Cannot run HJT; problem with msa.exe and cannot access Spybot S&D to remove properly

Hi Blade,
ComboFix still crashed. I was able to delete the dll, dat and sys files in C:\WINDOWS\system32 and C:\WINDOWS\system32\drivers\ starting with kbiwk using GMER. They were easy to find because they were in red font. The first time I had two dll, two dat and one sys (zero db). ComboFix crashed. I ran GMER again. This time there were two dll, one dat and one sys (zero db). Rebooted and ComboFix crashed again.

I appreciate your time and help.

Regards, Sed
 
GMER 1.0.15.15077 [g1frkdri.exe] - http://www.gmer.net
Rootkit scan 2009-08-29 09:32:36
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.15 ----

Code 860726D8 ZwEnumerateKey
Code 860716D8 ZwFlushInstructionCache
Code 860746D6 ZwSaveKey
Code 860736D6 ZwSaveKeyEx
Code 860756D6 IofCallDriver
Code 860766D6 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E13A7 5 Bytes JMP 860756DB
.text ntoskrnl.exe!IofCompleteRequest 804E17BD 5 Bytes JMP 860766DB

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1424] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00A1000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [61138F3A] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61138F3A] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6113A1CE] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61138E7D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [61138E01] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [61138E3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61138F3A] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6113A18E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [6113A21C] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [6113A1CE] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61138F78] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61138E3F] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [61138E7D] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [61139723] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61138F40] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61138E01] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] [6113A14E] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe[1984] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [61139B0C] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmsswuypdw.sys (*** hidden *** ) [SYSTEM] kbiwkmlnmbftko <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko@imagepath \systemroot\system32\drivers\kbiwkmsswuypdw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main@aid 20029
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmsswuypdw.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqipyviyq.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxfubsdnq.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmwbkfceep.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmlnmbftko\modules@kbiwkm.dat \systemroot\system32\kbiwkmphqbyexm.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko@imagepath \systemroot\system32\drivers\kbiwkmsswuypdw.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main@aid 20029
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main@sid 0
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\injector@* kbiwkmwsp.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmsswuypdw.sys
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqipyviyq.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmxfubsdnq.dat
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmwbkfceep.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kbiwkmlnmbftko\modules@kbiwkm.dat \systemroot\system32\kbiwkmphqbyexm.dat
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----
 
Hi,

Remove all these files in c:\windows\system32 folder thru GMER if present (if that folder has other kbiwkm* files with .dll, .dat, .db extensions, delete those too):
kbiwkmqipyviyq.dll
kbiwkmlog.dat
kbiwkmxfubsdnq.dat
kbiwkmwsp.dll
kbiwkmwbkfceep.dll
kbiwkm.dat
kbiwkmphqbyexm.dat


Then kill the driver by right clicking rooter GMER found (in red colour) and select "delete service". You should be prompted for a reboot. After reboot, run ComboFix again.
 
Last edited:
Hi,
ComboFix crashed again twice. I rebooted, shut down all open apps; used Windows Task Manager to End Process TeaTimer then opened GMER. In GMER I clicked on >>> then choose Files then drilled down to c:\windows\system32 I saw two dll and two dat files that started with kbiwk, which I deleted in GMER. I then drilled down to c:\windows\system32\drivers\ and saw one sys file that started with kbiwk; I then clicked on "Kill". I was asked if I wanted to Kill the file and I clicked "yes". I got a message saying the file was killed successfully. Then I deleted this sys file in GMER. I rebooted and ran ComboFix and it crashed.

Attempt 2: same as above but with one more step. Went to "Services" tab in GMER and scrolled down and found the service that started with kbiwk (in red font). I right clicked on it and chose "delete". Rebooted, ran ComboFix and it crashed again.

Thanks for being so patient - this bug sure is resilient. Regards, Sed
 
Hi,

Please attempt same thing again. This time make sure following two conditions are fulfilled first:
1. ComboFix is the latest version available:
*Delete your present copy
*Get fresh copy of one of these links to your desktop (rename the file to sVCHost.exe while you choose the destination for it):
Link 1
Link 2
2. Disconnect network cable to make sure nothing gets downloaded background.
 
Hi Blade,
I don't think an internet connection is method of reinstalling files. ComboFix still crashed. I downloaded a fresh copy of ComboFix.exe and saved it to my desktop as sVCHost.exe then unplugged internet connection cable. Then opened GMER and deleted files and killed the service (see previous post for steps). Ran sVCHost.exe and it crashed. The file renamed itself back to ComboFix.exe

Second attempt: started all steps over closed GMER and restart GMER and the files would reappear (with no internet connection) - they reinstalled themselves.

Note: in SYSTEM32 directory, did not rewrite unless closed GMER and then restart GMER. In Service tab, sys file would not rewrite unless close GMER and then restart GMER. In DRIVER directory would rewrite itself if I only changed file directory in GMER (e.g. from SYSTEM32 to DRIVER and back).

When I double clicked sVCHost.exe and ComboFix started running, the file name on my desktop changed itself from sVCHost.exe to ComboFix.exe

What does scecli.dll do? I came across a similiar/same issue I am having here. I tried to figure out why Katana mentioned this file (since it was not in the logs posted by Nicademas) - what do you think?

http://forums.spybot.info/showthread.php?t=50599&highlight=msa.exe&page=3

Thanks, Sed
 
Hi,

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
dir /s /a C:\WINDOWS\system32\eventlog.dll >c:\fileCheck.txt

Double-click on fixes.bat file to execute it. Post back contents of c:\fileCheck.txt file.


1. Start GMER and do a quick scan. It should give a message about rootkit activity.
2. If it asks for full scan, select "no".
3. Right click kbiwkmlnmbftko and select "disable service". You'll be most likely asked to reboot system. Please, let it do so.
4. After reboot, open GMER again and see if the corresponding service is in disabled state.

If it is in disabled state, try to run ComboFix again. If it still fails, post a fresh GMER log.
 
SUCCESS! Thank you for your persistence. Sed

Here are the contents of c:\fileCheck.txt

Volume in drive C has no label.
Volume Serial Number is 68DA-F59B

Directory of C:\WINDOWS\system32

07/27/2007 05:00 AM 55,808 eventlog.dll
1 File(s) 55,808 bytes

Directory of C:\WINDOWS\system32\dllcache

07/27/2007 05:00 AM 55,808 eventlog.dll
1 File(s) 55,808 bytes

Total Files Listed:
2 File(s) 111,616 bytes
0 Dir(s) 143,669,596,160 bytes free


Here is the ComboFix log:

ComboFix 09-08-29.01 - Ed 08/30/2009 8:49.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.629 [GMT -7:00]
Running from: c:\documents and settings\Ed\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-2817313480-2510513228-1861896776-500
c:\windows\Fonts\ZWAdobeF.TTF
c:\windows\Installer\WMEncoder.msi
c:\windows\system32\drivers\kbiwkmsswuypdw.sys
c:\windows\system32\kbiwkmbesvjibc.dll
c:\windows\system32\kbiwkmdibimxfq.dll
c:\windows\system32\kbiwkmrcvbdwyp.dat
c:\windows\system32\kbiwkmwmcqpful.dat
c:\windows\system32\uninstall.exe
M:\autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_kbiwkmlnmbftko
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_kbiwkmlnmbftko


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-29 23:41 . 2009-08-29 23:41 1924440 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-08-29 19:29 . 2009-08-29 19:30 -------- d-s---w- C:\asp
2009-08-28 19:41 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-28 19:41 . 2009-08-28 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 19:41 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 18:37 . 2009-08-28 18:37 -------- d-----w- c:\program files\Trend Micro
2009-08-26 23:18 . 2009-08-26 23:18 -------- d-----w- c:\documents and settings\Ed\Application Data\Malwarebytes
2009-08-26 23:18 . 2009-08-26 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-26 21:23 . 2009-08-26 21:23 -------- d-----w- C:\rsit
2009-08-25 18:33 . 2009-08-25 18:33 70656 ----a-w- c:\windows\system32\drivers\yyqdsvrcgtsiuwiv.sys
2009-08-23 21:06 . 2009-08-23 21:06 -------- d-----w- C:\New Folder
2009-08-13 15:25 . 2009-08-13 15:25 -------- d-----w- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-28 19:41 . 2008-06-03 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-27 17:34 . 2009-04-28 20:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-26 19:03 . 2008-06-03 17:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-26 16:08 . 2009-05-06 06:17 -------- d-----w- c:\documents and settings\Ed\Application Data\uTorrent
2009-08-24 17:55 . 2008-05-11 20:55 -------- d-----w- c:\documents and settings\Ed\Application Data\AdobeUM
2009-08-23 21:34 . 2008-08-28 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-18 16:32 . 2008-05-21 21:22 -------- d-----w- c:\documents and settings\Sue\Application Data\AdobeUM
2009-08-17 02:36 . 2008-08-07 22:42 82216 ----a-w- c:\documents and settings\Sue\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2007-07-27 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 19:30 . 2008-05-10 17:21 82216 ----a-w- c:\documents and settings\Ed\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-27 04:51 . 2009-01-23 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-21 04:34 . 2008-06-19 06:14 -------- d-----w- c:\documents and settings\Ed\Application Data\FileZilla
2009-07-20 17:57 . 2008-05-24 16:07 -------- d-----w- c:\program files\SG2
2009-07-17 21:01 . 2008-12-11 17:29 -------- d-----w- c:\documents and settings\Ed\Application Data\webex
2009-07-17 18:55 . 2007-07-27 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2007-07-27 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 20:07 . 2009-07-12 20:07 -------- d-----w- c:\program files\PCFriendly
2009-06-26 16:18 . 2007-07-27 12:00 659456 ----a-w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2007-07-27 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2007-07-27 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2007-07-27 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2007-07-27 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2007-07-27 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2007-07-27 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2007-07-27 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2007-07-27 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2007-07-27 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2007-07-27 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2007-07-27 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2007-07-27 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2007-07-27 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:44 . 2007-07-27 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2007-07-27 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2007-07-27 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2007-07-27 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2007-07-27 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2007-07-27 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-22 11:49 . 2007-07-27 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2007-07-27 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2007-07-27 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2007-07-27 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2007-07-27 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2007-07-27 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2007-07-27 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2007-07-27 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2007-07-27 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2007-07-27 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2007-07-27 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2009-01-23 00:50 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2007-07-27 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2002-09-11 14:26 . 2008-12-20 19:55 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-06 4347120]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-04 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-20 16384512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-23 101136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-17 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-5-19 688128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SkyGolf\\SkyCaddie Desktop\\SkyCaddieDesktop.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2553:UDP"= 2553:UDP:Windows Media Format SDK (iexplore.exe)
"2552:UDP"= 2552:UDP:Windows Media Format SDK (iexplore.exe)

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Ed\Desktop\sysProt\SysProt\SysProt\SysProtDrv.sys [8/26/2009 3:25 PM 44288]
S4 Slasocdnndkm;Slasocdnndkm; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://statgeeks.football.cbssports.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\tl11ba9k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://statgeeks.football.sportsline.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\tl11ba9k.default\extensions\piclens@cooliris.com\components\piclensstub.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 09:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\wbem\Performance\WmiApRpl_new.ini 924 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3544)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-30 9:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 16:08

Pre-Run: 143,592,009,728 bytes free
Post-Run: 144,225,214,464 bytes free

195 --- E O F --- 2009-08-26 22:43
 
Sweet!! :D:


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu
    select
    Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck
    Resident TeaTimer
     and OK any prompts.
  • Restart your computer


Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Driver::
Slasocdnndkm
File::
c:\windows\system32\drivers\yyqdsvrcgtsiuwiv.sys
Folder::
c:\documents and settings\Ed\Application Data\uTorrent
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
"FirewallOverride"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Do you necessarily need these programs:
Adobe Acrobat 4.0
Adobe Acrobat 6.0 Standard

If not, it's recommended to uninstall both since those are heavily outdated and vulnerable. If you still need them let me know if it's just converting to PDFs or something else.



Uninstall vulnerable Flash versions by following instructions here. Fresh version can be obtained here.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


* Go here to run an online scanner from ESET.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Run Win32kDiag and post back its report too.
 
Hi Blade,
I am not able to run Spybot S&D. This is exactly like it was at the very beginning. When I try to start Spybot I get an error message stating "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." After the first failure, I unistalled the program and went and got a "fresh" executable file and reinstalled Spybot. It stopped midway to tell me that SpybotSD.exe is a "read only" file and did I want to abort, ignore or retry. I clicked on retry a couple of times, but it did not continue.

I think we are getting close. Thanks, Sed
 
Hi,

Place this file in Spybot folder and drag SpybotSD.exe file to it. That will release the lock. If you face any similarly behaving files do same thing for them.
 
SUCCESS! Inherit.exe worked perfectly to unlock SpybotSD.exe

I have unistalled Adobe Acrobat 4.0
I am keeping Adobe Acrobat 6.0 Standard to created/edit PDF files
I assume I should download and install Adobe Reader 9.1 to view PDF files (and make it my default reader) - correct?
I removed previous versions of Flash by using the uninstall program from Adobe
I downloaded and installed Adobe Flash Player version 10.0.32.18

I dropped CFScript.txt into ComboFix (see log below).

I will run ATF Cleaner.exe and run an online scan from ESET to follow.

Thanks, Sed


ComboFix 09-08-29.01 - Ed 08/30/2009 11:18.2.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.658 [GMT -7:00]
Running from: c:\documents and settings\Ed\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ed\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\drivers\yyqdsvrcgtsiuwiv.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ed\Application Data\uTorrent
c:\documents and settings\Ed\Application Data\uTorrent\dht.dat
c:\documents and settings\Ed\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Ed\Application Data\uTorrent\resume.dat
c:\documents and settings\Ed\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Ed\Application Data\uTorrent\rss.dat
c:\documents and settings\Ed\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Ed\Application Data\uTorrent\settings.dat
c:\documents and settings\Ed\Application Data\uTorrent\settings.dat.old
c:\windows\system32\drivers\yyqdsvrcgtsiuwiv.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Slasocdnndkm


((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-30 )))))))))))))))))))))))))))))))
.

2009-08-29 23:41 . 2009-08-29 23:41 1924440 ----a-w- c:\documents and settings\Ed\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdatepl\fpupdatepl.exe
2009-08-29 19:29 . 2009-08-29 19:30 -------- d-s---w- C:\asp
2009-08-28 19:41 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-28 19:41 . 2009-08-28 19:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 19:41 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-28 18:37 . 2009-08-28 18:37 -------- d-----w- c:\program files\Trend Micro
2009-08-26 23:18 . 2009-08-26 23:18 -------- d-----w- c:\documents and settings\Ed\Application Data\Malwarebytes
2009-08-26 23:18 . 2009-08-26 23:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-26 21:23 . 2009-08-26 21:23 -------- d-----w- C:\rsit
2009-08-23 21:06 . 2009-08-23 21:06 -------- d-----w- C:\New Folder
2009-08-13 15:25 . 2009-08-13 15:25 -------- d-----w- c:\windows\ServicePackFiles

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-30 18:10 . 2008-06-03 17:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-08-30 18:07 . 2008-06-03 17:50 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-30 17:52 . 2008-05-10 17:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-27 17:34 . 2009-04-28 20:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-08-24 17:55 . 2008-05-11 20:55 -------- d-----w- c:\documents and settings\Ed\Application Data\AdobeUM
2009-08-23 21:34 . 2008-08-28 05:51 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2009-08-18 16:32 . 2008-05-21 21:22 -------- d-----w- c:\documents and settings\Sue\Application Data\AdobeUM
2009-08-17 02:36 . 2008-08-07 22:42 82216 ----a-w- c:\documents and settings\Sue\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2007-07-27 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-30 19:30 . 2008-05-10 17:21 82216 ----a-w- c:\documents and settings\Ed\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-27 04:51 . 2009-01-23 01:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-21 04:34 . 2008-06-19 06:14 -------- d-----w- c:\documents and settings\Ed\Application Data\FileZilla
2009-07-20 17:57 . 2008-05-24 16:07 -------- d-----w- c:\program files\SG2
2009-07-17 21:01 . 2008-12-11 17:29 -------- d-----w- c:\documents and settings\Ed\Application Data\webex
2009-07-17 18:55 . 2007-07-27 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 06:43 . 2007-07-27 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-12 20:07 . 2009-07-12 20:07 -------- d-----w- c:\program files\PCFriendly
2009-06-26 16:18 . 2007-07-27 12:00 659456 ------w- c:\windows\system32\wininet.dll
2009-06-26 16:18 . 2007-07-27 12:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-06-25 18:36 . 2007-07-27 12:00 95744 ----a-w- c:\windows\system32\mqsec.dll
2009-06-25 18:36 . 2007-07-27 12:00 661504 ----a-w- c:\windows\system32\mqqm.dll
2009-06-25 18:36 . 2007-07-27 12:00 517120 ----a-w- c:\windows\system32\mqsnap.dll
2009-06-25 18:36 . 2007-07-27 12:00 48640 ----a-w- c:\windows\system32\mqupgrd.dll
2009-06-25 18:36 . 2007-07-27 12:00 471552 ----a-w- c:\windows\system32\mqutil.dll
2009-06-25 18:36 . 2007-07-27 12:00 47104 ----a-w- c:\windows\system32\mqdscli.dll
2009-06-25 18:36 . 2007-07-27 12:00 225280 ----a-w- c:\windows\system32\mqoa.dll
2009-06-25 18:36 . 2007-07-27 12:00 186880 ----a-w- c:\windows\system32\mqtrig.dll
2009-06-25 18:36 . 2007-07-27 12:00 177152 ----a-w- c:\windows\system32\mqrt.dll
2009-06-25 18:36 . 2007-07-27 12:00 16896 ----a-w- c:\windows\system32\mqise.dll
2009-06-25 18:36 . 2007-07-27 12:00 138240 ----a-w- c:\windows\system32\mqad.dll
2009-06-25 18:36 . 2007-07-27 12:00 123392 ----a-w- c:\windows\system32\mqrtdep.dll
2009-06-25 08:44 . 2007-07-27 12:00 724480 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:44 . 2007-07-27 12:00 59392 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:44 . 2007-07-27 12:00 56320 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:44 . 2007-07-27 12:00 298496 ----a-w- c:\windows\system32\kerberos.dll
2009-06-25 08:44 . 2007-07-27 12:00 168448 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:44 . 2007-07-27 12:00 133632 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-22 11:49 . 2007-07-27 12:00 19968 ----a-w- c:\windows\system32\mqbkup.exe
2009-06-22 11:49 . 2007-07-27 12:00 117248 ----a-w- c:\windows\system32\mqtgsvc.exe
2009-06-22 11:49 . 2007-07-27 12:00 4608 ----a-w- c:\windows\system32\mqsvc.exe
2009-06-22 11:48 . 2007-07-27 12:00 91776 ----a-w- c:\windows\system32\drivers\mqac.sys
2009-06-22 11:34 . 2007-07-27 12:00 92544 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:55 . 2007-07-27 12:00 82432 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:55 . 2007-07-27 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-12 11:50 . 2007-07-27 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-12 11:50 . 2007-07-27 12:00 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:21 . 2007-07-27 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 06:32 . 2007-07-27 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-05 07:42 . 2009-01-23 00:50 655872 ----a-w- c:\windows\system32\mstscax.dll
2009-06-03 19:27 . 2007-07-27 12:00 1290752 ----a-w- c:\windows\system32\quartz.dll
2002-09-11 14:26 . 2008-12-20 19:55 63730 ----a-w- c:\program files\viewsonicinstruct_xp.pdf
.

((((((((((((((((((((((((((((( SnapShot@2009-08-30_16.03.52 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-30 18:26 . 2009-08-30 18:26 16384 c:\windows\temp\Perflib_Perfdata_688.dat
+ 2009-08-30 18:14 . 2009-08-30 18:14 16384 c:\windows\temp\Perflib_Perfdata_63c.dat
+ 2007-07-27 12:00 . 2009-08-30 18:19 40196 c:\windows\system32\perfc009.dat
- 2007-07-27 12:00 . 2009-08-30 15:44 40196 c:\windows\system32\perfc009.dat
+ 2009-08-30 18:01 . 2009-08-30 18:01 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
- 2008-05-29 16:29 . 2009-08-29 23:41 84661 c:\windows\system32\Macromed\Flash\uninstall_plugin.exe
+ 2007-07-27 12:00 . 2009-08-30 18:19 311934 c:\windows\system32\perfh009.dat
- 2007-07-27 12:00 . 2009-08-30 15:44 311934 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-11-06 4347120]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2006-03-17 102400]
"NeroCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"UVS10 Preload"="c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe" [2006-08-09 36864]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2007-10-04 1626112]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-20 16384512]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-01-23 101136]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-12-17 113664]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-5-19 688128]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office10\\FRONTPG.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\SkyGolf\\SkyCaddie Desktop\\SkyCaddieDesktop.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2553:UDP"= 2553:UDP:Windows Media Format SDK (iexplore.exe)
"2552:UDP"= 2552:UDP:Windows Media Format SDK (iexplore.exe)

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Ed\Desktop\sysProt\SysProt\SysProt\SysProtDrv.sys [8/26/2009 3:25 PM 44288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://statgeeks.football.cbssports.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\tl11ba9k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://statgeeks.football.sportsline.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\Ed\Application Data\Mozilla\Firefox\Profiles\tl11ba9k.default\extensions\piclens@cooliris.com\components\piclensstub.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-30 11:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3684)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Logitech\khalshared\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-30 11:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-30 18:31
ComboFix2.txt 2009-08-30 16:08

Pre-Run: 144,132,718,592 bytes free
Post-Run: 144,082,923,520 bytes free

200 --- E O F --- 2009-08-26 22:43
 
Successfully ran ATF-Cleaner.exe
Successfully ran ESET (see report below)
Fresh dds.txt log (see below)
Win32kDiag (see report below)

Thanks, Sed



ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6050
# api_version=3.0.2
# EOSSerial=bbe8f24b76b5614a8ead7c7c5f458dad
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2009-08-30 09:22:23
# local_time=2009-08-30 02:22:23 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# scanned=979736
# found=38
# cleaned=0
# scan_time=9013
C:\Old Hard Drive July 2004\Program Files\Outlook Express\Ed Jan '99\Mail\Inbox.mbx Coke joke 00000000000000000000000000000000 I
C:\Old Hard Drive July 2004\Program Files\Outlook Express\Ed Jan '99\Mail\Sent Items.mbx Flipped joke 00000000000000000000000000000000 I
C:\Old Hard Drive July 2004\WINDOWS\Application Data\Microsoft\Outlook Express\sent archive '97.dbx Flipped joke 00000000000000000000000000000000 I
C:\Old Hard Drive July 2004\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx Coke joke 00000000000000000000000000000000 I
C:\Old Hard Drive July 2004\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Sent Items.mbx Flipped joke 00000000000000000000000000000000 I
C:\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\CSSecure.dll Win32/Adware.Comet application 00000000000000000000000000000000 I
C:\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\dm.exe probably a variant of Win32/Adware.Comet application 00000000000000000000000000000000 I
C:\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\dmfilemap.xml Win32/Adware.Comet application 00000000000000000000000000000000 I
C:\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\dmproxy.dll Win32/Adware.Comet application 00000000000000000000000000000000 I
C:\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\DMUpdate.exe Win32/TrojanDownloader.Comet.A trojan 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\Local Settings\Temporary Internet Files\Content.IE5\PLWFANXD\2440sogjdgxo[1].exe probably a variant of Win32/TrojanDownloader.Delf trojan 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\Old Hard Drive July 2004\Program Files\Outlook Express\Ed Jan '99\Mail\Inbox.mbx Coke joke 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\Old Hard Drive July 2004\Program Files\Outlook Express\Ed Jan '99\Mail\Sent Items.mbx Flipped joke 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\Old Hard Drive July 2004\WINDOWS\Application Data\Microsoft\Outlook Express\sent archive '97.dbx Flipped joke 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\Old Hard Drive July 2004\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx Coke joke 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\Old Hard Drive July 2004\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Sent Items.mbx Flipped joke 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\CSSecure.dll Win32/Adware.Comet application 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\dm.exe probably a variant of Win32/Adware.Comet application 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\dmfilemap.xml Win32/Adware.Comet application 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\dmproxy.dll Win32/Adware.Comet application 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\SAYER's Documents\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\DMUpdate.exe Win32/TrojanDownloader.Comet.A trojan 00000000000000000000000000000000 I
C:\old_hard_drive_April_2008\Documents and Settings\SAYER\Start Menu\Programs\Startup\PowerReg Scheduler.exe Win32/PowerReg application 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmsswuypdw.sys.vir a variant of Win32/Rootkit.Kryptik.I trojan 00000000000000000000000000000000 I
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\yyqdsvrcgtsiuwiv.sys.vir a variant of Win32/Rootkit.Kryptik.I trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0AB16BD1-A7E7-48B0-AE94-B14A97538217}\RP380\A0149257.sys a variant of Win32/Rootkit.Kryptik.I trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{0AB16BD1-A7E7-48B0-AE94-B14A97538217}\RP380\A0149538.sys a variant of Win32/Rootkit.Kryptik.I trojan 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\Back Up of updated files\QuickBackup_Repository\C\WINDOWS\Application Data\Microsoft\Outlook Express\sent archive '97.dbx Flipped joke 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\Back Up of updated files\QuickBackup_Repository\C\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx Coke joke 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\Back Up of updated files\QuickBackup_Repository\C\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Sent Items.mbx Flipped joke 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\Program Files\Outlook Express\Ed Jan '99\Mail\Inbox.mbx Coke joke 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\Program Files\Outlook Express\Ed Jan '99\Mail\Sent Items.mbx Flipped joke 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\WINDOWS\Application Data\Microsoft\Outlook Express\sent archive '97.dbx Flipped joke 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Inbox.mbx Coke joke 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\WINDOWS\Application Data\Microsoft\Outlook Express\Mail\Sent Items.mbx Flipped joke 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\CSSecure.dll Win32/Adware.Comet application 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\dmfilemap.xml Win32/Adware.Comet application 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\dmproxy.dll Win32/Adware.Comet application 00000000000000000000000000000000 I
M:\Maxtor backup\SAYER_home_Ed_My_Docs_Oct_2007\C\Documents and Settings\SAYER\My Documents\Old Hard Drive July 2004\WINDOWS\TEMP\csstub\DMUpdate.exe Win32/TrojanDownloader.Comet.A trojan 00000000000000000000000000000000 I






DDS (Ver_09-07-30.01) - NTFSx86
Run by Ed at 15:08:02.43 on Sun 08/30/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.251 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Ed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://statgeeks.football.cbssports.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UVS10 Preload] c:\program files\ulead systems\ulead videostudio se dvd\uvPL.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/T26L/webex/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\tl11ba9k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://statgeeks.football.sportsline.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\ed\application data\mozilla\firefox\profiles\tl11ba9k.default\extensions\piclens@cooliris.com\components\piclensstub.dll

============= SERVICES / DRIVERS ===============

S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\ed\desktop\sysprot\sysprot\sysprot\SysProtDrv.sys [2009-8-26 44288]

=============== Created Last 30 ================

2009-08-30 11:44 <DIR> --d----- c:\program files\ESET
2009-08-30 09:07 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-29 12:29 <DIR> --ds---- C:\asp
2009-08-28 12:41 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-28 12:41 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-28 12:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 11:37 <DIR> --d----- c:\program files\Trend Micro
2009-08-28 11:19 <DIR> a-dshr-- C:\cmdcons
2009-08-28 11:17 229,376 a------- c:\windows\PEV.exe
2009-08-28 11:17 161,792 a------- c:\windows\SWREG.exe
2009-08-28 11:17 98,816 a------- c:\windows\sed.exe
2009-08-26 16:18 <DIR> --d----- c:\docume~1\ed\applic~1\Malwarebytes
2009-08-26 16:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-23 14:06 <DIR> --d----- C:\New Folder
2009-08-13 08:25 <DIR> --d----- c:\windows\ServicePackFiles

==================== Find3M ====================

2009-08-05 02:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 11:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 09:18 659,456 -------- c:\windows\system32\wininet.dll
2009-06-26 09:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 11:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 11:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 11:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 11:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 11:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 11:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 11:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 11:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 11:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 11:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 11:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 11:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-25 01:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 01:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 01:44 56,320 a------- c:\windows\system32\secur32.dll
2009-06-22 04:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 04:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 04:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 04:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 04:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 07:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-09 23:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 00:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\quartz.dll
2002-09-11 07:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 15:08:20.17 ===============





Log file is located at: C:\Documents and Settings\Ed\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!
 
Hi Blade,
I think we are almost done (but I will let you tell me so before floating away).

I wanted to express my gratitude. I am very competent with computers, but this attack would have consumed me without your assistance (I am sure my next steps would be to back up all my data files and reinstall Windows XP on my machine and even this may not have ultimately saved me). If I understand correctly, you are a volunteer - correct? Wow. My hat is off to you for your commitment. You have spent (easily) tens of hours (just with me) over the past three days. Again - thank you.

Out of curiosity, how did we break this one? I have followed a dozen or more similar threads and all seem to end a bit differently. Reminds me of a magician/chemist reaching into his bag of tricks and trying things/tests until the answer reveals itself. Anyway, I am impressed. Below is the paragraph where our case turned. Can you explain in one or two sentences what was the key that solve my adventure?

Deepest respect, Sed


Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file fixes.bat, change the Save as type to all files and save it to your desktop.
@echo off
dir /s /a C:\WINDOWS\system32\eventlog.dll >c:\fileCheck.txt

Double-click on fixes.bat file to execute it. Post back contents of c:\fileCheck.txt file.


1. Start GMER and do a quick scan. It should give a message about rootkit activity.
2. If it asks for full scan, select "no".
3. Right click kbiwkmlnmbftko and select "disable service". You'll be most likely asked to reboot system. Please, let it do so.
4. After reboot, open GMER again and see if the corresponding service is in disabled state.

If it is in disabled state, try to run ComboFix again. If it still fails, post a fresh GMER log.
 
I assume I should download and install Adobe Reader 9.1 to view PDF files (and make it my default reader) - correct?
Click to expand...
Yes, and install updates 9.1.2 & 9.1.3 for it. Alternatively, you may check free readers introduced here or get Foxit Reader here. Make sure you don't install toolbar if choose Foxit Reader!

Out of curiosity, how did we break this one? I have followed a dozen or more similar threads and all seem to end a bit differently.
Click to expand...
Yes, every malware removal case is a unique one. That's why we ask users to create own topics if they have issues instead of following instructions given for someone else. In your case we should had disabled the rooter in the first place and not attempt to delete it straight away.

Of those ESET findings delete those not QooBox or system restore related ones. These other two will be cleaned in final stage.

Please post a fresh dds.txt log and I'll give the final instructions if nothing else turns up :)
 
Hi Blade,
I installed Adobe Reader 9.1 and update 9.1.3

I deleted the files in ESET findings except for
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\kbiwkmsswuypdw.sys.vir a variant of Win32/Rootkit.Kryptik.I trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\yyqdsvrcgtsiuwiv.sys.vir a variant of Win32/Rootkit.Kryptik.I trojan
C:\System Volume Information\_restore{0AB16BD1-A7E7-48B0-AE94-B14A97538217}\RP380\A0149257.sys a variant of Win32/Rootkit.Kryptik.I trojan
C:\System Volume Information\_restore{0AB16BD1-A7E7-48B0-AE94-B14A97538217}\RP380\A0149538.sys a variant of Win32/Rootkit.Kryptik.I trojan

Here is a fresh DDS log

DDS (Ver_09-07-30.01) - NTFSx86
Run by Ed at 10:17:25.81 on Mon 08/31/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1023.492 [GMT -7:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\khalshared\KHALMNPR.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\DllHost.exe
C:\WINDOWS\System32\svchost.exe -k getPlusHelper
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Ed\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://statgeeks.football.cbssports.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: HelperObject Class: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\progra~1\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\progra~1\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [NeroCheck] c:\windows\system32\NeroCheck.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [UVS10 Preload] c:\program files\ulead systems\ulead videostudio se dvd\uvPL.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRunOnce: [Uninstall Adobe Download Manager] "c:\windows\system32\rundll32.exe" "c:\program files\nos\bin\getPlus_Helper.dll",Uninstall /Get1noarp
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\acroba~1.lnk - c:\program files\adobe\acrobat 6.0\distillr\acrotray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://freetrial.webex.com/client/T26L/webex/ieatgpc.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ed\applic~1\mozilla\firefox\profiles\tl11ba9k.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://statgeeks.football.sportsline.com/|http://www.google.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - component: c:\documents and settings\ed\application data\mozilla\firefox\profiles\tl11ba9k.default\extensions\piclens@cooliris.com\components\piclensstub.dll
FF - plugin: c:\documents and settings\ed\application data\mozilla\firefox\profiles\tl11ba9k.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll

============= SERVICES / DRIVERS ===============

R3 getPlusHelper;getPlus(R) Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2007-7-27 14336]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\d:\ntglm7x.sys --> d:\NTGLM7X.sys [?]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\ed\desktop\sysprot\sysprot\sysprot\SysProtDrv.sys [2009-8-26 44288]

=============== Created Last 30 ================

2009-08-30 11:44 <DIR> --d----- c:\program files\ESET
2009-08-30 09:07 <DIR> -cd----- c:\windows\system32\dllcache\cache
2009-08-29 12:29 <DIR> --ds---- C:\asp
2009-08-28 12:41 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-28 12:41 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-28 12:41 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-08-28 11:37 <DIR> --d----- c:\program files\Trend Micro
2009-08-28 11:19 <DIR> a-dshr-- C:\cmdcons
2009-08-28 11:17 229,376 a------- c:\windows\PEV.exe
2009-08-28 11:17 161,792 a------- c:\windows\SWREG.exe
2009-08-28 11:17 98,816 a------- c:\windows\sed.exe
2009-08-26 16:18 <DIR> --d----- c:\docume~1\ed\applic~1\Malwarebytes
2009-08-26 16:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-08-23 14:06 <DIR> --d----- C:\New Folder
2009-08-13 08:25 <DIR> --d----- c:\windows\ServicePackFiles

==================== Find3M ====================

2009-08-05 02:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 11:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-06-26 09:18 659,456 -------- c:\windows\system32\wininet.dll
2009-06-26 09:18 81,920 a------- c:\windows\system32\ieencode.dll
2009-06-25 11:36 661,504 a------- c:\windows\system32\mqqm.dll
2009-06-25 11:36 517,120 a------- c:\windows\system32\mqsnap.dll
2009-06-25 11:36 471,552 a------- c:\windows\system32\mqutil.dll
2009-06-25 11:36 225,280 a------- c:\windows\system32\mqoa.dll
2009-06-25 11:36 186,880 a------- c:\windows\system32\mqtrig.dll
2009-06-25 11:36 177,152 a------- c:\windows\system32\mqrt.dll
2009-06-25 11:36 138,240 a------- c:\windows\system32\mqad.dll
2009-06-25 11:36 123,392 a------- c:\windows\system32\mqrtdep.dll
2009-06-25 11:36 95,744 a------- c:\windows\system32\mqsec.dll
2009-06-25 11:36 48,640 a------- c:\windows\system32\mqupgrd.dll
2009-06-25 11:36 47,104 a------- c:\windows\system32\mqdscli.dll
2009-06-25 11:36 16,896 a------- c:\windows\system32\mqise.dll
2009-06-25 01:44 724,480 a------- c:\windows\system32\lsasrv.dll
2009-06-25 01:44 298,496 a------- c:\windows\system32\kerberos.dll
2009-06-25 01:44 168,448 a------- c:\windows\system32\schannel.dll
2009-06-25 01:44 133,632 a------- c:\windows\system32\msv1_0.dll
2009-06-25 01:44 59,392 a------- c:\windows\system32\wdigest.dll
2009-06-25 01:44 56,320 a------- c:\windows\system32\secur32.dll
2009-06-22 04:49 117,248 a------- c:\windows\system32\mqtgsvc.exe
2009-06-22 04:49 19,968 a------- c:\windows\system32\mqbkup.exe
2009-06-22 04:49 4,608 a------- c:\windows\system32\mqsvc.exe
2009-06-16 07:55 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 07:55 82,432 a------- c:\windows\system32\fontsub.dll
2009-06-12 04:50 80,896 a------- c:\windows\system32\tlntsess.exe
2009-06-12 04:50 76,288 a------- c:\windows\system32\telnet.exe
2009-06-10 07:21 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-09 23:32 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-05 00:42 655,872 a------- c:\windows\system32\mstscax.dll
2009-06-03 12:27 1,290,752 a------- c:\windows\system32\quartz.dll
2002-09-11 07:26 63,730 a------- c:\program files\viewsonicinstruct_xp.pdf

============= FINISH: 10:17:45.93 ===============
 
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis




Now lets uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /u in the runbox and click OK

Next we remove all used tools.

Please download OTC and save it to desktop.
  • Double-click OTC.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.


DDS and Win32kDiag + related logs can be removed too.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
  • Get Anti Virus Software and keep it updated - Most AVs will update automatically, but if not I would recommend making updating the AV the first job every time the PC is connected to the internet. An AV that is using defs that are seven days old is not going to be much protection. If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out. Good free antivirus programs are:
    Antivir
    Avast!
    Good commercial ones are from:
    Kaspersky and
    ESET
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo HopSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!). Both providers have support forums that help with configuration related questions.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top