produce a log for you at C:\ComboFix.txt
    7. Please post the contents of the log in your next reply.

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    I hope you're right, Chris.

    Following is the latest ComboFix report. Thanks again for your help!




    ComboFix 10-05-31.02 - Boss 05/31/2010 22:47:44.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.173 [GMT -4:00]
    Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Boss\Desktop\CFScript.txt
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

    FILE ::
    "c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll"
    "c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll"
    "c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\$NtUninstallWTF1012$
    c:\program files\$NtUninstallWTF1012$\elUninstall.exe
    c:\windows\system32\Spool\prtprocs\w32x86\555qG.dll
    c:\windows\system32\Spool\prtprocs\w32x86\9sKU93i79.dll
    c:\windows\system32\Spool\prtprocs\w32x86\U7mY17.dll

    .
    ((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
    .

    2010-05-31 20:26 . 2010-05-31 20:26 -------- d-----w- c:\windows\LastGood
    2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
    2010-05-28 19:55 . 2010-05-28 18:08 75264 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll
    2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-31 20:26 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
    2010-05-31 20:21 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-31 10:36 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-31 10:36 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
    2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
    2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
    2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
    2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
    backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
    2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-31 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-05-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-04-22 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-06-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-$NtUninstallWTF1012$ - c:\program files\$NtUninstallWTF1012$\elUninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-31 22:55
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2010-05-31 23:01:21
    ComboFix-quarantined-files.txt 2010-06-01 03:01
    ComboFix2.txt 2010-05-31 04:40
    ComboFix3.txt 2010-05-30 23:02
    ComboFix4.txt 2010-05-30 16:09
    ComboFix5.txt 2010-06-01 02:45

    Pre-Run: 59,722,158,080 bytes free
    Post-Run: 59,803,074,560 bytes free

    - - End Of File - - EE244E72D08209CD8472F8DE9D183698

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Sparty,

    Looks like there is one file that withstood deletion. Let's see it stand up to this!

    • Download The Avenger by Swandog46 from here.
    • Unzip/extract it to a folder on your desktop.
    • Double click on avenger.exe to run The Avenger.
    • Click OK.
    • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
    • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.

      Code:

      Files to delete:
      c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll

    • In the avenger window, click the Paste script from Clipboard button.
    • Click the Execute button.
    • You will be asked Are you sure you want to execute the current script?.
    • Click Yes.
    • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
    • Click Yes.
    • Your PC will now be rebooted.
    • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
    • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
    • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
    • Please post this log in your next reply.

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Chris,

    I ran the Avenger and the log is posted below. It looks like that didn't work on removing that file either. When I first pasted the text to the clipboard I included the word "Code:" and Avenger didn't like that.....I pasted just the text without "Code:" and it then executed....but apparently could not find the file. Now what? - Thanks.



    Logfile of The Avenger Version 2.0, (c) by Swandog46
    http://swandog46.geekstogo.com

    Platform: Windows XP

    *******************

    Script file opened successfully.
    Script file read successfully.

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    Rootkit scan active.
    No rootkits found!


    Error: file "c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll" not found!
    Deletion of file "c:\windows\system32\Spool\prtprocs\w32x86\17oC17.dll" failed!
    Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
    --> the object does not exist


    Completed script processing.

    *******************

    Finished! Terminate.

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi again Chris,

    Just wanted to let you know that, when I just rebooted my desktop, McAfee showed that it had detected and deleted a trojan by the name of "Artemis..." (I couldn't see the extension when it flashed on the screen).

    Thought you might want to know.

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Sparty,

    Would you mind re-running ComboFix please? I'm signing off here in a few minutes, so we'll likely catch up in the morning...

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hey Chris,

    Ok. I had to download ComboFix AGAIN. The executable file was gone again from my desktop and was nowhere to be found on a search. Why is that happening? Is the rootkit responsible? Is the rootkit still present? Thanks again for your continuing assistance!

    Here's the log from the latest ComboFix scan:



    ComboFix 10-05-31.03 - Boss 06/01/2010 11:36:58.6.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.511.229 [GMT -4:00]
    Running from: c:\documents and settings\Boss\Desktop\ComboFix.exe
    AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
    FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
    .

    ((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
    .

    2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2010-05-29 15:45 . 2010-05-29 15:45 -------- d-----w- c:\program files\Sophos
    2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\changer.sys
    2010-05-28 18:10 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
    2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-06-01 07:52 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-06-01 07:52 . 2004-06-21 16:18 288 ----a-w- c:\windows\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
    2010-05-31 20:26 . 2004-10-19 14:00 -------- d-----w- c:\program files\McAfee
    2010-05-31 20:21 . 2008-09-24 03:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2010-05-28 18:10 . 2009-05-28 23:13 -------- d-----w- c:\program files\Common Files\Motive
    2010-05-21 21:09 . 2010-04-22 18:42 -------- d-----w- c:\documents and settings\LocalService\Application Data\SACore
    2010-05-18 04:39 . 2008-09-24 03:35 -------- d-----w- c:\program files\Google
    2010-04-22 17:53 . 2005-12-14 18:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
    2010-04-22 17:50 . 2010-04-22 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\SiteAdvisor
    2010-04-22 17:47 . 2010-04-22 17:46 -------- d-----w- c:\program files\Common Files\McAfee
    2010-04-22 17:46 . 2010-04-22 17:46 -------- d-----w- c:\program files\McAfee.com
    2010-04-14 16:29 . 2004-06-27 22:20 -------- d-----w- c:\program files\Common Files\Adobe
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
    2010-03-30 15:33 . 2010-03-30 15:33 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
    2010-03-30 15:33 . 2010-03-30 15:33 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
    2010-03-30 15:33 . 2010-03-30 15:33 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
    2010-03-30 15:33 . 2010-03-30 15:33 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    2010-03-30 15:33 . 2010-03-30 15:33 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
    2010-03-30 15:33 . 2010-03-30 15:33 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    2010-03-30 15:31 . 2003-08-05 17:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2010-03-30 15:31 . 2003-08-05 17:55 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2010-03-30 04:46 . 2009-04-17 16:00 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-03-30 04:45 . 2009-04-17 16:00 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-03-11 12:38 . 2004-02-06 23:05 832512 ----a-w- c:\windows\system32\wininet.dll
    2010-03-11 12:38 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-11 12:38 . 2004-03-19 22:34 17408 ----a-w- c:\windows\system32\corpol.dll
    2010-03-09 11:09 . 2004-03-19 22:44 430080 ----a-w- c:\windows\system32\vbscript.dll
    2005-12-08 05:16 . 2005-12-08 05:16 5037072 ----a-w- c:\program files\spybotsd14.exe
    2005-10-22 14:46 . 2005-10-22 14:45 53619100 ----a-w- c:\program files\hansel new users v6.02.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
    "MoneyAgent"="c:\program files\Microsoft Money\System\mnyexpr.exe" [2003-06-18 200704]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2005-08-12 1121792]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-21 77824]
    "MMTray"="c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe" [2006-01-17 135168]
    "ATT-SST_McciTrayApp"="c:\program files\ATT-SST\McciTrayApp.exe" [2008-09-19 1529856]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
    "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-02-11 1218008]
    "McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2009-07-08 1176808]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Works Calendar Reminders.lnk - c:\program files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-9-4 53317]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
    @=""

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP OfficeJet Startup.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP OfficeJet Startup.lnk
    backup=c:\windows\pss\HP OfficeJet Startup.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AsioReg]
    2003-02-20 21:27 110592 ----a-w- c:\windows\SYSTEM32\CTASIO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
    2004-11-12 02:00 864256 ------w- c:\program files\Brother\ControlCenter2\brctrcen.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
    2002-09-30 06:00 45056 ----a-w- c:\program files\Creative\SBAudigy2\DVDAudio\CTDVDDET.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    2003-02-20 21:45 28672 ----a-w- c:\windows\SYSTEM32\CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    2002-10-29 14:18 49152 ----a-w- c:\program files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    2004-03-15 06:04 122933 ----a-w- c:\windows\SYSTEM32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
    2003-08-13 15:27 28672 ----a-w- c:\windows\SYSTEM32\DSentry.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
    2004-04-14 19:04 40960 ----a-w- c:\program files\ScanSoft\PaperPort\IndexSearch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]
    2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    2004-06-16 10:03 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    2004-06-16 10:03 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 17:03 53248 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 17:03 135168 ----a-w- c:\program files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
    2003-06-18 17:00 200704 ----a-w- c:\program files\Microsoft Money\System\mnyexpr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2003-11-03 18:46 4800512 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
    2004-04-14 18:46 57393 ----a-w- c:\program files\ScanSoft\PaperPort\pptd40nt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
    2003-08-27 00:47 204800 ------w- c:\program files\Dell\Media Experience\PCMService.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2004-06-21 16:16 77824 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
    2003-10-14 14:22 155648 ----a-r- c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2006-11-09 20:07 49263 ----a-w- c:\program files\Java\jre1.5.0_10\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2010-03-30 15:31 202256 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
    2003-08-19 06:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    "FirewallOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\ATT-HSI\\McciBrowser.exe"=
    "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=

    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\SYSTEM32\SAVRKBootTasks.sys [5/29/2010 1:11 PM 18816]
    R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [4/22/2010 1:49 PM 203280]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/6/2010 2:21 PM 135664]
    S3 bepprldr;BCL easyPDF SDK Loader;c:\program files\Common Files\BCL Technologies\easyPDF 4\bepprldr.exe [11/11/2005 11:03 PM 77824]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-06-01 c:\windows\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-24 16:03]

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-06-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-01-06 18:21]

    2010-05-15 c:\windows\Tasks\McDefragTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-06-01 c:\windows\Tasks\McQcTask.job
    - c:\progra~1\mcafee\mqc\QcConsol.exe [2010-04-22 16:22]

    2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-06-01 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-06-01 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]

    2010-05-27 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-4164457144-2476349802-418968361-1008.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 02:09]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = iexplore
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: motive.com\patttbc.att
    DPF: ppctlcab - hxxp://www.pestscan.com/scanner/ppctlcab.cab
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-06-01 11:45
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1988)
    c:\windows\system32\WININET.dll
    c:\program files\McAfee\SiteAdvisor\saHook.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-06-01 11:51:14
    ComboFix-quarantined-files.txt 2010-06-01 15:51
    ComboFix2.txt 2010-06-01 03:01
    ComboFix3.txt 2010-05-31 04:40
    ComboFix4.txt 2010-05-30 23:02
    ComboFix5.txt 2010-06-01 15:34

    Pre-Run: 59,795,775,488 bytes free
    Post-Run: 59,768,147,968 bytes free

    - - End Of File - - 12F8FFFC5F99A90DD4E6EC928634A413
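
The ComboFix log above carries the items a helper checks by eye: the AV/FW status lines at the top, the Security Center overrides and firewall policy under Reg Loading Points, and new folders under a user profile in the Files Created window. This added Python example, which is not part of the thread or the ComboFix tool, parses a constructed subset of that log into those pieces and lists the ones worth a second look; the WEAK_SETTINGS table and the profile-directory heuristic are my assumptions about what merits review, not verdicts.

```python
import re
from collections import namedtuple

# Constructed sample: a subset of the ComboFix log quoted in the thread, trimmed
# to the line shapes this example parses (the real log is much longer).
SAMPLE_LOG = r"""ComboFix 10-05-31.03 - Boss 06/01/2010 11:36:58.6.2 - x86
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
((((((((((((((((((((((((( Files Created from 2010-05-01 to 2010-06-01 )))))))))))))))))))))))))))))))
2010-05-29 17:11 . 2009-06-18 16:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-05-28 18:12 . 2010-05-28 18:12 -------- d-----w- c:\documents and settings\Boss\Application Data\Street-Ads
2010-05-28 18:10 . 2010-05-28 18:10 -------- d-----w- c:\documents and settings\Boss\Application Data\Sky-Banners
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-09-24 39408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-03-30 202256]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
"""

Product = namedtuple("Product", "kind name status")      # AV:/FW: header lines
Created = namedtuple("Created", "when attrs path")       # Files Created entries
Autostart = namedtuple("Autostart", "key name path stamp size")
Setting = namedtuple("Setting", "key name value")        # dword / policy values
Report = namedtuple("Report", "products created autostarts settings")

PRODUCT_RE = re.compile(r'^(AV|FW): (.+?) \*([^*]+)\*')
KEY_RE = re.compile(r'^\[(.+)\]$')
AUTOSTART_RE = re.compile(r'^"([^"]+)"="([^"]*)" \[(\d{4}-\d{2}-\d{2}) (\d+)\]$')
# Two value spellings occur: "Name"=dword:00000001 and "Name"= 0 (0x0)
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]{8})|(\d+) \(0x[0-9a-fA-F]+\))$')
# created . modified size-or-dashes attrs path
CREATED_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. \S+ \S+ (?:\d+|-+) (\S+) (.+)$')


def parse_combofix(text):
    """Split ComboFix log text into products, created items, autostarts and settings."""
    products, created, autostarts, settings = [], [], [], []
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if "Files Created" in line:
            section = "created"
        elif "Reg Loading Points" in line:
            section = "reg"
        elif m := PRODUCT_RE.match(line):
            products.append(Product(m.group(1), m.group(2), m.group(3)))
        elif section == "created" and (m := CREATED_RE.match(line)):
            created.append(Created(m.group(1), m.group(2), m.group(3)))
        elif section == "reg":
            if m := KEY_RE.match(line):
                key = m.group(1)                     # context for the values that follow
            elif m := AUTOSTART_RE.match(line):
                autostarts.append(Autostart(key, m.group(1), m.group(2), m.group(3), int(m.group(4))))
            elif m := DWORD_RE.match(line):
                value = int(m.group(2), 16) if m.group(2) else int(m.group(3))
                settings.append(Setting(key, m.group(1), value))
    return Report(products, created, autostarts, settings)


# Assumption: values that, at these settings, turn protection off or silence the
# warning that it is off. Security suites do set some of them legitimately when
# they take over monitoring, so each is a question for the helper, not a verdict.
WEAK_SETTINGS = {
    "AntiVirusOverride": 1,     # Security Center stops warning about antivirus state
    "FirewallOverride": 1,      # same for the firewall
    "DisableMonitoring": 1,     # Security Center no longer tracks that product
    "EnableFirewall": 0,        # Windows Firewall off for this profile
    "DisableNotifications": 1,  # Windows Firewall stops prompting
}
PROFILE_DIR = "\\application data\\"   # heuristic: fresh items here deserve a look
PROGRAM_DIRS = ("c:\\program files\\", "c:\\windows\\")


def findings(report):
    """Return human-readable triage items, in log order, worth a second look."""
    out = []
    for p in report.products:
        if "disabled" in p.status.lower():
            out.append(f"{p.kind} {p.name}: {p.status}")
    for c in report.created:
        if PROFILE_DIR in c.path.lower():
            out.append(f"new profile item {c.when}: {c.path}")
    for a in report.autostarts:
        if not a.path.lower().startswith(PROGRAM_DIRS):
            out.append(f"autostart {a.name} outside program dirs: {a.path}")
    for s in report.settings:
        if WEAK_SETTINGS.get(s.name) == s.value:
            out.append(f"{s.name}={s.value} under [{s.key}]")
    return out


if __name__ == "__main__":
    for item in findings(parse_combofix(SAMPLE_LOG)):
        print(item)
```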

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Sparty,

    That confirms it. The file is gone!

    How are things running now?

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Chris,

    Excellent!! The desktop seems to be running fine at this point. Nothing unusual noted.

    Do you really think we've gotten totally rid of this beast?? I can't help but be skeptical after reading that rootkit info at Wiki, etc.

    Do you still think I should change all my passwords? I'm guessing it would be a good idea for safety's sake, right? Should I leave all the ComboFix files or get rid of them?

    Thank God for guys like you and your cohorts at Geek Police, Chris!! I am VERY grateful for all your assistance with this issue. It's a fantastic service you guys perform to fight the #@*& idiots that throw this crap out there to muck up our lives via the internet!

    I'll keep you posted if anything weird shows up in the near future.

    Nice job, Chris!!

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Sparty,

    Do you really think we've gotten totally rid of this beast?? I can't help but be skeptical after reading that rootkit info at Wiki, etc.


    Yep. That latest log shows no more remnants of the rootkit, but you're absolutely right. It was one nasty infection!


    Do you still think I should change all my passwords? I'm guessing it would be a good idea for safety's sake, right? Should I leave all the ComboFix files or get rid of them?


    You're absolutely right again. Changing passwords periodically never hurts. Except when you can't remember them.


    Thank God for guys like you and your cohorts at Geek Police, Chris!! I am VERY grateful for all your assistance with this issue. It's a fantastic service you guys perform to fight the #@*& idiots that throw this crap out there to muck up our lives via the internet!


    You're very welcome. It's been a pleasure working with you...

    ====

    Now for the cleanup:

    Congratulations!! Your PC is all clean!

    To uninstall ComboFix

    • Click the Start button. Click Run. For Vista: type in Run in the Start search, and click on Run in the results pane.
    • In the field, type in ComboFix /uninstall


    (Note: Make sure there's a space between the word ComboFix and the forward-slash.)

    • Then, press Enter, or click OK.
    • This will uninstall ComboFix, delete its folders and files, hide System files and folders, and reset System Restore.

    ========

    There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

    Cleaning

    Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

    ATF Cleaner
    CCleaner

    Defragmenting Your Hard Disk

    Over time your PC can become fragmented. Windows comes with a defragmenting utility; however, it is very slow, and there are other options available.

    To use the defragmenter included with Windows, either go to Start/Run, type dfrg.msc and hit Enter; or right-click My Computer and choose Manage, Storage, Disk Defragmenter.

    In the Defragmenter utility, select your main partition/HD, generally C:\, and select Analyze. The analysis report will tell you whether or not your disk needs to be defragmented; if it does, click Defragment. Be patient, this can take a long time.

    Repeat for multiple partitions/hard disks.

    System Restore Cleanup Instructions

    If you are using Windows ME or XP then it is good to disable and re-enable system restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way)
    You can find instructions on how to disable and re-enable system restore here:

    Windows ME System Restore Guide

    Windows XP System Restore Guide

    Reading Tip:
    Computer Health
    Keep Your System Updated

    Microsoft releases patches for Windows and Office products regularly to patch up Windows and Office products loopholes and fix any bugs found. Please ensure that you visit the following websites regularly or do update your system regularly.

    Install the updates immediately, if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

    To update Windows and office

    Go to Start > All Programs > Microsoft Update

    Alternatively, you can visit the link below to update Windows and Office products.

    Microsoft Update

    If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

    1. Go to Start > Control Panel > Automatic Updates
    2. Select the Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
    3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
    4. Select the Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

    Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

    Be careful when opening attachments and downloading files.

    1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
    2. Never open emails from unknown senders.
    3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
    4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

    Surf safely

    Many security exploits on websites are directed to users of Internet Explorer and Firefox.

    If you use Firefox, try the No-script Add On - which, by default, disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

    Backup regularly

    You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft Article to learn how to backup. Follow This Article by Microsoft to restore your backups.

    Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
    Bleeping Computer

    Avoid P2P

    I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Prevent A Re-infection

    1. Winpatrol

    Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features Here

    You can get a Free Copy of Winpatrol or use the Plus Version for more features.

    You can read Win Patrol FAQ if you run into problems.

    2. Hosts File

    A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

    Hosts file will replace your current Hosts file with another one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

    Here are some Hosts files:
    MVPS Hosts File
    Blue Tack’s Hosts File
    Blue Tack’s Hosts Manager

    3. Spybot Search and Destroy

    Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

    Spybot Search & Destroy can be downloaded from here.

    If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

    4. SiteHound Toolbar

    SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

    ====

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

    The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
    ============================================================
    See this page for more info about malware and prevention.
    Thank you for choosing GeekPolice. Please see this page if you would like to leave feedback or contribute to our site.
    Before the thread is archived, do you have any more questions?

    Happy surfing and stay clean!
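
The Hosts file advice in the post above works by mapping unwanted hostnames to 127.0.0.1 before any DNS lookup happens. This added Python example, which is not from the post or from any of the Hosts file projects it links, merges a blocklist into existing hosts-file text the way a careful helper would: it validates each name, skips duplicates, and refuses to redirect localhost. The sample hosts text and blocklist are constructed; the 127.0.0.1 sink follows the post, and the NEVER_BLOCK set is my assumption.

```python
import re

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars, no leading or
# trailing hyphen. A full name is dot-separated labels, at most 253 chars in total.
LABEL_RE = re.compile(r'^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$')

SINK = "127.0.0.1"   # address the post directs blocked names to; 0.0.0.0 is a
                     # common alternative that avoids connecting to a local web server
NEVER_BLOCK = {"localhost", "localhost.localdomain"}   # assumption: keep local resolution working

# Constructed sample input: an existing hosts file and a blocklist to merge into it.
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1 localhost
127.0.0.1 ads.example.test  # already blocked
"""
SAMPLE_BLOCKLIST = ["ads.example.test", "Tracker.Example.Test", "bad_host.test", "localhost", "# comment"]


def valid_hostname(name):
    """True when every dot-separated label is RFC 1123 clean and the whole fits in 253 chars."""
    return 0 < len(name) <= 253 and all(LABEL_RE.match(label) for label in name.split("."))


def parse_hosts(text):
    """Yield (address, hostname) for every mapping in hosts-file text, comments stripped."""
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        for host in parts[1:]:        # one address may carry several names
            yield parts[0], host.lower()


def merge_blocklist(hosts_text, blocklist):
    """Return (new_hosts_text, skipped): skipped pairs each rejected name with the reason."""
    existing = {host for _, host in parse_hosts(hosts_text)}
    added, skipped = [], []
    for raw in blocklist:
        name = raw.strip().lower()    # hostnames are case-insensitive
        if not name or name.startswith("#"):
            continue
        if not valid_hostname(name):
            skipped.append((name, "invalid hostname"))
        elif name in NEVER_BLOCK:
            skipped.append((name, "would break local resolution"))
        elif name in existing:
            skipped.append((name, "already present"))
        else:
            existing.add(name)
            added.append(f"{SINK} {name}")
    out = hosts_text.rstrip("\n") + "\n"
    if added:
        out += "# --- blocklist entries added by merge_blocklist ---\n" + "\n".join(added) + "\n"
    return out, skipped


if __name__ == "__main__":
    merged, rejected = merge_blocklist(SAMPLE_HOSTS, SAMPLE_BLOCKLIST)
    print(merged)
    for name, why in rejected:
        print(f"skipped {name}: {why}")
```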

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Chris,

    Well, one more problem. I ran the ComboFix /Uninstall and, although it did remove the ComboFix icon from my Desktop, I received an error message stating that "Windows cannot find 'ComboFix'". Also, McAfee showed the Artemis..... trojan detected alert again as soon as I ran the ComboFix uninstall request. I ran a file search for 'ComboFix' and there were 14 combofix files found. Should I manually delete those 14 files?

    I'll wait for your instructions. Thanks.

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Sparty,

    Please delete the following files from your machine. They are all part of ComboFix.

    -Combo-Fix.sys
    -nircmd.exe
    -pev.exe
    -pv.com
    -swreg.exe
    -grep.exe
    -hidec.exe
    -sed.exe
    -zip.exe
    -winstart.bat
    -append.dll
    -mbr.exe

    Do you have the path to that Artemis Trojan that McAfee picked up?

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Chris,

    Of the files listed above that are part of ComboFix, my search was unable to find Combo-Fix.sys, pv.com, hidec.exe (2 prefetch files associated with that file were found and deleted), winstart.bat and append.dll. The rest of the files were found and deleted along with the 14 files with 'combofix' in their names (logs, text files, prefetch, etc.). Is it a problem that those other files couldn't be located?

    Maybe it has something to do with the "Artemis Trojan" situation. I found the file in the quarantined files of McAfee and it looks like, on 3 separate occasions, that the combofix.exe file was the culprit that was identified as a possible threat and quarantined. That likely explains why combofix kept disappearing from my desktop. Maybe it explains the other files not being found?? Check out this link from McAfee regarding Artemis http://community.mcafee.com/message/98190

    The link in the 1st reply (by the moderator) is particularly interesting. Apparently, "Artemis is a new technology by McAfee which provides always-on real-time protection that safeguards and secures you from emerging threats."

    What do you think, Chris?

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Hi Sparty,

    I've been talking to the behind the scenes guys about this. We've determined that the Artemis trojan detected by McAfee was actually ComboFix.

    A lot of times tools we use will be detected as Malware because of the way they are developed. Last I checked, one of our most powerful tools wasn't Malware...

    We've also determined you're good in terms of the botched ComboFix removal. You got it all manually.

    Anything else I can do before this is archived? It's been a pleasure working with you...

    Re: NEED HELP!!! INFECTED WITH GENERIC DOWNLOADER.X!DXZ....CAN'T OPERATE DESKTOP

    Sounds good to me, Chris.

    Once again, thanks so much for your competent assistance!

    Hopefully, I won't be needing the Geek Police in the future.....but if I do, I'll do so with confidence.

    Peace!