speednutt
asked on
Microsoft.WindowsSecurityCenter_disabled Problem virus
Hello all, I am cleaning viruses from a machine and Spybot keeps coming up and removing the virus Microsoft.WindowsSecurityCenter_disabled Problem virus. I have restarted the Security Center service, but within 30 seconds it is back off again.
I have run Malwarebytes, Spybot, TDSSKiller, and a host of other programs to no avail.
I have updated my Java and removed all older versions as well.
I was running Microsoft Security Essentials; however, this virus disabled it and I am not able to open, update or scan with Security Essentials now.
After checking all over the web for an instance that seemed to fit my application, I can't find anything, so here I am asking for help.
ASKER CERTIFIED SOLUTION
Did you run the scans in safe mode?
SOLUTION
You also might have a rootkit. Scan for rootkits using one of the tools reviewed in this article:
https://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html
You should scan with at least 3 anti-rootkit tools; they all detect differently. If you find and clean something, be sure to scan again with a regular anti-malware app.
ASKER
OK, I ran ComboFix and this is the report. I am still unable to run the Security Center.
ComboFix 11-01-25.05 - Administrator 01/26/2011 15:13:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.647 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Application Data\install
c:\documents and settings\Administrator\Application Data\install_pal
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Administrator\Application Data\uid_pal
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\User.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_SSHNAS
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2010-12-26 to 2011-01-26 )))))))))))))))))))))))))))))))
.
2011-01-26 19:14 . 2011-01-26 19:14 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-26 18:53 . 2011-01-26 18:53 -------- d-----w- c:\program files\Common Files\Java
2011-01-26 18:53 . 2010-11-13 00:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-26 18:49 . 2010-12-23 01:45 2336384 ----a-w- c:\windows\system32\BootMan.exe
2011-01-26 18:49 . 2010-07-15 14:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2011-01-26 18:49 . 2010-07-15 14:44 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2011-01-26 18:49 . 2010-07-15 14:44 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2011-01-26 18:49 . 2010-07-15 14:44 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2011-01-26 18:41 . 2011-01-26 18:49 -------- d-----w- c:\program files\EASEUS
2011-01-26 18:28 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-01-26 18:28 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-01-26 18:28 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-01-26 18:28 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-01-25 02:38 . 2010-06-16 14:59 5588304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{07E9068C-999A-4B16-BE22-E7553328509D}\mpengine.dll
2011-01-25 02:35 . 2011-01-25 02:35 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-01-25 02:14 . 2011-01-25 02:14 -------- d-----w- c:\windows\TempFEF64CCA-7CD1-DB4B-53AC-309D31BC8067-Signatures
2011-01-25 02:12 . 2011-01-25 02:41 -------- d-----w- C:\de0d2a4396998aa3183a61fd35f4f9
2011-01-24 23:02 . 2011-01-24 23:02 79360 --sha-r- c:\windows\system32\smime3N.dll
2011-01-24 22:53 . 2011-01-24 22:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-01-20 22:57 . 2011-01-20 22:57 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-20 19:19 . 2011-01-20 19:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-01-20 19:19 . 2011-01-20 19:19 18297 ----a-w- c:\windows\system32\MAI4.tmp
2011-01-20 19:17 . 2011-01-20 19:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-20 19:00 . 2011-01-20 19:00 -------- d-----w- C:\Temp
2011-01-15 14:23 . 2011-01-15 14:57 -------- d-----w- c:\documents and settings\Administrator\.SSRB2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 00:09 . 2010-10-24 01:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-10-24 01:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-13 19:01 . 2010-06-02 00:00 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-13 19:01 . 2010-06-02 00:00 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-13 19:01 . 2010-06-02 00:00 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-13 19:01 . 2010-06-02 00:00 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-11-18 18:12 . 2008-04-06 03:16 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 22:34 . 2008-04-07 15:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-10 04:33 . 2010-06-22 22:00 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
.
(((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-08-13 00:46 194912 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]
c:\documents and settings\admin\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Brock Hot Key.exe.lnk - c:\program files\Brock Supply Co\Brock Hotkey\Brock Hot Key.exe [2008-1-17 327680]
Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2009-9-21 446976]
Service Manager.lnk - c:\program files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-13 19:01 87424 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagull Drivers]
ssdal_nc.exe startup [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-04-25 19:28 954368 ----a-w- c:\program files\HP\Dfawep\bin\hpbdfawep.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NA1Messenger]
2009-12-02 02:36 24576 ----a-w- c:\ups\WSTD\UPSNA1Msgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPPOLL]
2005-03-02 22:12 24576 ----a-w- c:\program files\Topro\tppoll.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 11:29 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S3 DCamUSBIntel;Digi-Microscope;c:\windows\system32\drivers\TP6800.sys [4/8/2008 9:36 AM 211680]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [1/26/2011 12:49 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [1/26/2011 12:49 PM 8456]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
Contents of the 'Scheduled Tasks' folder
2011-01-26 c:\windows\Tasks\User_Feed_Synchronization-{67A22DCE-2AE1-42B8-80D0-FCC1A2018453}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://69.21.158.138/WinWebPush.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cflive.audatex.us/cf1live/static/weblaunch/weblaunch2.cab
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-Adobe Updater - c:\windows\system32\AdbUpdater.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-26 15:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\
[HKEY_USERS\S-1-5-21-1659004503-1409082233-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,3f,e9,54,1a,5e,bd,47,96,85,8f,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
- - - - - - - > 'explorer.exe'(2448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\java.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-01-26 15:24:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-26 21:24
Pre-Run: 67,614,236,672 bytes free
Post-Run: 67,736,350,720 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30
- - End Of File - - CD0A6BE910B4ABB2A98294C2753210DA
Hope this helps, and thanks.
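The log above carries four indicators that a responder would want to pull out before deciding whether the box is cleanable: the Security Center "DisableMonitoring" value set to 1, the "oddc" entry under Policies\Explorer\Run pointing at a DLL in system32 that was created the day before with system+hidden attributes, an ActiveX (DPF) download from a bare IP address, and 47 At*.job tasks. The following Python is an added example, not part of the original thread and not part of ComboFix: it parses a constructed excerpt of the posted log (paths and registry keys copied from it, extraction spacing repaired) and produces those findings, so the same check can be rerun on other ComboFix reports. The ComboFix line formats it matches are taken from the log as posted; the severity labels and the threshold of 10 At jobs are my own assumptions.

```python
import re

# Constructed excerpt modelled on the ComboFix log posted above. The paths,
# registry keys and DPF entries are copied from that log (with the extraction
# line breaks repaired); the parsing and severity labels are added example
# code and are not part of ComboFix or of the original post.
_AT_JOBS = "\n".join(rf"c:\windows\Tasks\At{n}.job" for n in range(1, 48))
SAMPLE_LOG = _AT_JOBS + r"""
2011-01-24 23:02 . 2011-01-24 23:02 79360 --sha-r- c:\windows\system32\smime3N.dll
2011-01-26 18:53 . 2010-11-13 00:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-25 02:35 . 2011-01-25 02:35 -------- d--h--w- c:\windows\system32\GroupPolicy
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://69.21.158.138/WinWebPush.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cflive.audatex.us/cf1live/static/weblaunch/weblaunch2.cab
"""

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"([^"]*)"|dword:([0-9a-fA-F]{8}))')
# ComboFix file line: "<created> . <modified> <size> <attributes> <path>"
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?:\d+|-+)\s+([-a-z]{8})\s+(.+)$")
AT_JOB_RE = re.compile(r"^c:\\windows\\tasks\\at\d+\.job$", re.I)
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - h(?:xx|tt)ps?://([^/]+)/")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
AT_JOB_THRESHOLD = 10  # assumption: a few At*.job files are normal, dozens are not


def triage(log_text):
    """Return (severity, reason, evidence) tuples for one ComboFix log."""
    findings = []
    hidden_sys_files = set()
    at_jobs = 0
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if AT_JOB_RE.match(line):
            at_jobs += 1
            continue
        m = FILE_RE.match(line)
        if m:
            attrs, path = m.group(1), m.group(2).lower()
            # attribute string: d = directory, s = system, h = hidden, a = archive
            if (attrs[0] != "d" and "s" in attrs and "h" in attrs
                    and "\\system32\\" in path):
                hidden_sys_files.add(path)
                findings.append(("medium", "system+hidden file dropped in system32", path))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m:
            name, data, dword = m.group(1), m.group(2), m.group(3)
            if ("\\security center\\monitoring" in current_key
                    and name.lower() == "disablemonitoring" and dword == "00000001"):
                findings.append(("high", "Security Center monitoring disabled in registry",
                                 current_key))
            # Policies\Explorer\Run is a Group Policy location, not one applications
            # register in; an entry there that names a freshly dropped hidden DLL
            # is rated higher than an entry pointing at an ordinary file.
            if current_key.endswith("\\policies\\explorer\\run") and data:
                sev = "high" if data.lower() in hidden_sys_files else "medium"
                findings.append((sev, "autorun via Policies\\Explorer\\Run: " + name, data))
            continue
        m = DPF_RE.match(line)
        if m and IPV4_RE.match(m.group(1)):
            findings.append(("medium", "ActiveX (DPF) download from a bare IP", line))
    if at_jobs >= AT_JOB_THRESHOLD:
        findings.append(("high", f"{at_jobs} At*.job tasks (scheduled-task flood)",
                         r"c:\windows\Tasks"))
    return findings


def count_by_severity(findings):
    """Collapse a findings list to {'high': n, 'medium': n}."""
    counts = {}
    for sev, _, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, reason, evidence in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}: {evidence}")
```

Run it as-is to see the five findings for the excerpt; to use it on a real report, read the ComboFix log file into a string and pass it to triage() instead of SAMPLE_LOG. The file line and registry line patterns only cover the formats visible in the log above, so sections in other ComboFix versions may need the regexes adjusted.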
ComboFix 11-01-25.05 - Administrator 01/26/2011 15:13:06.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.
Running from: c:\documents and settings\Administrator\Des
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D
.
((((((((((((((((((((((((((
.
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\documents and settings\Administrator\App
c:\windows\system32\driver
c:\windows\system32\User.i
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((((
.
-------\Legacy_6TO4
-------\Legacy_SSHNAS
-------\Service_6to4
((((((((((((((((((((((((( Files Created from 2010-12-26 to 2011-01-26 ))))))))))))))))))))))))))
.
2011-01-26 19:14 . 2011-01-26 19:14 -------- d-----w- C:\TDSSKiller_Quarantine
2011-01-26 18:53 . 2011-01-26 18:53 -------- d-----w- c:\program files\Common Files\Java
2011-01-26 18:53 . 2010-11-13 00:53 472808 ----a-w- c:\windows\system32\deploy
2011-01-26 18:49 . 2010-12-23 01:45 2336384 ----a-w- c:\windows\system32\BootMa
2011-01-26 18:49 . 2010-07-15 14:44 86408 ----a-w- c:\windows\system32\setupe
2011-01-26 18:49 . 2010-07-15 14:44 8456 ----a-w- c:\windows\system32\EuGdiD
2011-01-26 18:49 . 2010-07-15 14:44 13192 ----a-w- c:\windows\system32\epmntd
2011-01-26 18:49 . 2010-07-15 14:44 14848 ----a-w- c:\windows\system32\EuEpmG
2011-01-26 18:41 . 2011-01-26 18:49 -------- d-----w- c:\program files\EASEUS
2011-01-26 18:28 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcac
2011-01-26 18:28 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidser
2011-01-26 18:28 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcac
2011-01-26 18:28 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\driver
2011-01-26 18:28 . 2008-04-13 19:45 32128 -c--a-w- c:\windows\system32\dllcac
2011-01-26 18:28 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\driver
2011-01-25 02:38 . 2010-06-16 14:59 5588304 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{07E9068C-999A-4B1
2011-01-25 02:35 . 2011-01-25 02:35 -------- d--h--w- c:\windows\system32\GroupP
2011-01-25 02:14 . 2011-01-25 02:14 -------- d-----w- c:\windows\TempFEF64CCA-7C
2011-01-25 02:12 . 2011-01-25 02:41 -------- d-----w- C:\de0d2a4396998aa3183a61f
2011-01-24 23:02 . 2011-01-24 23:02 79360 --sha-r- c:\windows\system32\smime3
2011-01-24 22:53 . 2011-01-24 22:57 -------- d-----w- c:\documents and settings\LocalService\Loca
2011-01-20 22:57 . 2011-01-20 22:57 -------- d-----w- c:\windows\system32\%APPDA
2011-01-20 19:19 . 2011-01-20 19:19 -------- d-sh--w- c:\windows\system32\config
2011-01-20 19:19 . 2011-01-20 19:19 18297 ----a-w- c:\windows\system32\MAI4.t
2011-01-20 19:17 . 2011-01-20 19:20 -------- d-----w- c:\documents and settings\NetworkService\Lo
2011-01-20 19:00 . 2011-01-20 19:00 -------- d-----w- C:\Temp
2011-01-15 14:23 . 2011-01-15 14:57 -------- d-----w- c:\documents and settings\Administrator\.SS
.
((((((((((((((((((((((((((
.
2010-12-21 00:09 . 2010-10-24 01:46 38224 ----a-w- c:\windows\system32\driver
2010-12-21 00:08 . 2010-10-24 01:46 20952 ----a-w- c:\windows\system32\driver
2010-12-13 19:01 . 2010-06-02 00:00 53632 ----a-w- c:\windows\system32\Spool\
2010-12-13 19:01 . 2010-06-02 00:00 83360 ----a-w- c:\windows\system32\LMIRfs
2010-12-13 19:01 . 2010-06-02 00:00 29568 ----a-w- c:\windows\system32\LMIpor
2010-12-13 19:01 . 2010-06-02 00:00 87424 ----a-w- c:\windows\system32\LMIini
2010-11-18 18:12 . 2008-04-06 03:16 81920 ----a-w- c:\windows\system32\isign3
2010-11-12 22:34 . 2008-04-07 15:52 73728 ----a-w- c:\windows\system32\javacp
2010-11-10 04:33 . 2010-06-22 22:00 6273872 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dl
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\winine
2010-11-06 00:26 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcp
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.i
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\driver
.
((((((((((((((((((((((((((
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Brow
2010-08-13 00:46 194912 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
[HKEY_LOCAL_MACHINE\SOFTWA
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeA
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInS
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\p
[HKEY_LOCAL_MACHINE\softwa
"oddc"="c:\windows\system3
c:\documents and settings\admin\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Brock Hot Key.exe.lnk - c:\program files\Brock Supply Co\Brock Hotkey\Brock Hot Key.exe [2008-1-17 327680]
Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2009-9-21 446976]
Service Manager.lnk - c:\program files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlma
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminde
[HKEY_LOCAL_MACHINE\softwa
2010-12-13 19:01 87424 ----a-w- c:\windows\system32\LMIini
[HKEY_LOCAL_MACHINE\SYSTEM
@="Service"
[HKLM\~\startupfolder\C:^D
path=c:\documents and settings\Administrator\Sta
backup=c:\windows\pss\Open
[HKEY_LOCAL_MACHINE\softwa
ssdal_nc.exe startup [X]
[HKEY_LOCAL_MACHINE\softwa
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\softwa
2007-04-25 19:28 954368 ----a-w- c:\program files\HP\Dfawep\bin\hpbdfa
[HKEY_LOCAL_MACHINE\softwa
2009-12-02 02:36 24576 ----a-w- c:\ups\WSTD\UPSNA1Msgr.exe
[HKEY_LOCAL_MACHINE\softwa
2005-03-02 22:12 24576 ----a-w- c:\program files\Topro\tppoll.exe
[HKEY_LOCAL_MACHINE\softwa
"DisableMonitoring"=dword:
[HKEY_LOCAL_MACHINE\softwa
"DisableMonitoring"=dword:
[HKEY_LOCAL_MACHINE\softwa
"DisableMonitoring"=dword:
[HKLM\~\services\sharedacc
"%windir%\\system32\\sessm
"%windir%\\Network Diagnostic\\xpnetdiag.exe"
"c:\\Program Files\\Messenger\\msmsgs.e
"c:\\WINDOWS\\system32\\mm
[HKLM\~\services\sharedacc
"6160:TCP"= 6160:TCP:Seagull Driver Networking
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater
R2 LMIGuardianSvc;LMIGuardian
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.s
R2 MSSQL$UPSWSDBSERVER;MSSQL$
S3 DCamUSBIntel;Digi-Microsco
S3 epmntdrv;epmntdrv;c:\windo
S3 EuGdiDrv;EuGdiDrv;c:\windo
S3 SQLAgent$UPSWSDBSERVER;SQL
.
Contents of the 'Scheduled Tasks' folder
2011-01-26 c:\windows\Tasks\User_Feed
- c:\windows\system32\msfeed
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
DPF: {7876E4A5-78B7-4020-B08F-C
DPF: {97BB6657-DC7F-4489-9067-5
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-
MSConfigStartUp-Adobe Updater - c:\windows\system32\AdbUpd
**************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-26 15:19
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\LMIini
c:\windows\system32\LMIRfs
- - - - - - - > 'explorer.exe'(2448)
c:\windows\system32\WININE
c:\windows\system32\iefram
c:\windows\system32\webche
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.ex
c:\program files\LogMeIn\x86\RaMaint.
c:\program files\LogMeIn\x86\LogMeIn.
c:\windows\system32\java.e
c:\ups\WSTD\MSSQL$UPSWSDBS
c:\windows\System32\spool\
c:\windows\system32\rundll
.
**************************
.
Completion time: 2011-01-26 15:24:16 - machine was rebooted
ComboFix-quarantined-files
Pre-Run: 67,614,236,672 bytes free
Post-Run: 67,736,350,720 bytes free
WindowsXP-KB310994-SP2-Pro
[boot loader]
timeout=2
default=multi(0)disk(0)rdi
[operating systems]
c:\cmdcons\BOOTSECT.DAT="M
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)par
[spybotsd]
timeout.old=30
- - End Of File - - CD0A6BE910B4ABB2A98294C275
Hope this helps, and thanks.
ASKER
Also, I just tried to reinstall Security Essentials and after it tries to install it gives error code: 0x80070643 (not a BSOD code)
thanks
You could try this: http://support.microsoft.com/kb/958052
Here is an article related to your issue as well: http://social.answers.microsoft.com/Forums/en-US/msestart/thread/908fad3e-f9fc-4d8a-be83-ae7d3bc48db5
Looks like the rootkit is still there. Try a scan with Unhackme:
http://www.greatis.com/unhackme/download.htm
Download and install the trial version. Click on "Check me now!" - if it says no Trojan is found, click OK, then select "Test Windows boot process". Agree the reboot. The pc will reboot.
The program will now load and run before your desktop loads. Then it will say "You have a number of suspicious programs." Click on "Fix Programs".
It will set a restore point, then give you a list of boot processes. For each one, you can select "Get it out!", "False positive" or "I'm not sure..." which gives you a report on how bad/good the program may be.
I usually terminate anything assessed to be over 30% "bad".
The app. will then need to reboot.
Once the pc is clean, you should uninstall Unhackme - it is a very intrusive program.
And if none of that works a fresh install is always a good route ;)
ASKER
I have tried the Microsoft Fix it tool. No luck. I tried the scan with UnHackMe and it didn't come up with anything dangerous. All the files, if looked at, are my normal program files.
I am about ready to do a complete reinstall, but this computer is for a business and that is only an absolute last resort, as there are lots of files that would take days to redo.
Any other suggestions? I am all ears.
Let's hear some thoughts on doing a repair install of Windows. Do you think that could solve it?
I know, I am grasping at straws.
Thanks for all the suggestions thus far.
IMHO an attempt to Repair install is unlikely to improve the situation, but others may not agree.... I appreciate a reformat is your last resort.
Another possible option is to select "Request Attention" top right of this thread, and request that this question is also entered in the HijackThis TA where hopefully rpggamergirl(if she's around) can expertly analyse your ComboFix log and provide a small script for a ComboFix re-run.
Speaking of which ....have a look under sub-heading "Scan for rootkits" in one of her articles & you'll see Gmer and RootRepeal, they're worth trying >>
https://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1979-THINGS-YOU-NEED-TO-DO-WHEN-YOUR-PC-IS-INFECTED.html
ASKER
OK all, I have done all of the recommendations as listed. I am still fighting it. I know it can be fixed, as when I run RKill at least I am able to start and update Security Essentials. However, it is right back after a restart. I tried to run all available scans to find the culprit after the RKill as well.
I have also cloned the drive now. I am willing to do some riskier tricks to get this thing cured, as I know I have a backup if I get carried away.
Thanks for all the suggestions thus far.
>>willing to do some riskier tricks<<
Okay ..well, have recognised two nasties at least, in the ComboFix log. Will compose a script, & get back to you within the hour hopefully.
Some malware is so much of a moving target that no anti-malware can fix it. Even the best anti-virus only catches about 95%. Yours may be that 5%. There's probably some undetected part of malware that is re-installing the rest of the malware, so even if you clean it it'll come back.
Understand that an in-place reinstall won't remedy the issue, because by its very nature an in-place reinstall retains the user settings AND all the programs that have been added to the OS; it only replaces the OS files themselves.
You might try, under Safe Mode, to use System Restore to put the system back to the way it was up to 30 days ago, IF that was before this infestation hooked itself into the OS/registry. But there's still a risk that some other portion will re-add itself. No firewall will stop it, because it is not an intrusion initiated from outside; it is inside reaching out to get it.
You probably have to build a new box/hard drive, and then migrate the user's documents, purchased downloads, photos, and the often forgotten: favorites, email local storage, address book (some email, such as Hotmail, Gmail, Yahoo or Exchange Server, is kept on the server anyway). Make an inventory list of all the programs that need to be put on; maybe they don't all have to go on today necessarily. Keep the old drive on a shelf, so that if something was forgotten it can be obtained.
You've likely now exceeded the time required to rebuild trying to fix it, and you've already done a more than very thorough attempt. I know it seems like you've almost got it, but you may be stuck at "almost" forever.
Besides, the risk to the rest of the machines on the enterprise side of the firewall is too great.
If you're still willing to run a script, here we are. Have included the appropriate instructions>
1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
======================================================
File::
c:\windows\system32\EuEpmGdi.dll
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys
Folder::
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys
==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix & hopefully remove the problem.
Then, quickly re-run HitmanPro or Malwarebytes, the aim being to remove any remaining Malware fragments, *before* you reboot the computer again.
5. Finally, please attach the new ComboFix logfile.
Worth a try i believe ...& good luck.
My last comment was obviously done in a hurry, & it may not catch everything ...worth trying nevertheless!
May i suggest you run 2 or 3 of the best scanners you were given earlier, *before* you re-boot or re-start.
These last comments are with great respect for the last posting by ocanada_tec… , which I agree does sound logical if there's a serious time constraint.
New version of script will be with you in 5 minutes.
1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
======================================================
File::
c:\windows\system32\EuEpmGdi.dll
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys
Folder::
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys
Drivers::
\Legacy_6TO4
\Legacy_SSHNAS
\Service_6to4
Services::
\Legacy_6TO4
\Legacy_SSHNAS
\Service_6to4
==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix & hopefully remove the problem.
Then, quickly re-run HitmanPro or Malwarebytes, the aim being to remove any remaining Malware fragments, *before* you reboot the computer again.
5. Finally, please attach the new ComboFix logfile.
ASKER
OK, I will run the script. Be back with results shortly.
ASKER
OK, here is the report after running the script. Unfortunately still the same result. I have to run RKill to get Security Essentials to start up and run.
ComboFix 11-01-27.01 - testing 01/27/2011 14:42:00.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.685 [GMT -6:00]
Running from: c:\documents and settings\testing\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\testing\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
FILE ::
"c:\windows\system32\epmntdrv.sys"
"c:\windows\system32\EuEpmGdi.dll"
"c:\windows\system32\EuGdiDrv.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\epmntdrv.sys
c:\windows\system32\EuEpmGdi.dll
c:\windows\system32\EuGdiDrv.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_epmntdrv
-------\Legacy_EuGdiDrv
-------\Service_epmntdrv
-------\Service_EuGdiDrv
((((((((((((((((((((((((( Files Created from 2010-12-27 to 2011-01-27 )))))))))))))))))))))))))))))))
.
2011-01-27 17:59 . 2011-01-13 07:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C0B4DEB8-89B1-40AF-972B-CE30B7299DA7}\mpengine.dll
2011-01-27 02:27 . 2011-01-27 02:27 2 --shatr- c:\windows\winstart.bat
2011-01-27 02:27 . 2011-01-27 02:35 -------- d-----w- c:\program files\UnHackMe
2011-01-27 02:21 . 2011-01-27 02:22 -------- d-----w- c:\documents and settings\testing
2011-01-27 02:17 . 2011-01-27 02:18 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-26 21:40 . 2011-01-26 21:40 -------- d-----w- c:\program files\Sophos
2011-01-26 18:53 . 2011-01-26 18:53 -------- d-----w- c:\program files\Common Files\Java
2011-01-26 18:53 . 2010-11-13 00:53 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-01-26 18:49 . 2010-12-23 01:45 2336384 ----a-w- c:\windows\system32\BootMan.exe
2011-01-26 18:49 . 2010-07-15 14:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2011-01-26 18:41 . 2011-01-26 18:49 -------- d-----w- c:\program files\EASEUS
2011-01-26 18:28 . 2008-04-14 01:11 21504 -c--a-w- c:\windows\system32\dllcache\hidserv.dll
2011-01-26 18:28 . 2008-04-14 01:11 21504 ----a-w- c:\windows\system32\hidserv.dll
2011-01-26 18:28 . 2008-04-13 19:39 14592 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:39 14592 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:45 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2011-01-26 18:28 . 2008-04-13 19:45 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2011-01-25 02:35 . 2011-01-25 02:35 -------- d--h--w- c:\windows\system32\GroupPolicy
2011-01-25 02:14 . 2011-01-25 02:14 -------- d-----w- c:\windows\TempFEF64CCA-7CD1-DB4B-53AC-309D31BC8067-Signatures
2011-01-25 02:12 . 2011-01-27 02:50 -------- d-----w- C:\junk
2011-01-24 23:02 . 2011-01-24 23:02 79360 --sha-r- c:\windows\system32\smime3N.dll
2011-01-24 22:53 . 2011-01-24 22:57 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-01-20 22:57 . 2011-01-20 22:57 -------- d-----w- c:\windows\system32\%APPDATA%
2011-01-20 19:19 . 2011-01-20 19:19 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2011-01-20 19:19 . 2011-01-20 19:19 18297 ----a-w- c:\windows\system32\MAI4.tmp
2011-01-20 19:17 . 2011-01-20 19:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-20 19:00 . 2011-01-20 19:00 -------- d-----w- C:\Temp
2011-01-15 14:23 . 2011-01-15 14:57 -------- d-----w- c:\documents and settings\Administrator\.SSRB2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 07:41 . 2010-06-22 22:00 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-12-21 00:09 . 2010-10-24 01:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-10-24 01:46 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-13 19:01 . 2010-06-02 00:00 53632 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-13 19:01 . 2010-06-02 00:00 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2010-12-13 19:01 . 2010-06-02 00:00 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-12-13 19:01 . 2010-06-02 00:00 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-11-18 18:12 . 2008-04-06 03:16 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-12 22:34 . 2008-04-07 15:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2004-08-04 12:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-08-13 00:46 194912 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]
c:\documents and settings\admin\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Brock Hot Key.exe.lnk - c:\program files\Brock Supply Co\Brock Hotkey\Brock Hot Key.exe [2008-1-17 327680]
Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2009-9-21 446976]
Service Manager.lnk - c:\program files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-13 19:01 87424 ----a-w- c:\windows\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagull Drivers]
ssdal_nc.exe startup [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-04-25 19:28 954368 ----a-w- c:\program files\HP\Dfawep\bin\hpbdfawep.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NA1Messenger]
2009-12-02 02:36 24576 ----a-w- c:\ups\WSTD\UPSNA1Msgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPPOLL]
2005-03-02 22:12 24576 ----a-w- c:\program files\Topro\tppoll.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 11:29 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S3 DCamUSBIntel;Digi-Microscope;c:\windows\system32\drivers\TP6800.sys [4/8/2008 9:36 AM 211680]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
Contents of the 'Scheduled Tasks' folder
2011-01-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
2011-01-27 c:\windows\Tasks\User_Feed_Synchronization-{67A22DCE-2AE1-42B8-80D0-FCC1A2018453}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
DPF: {7876E4A5-78B7-4020-B08F-C 960A1ED54C 9} - hxxp://69.21.158.138/WinWe bPush.cab
DPF: {97BB6657-DC7F-4489-9067-5 1FAB9D8857 E} - hxxp://cflive.audatex.us/c f1live/sta tic/weblau nch/weblau nch2.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{604BC32A-9680- 40D1-9AC6- E06B23A1BA 4C} - (no file)
************************** ********** ********** ********** ********** ********
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-27 14:49
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\35.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\LMIinit.dll
- - - - - - - > 'explorer.exe'(3372)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\windows\system32\java.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-01-27 14:53:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-27 20:53
Pre-Run: 66,960,146,432 bytes free
Post-Run: 66,977,177,600 bytes free
- - End Of File - - 61B406892BBD060A1477547BE601D139
It is looking more and more like I will have to start over with a new drive.
Thanks for all the help and suggestions. At least now the system is manageable with Rkill.
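The service lines in the ComboFix log above (the R2/S3 entries) are the part a reviewer reads most carefully. The following is an added example, not ComboFix's own code and not from anyone in this thread: it parses a few lines constructed in the same shape as the log and flags the ones worth a second look by hand, namely an image path ending in .tmp, a trailing [?] where ComboFix recorded no date or size, or an image sitting under a user profile or temp directory. A flag is a prompt for manual review, not a verdict: temporary driver entries of the MEMSWEEP2 shape are also left behind by legitimate on-demand scanners, so the output only says "check this one".

```python
"""Triage the service lines of a ComboFix-style log.

Added example (not ComboFix's own code). Handles lines of the form
    R2 Name;Display Name;c:\\path\\image.exe [date time size]
    S3 Name;Display;\\??\\c:\\path\\x.tmp --> c:\\path\\x.tmp [?]
and flags entries a reviewer would want to inspect by hand.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of lines copied in shape from the log above.
SAMPLE_LOG = r"""
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
"""

FLAG_TMP_IMAGE = "image is a .tmp file"
FLAG_NO_FILE_INFO = "no file date/size recorded ([?])"
FLAG_PROFILE_PATH = "image lives under a user profile or temp directory"

# Directory fragments that should rarely host a service or driver image.
PROFILE_MARKERS = ("\\documents and settings\\", "\\temp\\",
                   "\\application data\\", "\\local settings\\")

# <start> <name>;<display>;<body> [<info>]  -- body may contain ' --> resolved path'
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<body>.*?)\s*\[(?P<info>[^\]]*)\]\s*$"
)


@dataclass
class ServiceEntry:
    start: str        # ComboFix notation: R2 = running/auto start, S3 = stopped/manual start
    name: str
    display: str
    image: str        # executable or driver path, arguments and \??\ prefix stripped
    info: str         # contents of the trailing [...] block
    flags: List[str] = field(default_factory=list)


def _image_from_body(body: str) -> str:
    """Take the resolved path (right of '-->' if present) and cut off any arguments."""
    resolved = body.split(" --> ")[-1].strip()
    if resolved.startswith("\\??\\"):          # NT object-manager prefix, common for drivers
        resolved = resolved[4:]
    head, sep, tail = resolved.rpartition("\\")
    # The file name is the first whitespace-separated token after the last backslash;
    # anything after it (e.g. -sUPSWSDBSERVER) is a command-line argument.
    parts = tail.split()
    return head + sep + (parts[0] if parts else tail)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    entry = ServiceEntry(start=m["start"], name=m["name"], display=m["display"],
                         image=_image_from_body(m["body"]), info=m["info"].strip())
    lower = entry.image.lower()
    if lower.endswith(".tmp"):
        entry.flags.append(FLAG_TMP_IMAGE)
    if entry.info == "?":
        entry.flags.append(FLAG_NO_FILE_INFO)
    if any(marker in lower for marker in PROFILE_MARKERS):
        entry.flags.append(FLAG_PROFILE_PATH)
    return entry


def triage(log_text: str) -> List[ServiceEntry]:
    """Return every parsable service entry; look at .flags for the ones worth a second look."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry:
            entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        marker = "REVIEW" if e.flags else "ok    "
        print(f"{marker} {e.start} {e.name:<22} {e.image}  {'; '.join(e.flags)}")
```

Feed it the whole log (`triage(open("ComboFix.txt").read())`) and it ignores every non-service line; only the two [?] entries and the .tmp-backed driver come back flagged, which is the short list you would then check against what was installed on the machine (here a Sophos tool and SQL Server, both visible elsewhere in the log).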
Pity the script writing wasn't successful. So good luck with the new drive.
@speednutt,
You had a lot of great advice, but I didn't see anywhere that you had cleaned all of the Temp/Junk files from the normal user's account.
Malware will very often reside in those folders and continually re-infect the system.
A very simple (and free) tool I use is from www.ccleaner.com - but it needs to be run from each profile on the computer.
There is another good cleaner program out there (the name escapes me) that will clear all profiles with one run.
ASKER
Well everyone, I would call this one a wrap. We tried everything mentioned (I mean everything) and I still came up a bit short. That's the breaks. I did learn a great deal from all that contributed, though, so that is worth something.
I am going to do a fresh install on a new drive and take a look back at this drive in a couple of weeks or so. Maybe something will give then.
The next question: how is it recommended that I apply the points that I offered for your help? I know that there were several who contributed and some answers were more in depth than others, so I would like to apply the points the best way possible. If there were only a couple of responses it would be a lot easier.
I do appreciate everyone's help and that is why I pay my monthly fees even though I haven't used the service as much as I probably should.
Thanks much.
speednutt,
Glad to help, but wish we could have resolved it!
Suggest the points are equally shared between those you feel contributed something of use for your future troubleshooting, as well as our attempts at restoring the drive. Rkill obviously contributed something, but I'll go along with whatever you all decide.
Have to log off now for ~48 hours, so I'm taking the easy way out!
It's over to the others for their thoughts ....!!
Distribute the points the way you see fit. The posts that have information that benefits you in the future are sure to earn something. I wish we could have helped. There was a lot of effort and good suggestions.
ASKER
Thanks for all the help. Also, thanks for being so quick in your response times. If there were a way to give the points to everyone I would have done that.
ASKER
Just wanted to update everyone that the problem has finally been solved. I ran Hitman Pro 3.5 for a second time and it found the rootkit and successfully cleared it out. Mission accomplished, and thanks so much for everyone's help in this matter. I didn't have to wipe the drive and all the data was saved.
I can't thank you all enough.
It's very rewarding for us all to get this kind of feedback ... thank you!
Glad you were able to recover all data.
Glad to hear that your problem is resolved.