Solved

Microsoft.WindowsSecurityCenter_disabled Problem virus

Posted on 2011-01-26
34
Medium Priority
2,781 Views
Last Modified: 2013-11-22
Hello all, I am cleaning viruses from a machine and Spybot keeps coming up and removing the virus - Microsoft.WindowsSecurityCenter_disabled Problem virus. I have restarted the Security Center service, but within 30 seconds it is back off again.

I have run Malwarebytes, Spybot, TDSSKiller, and a host of other programs to no avail.

I have updated my Java and removed all older versions as well.

I was running Microsoft Security Essentials; however, this virus disabled it and I am not able to open, update or scan with Security Essentials now.

After checking all over the web for an instance that seemed to fit my application, I can't find anything, so here I am asking for help.
Question by:speednutt
34 Comments
 
LVL 6

Accepted Solution

by:
originalbiffmalibu earned 800 total points
ID: 34705865
Did you run combofix yet?
0
 
LVL 4

Expert Comment

by:Ara-
ID: 34705979
Did you run the scans in safe mode?
0
 
LVL 23

Assisted Solution

by:phototropic
phototropic earned 400 total points
ID: 34705999
Hitman Pro is another good scanner:

 http://www.surfright.nl/en/home/

If you do run Combofix, post the log for review.
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 34706391
You also might have a rootkit.  Scan for rootkits using one of the tools reviewed in this article:

http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

You should scan with at least 3 anti-rootkit tools - they all detect differently.  IF you find and clean something be sure to scan again with regular anti-malware app.
0
 

Author Comment

by:speednutt
ID: 34706491
OK, I ran ComboFix and this is the report. I still am unable to run the Security Center.

ComboFix 11-01-25.05 - Administrator 01/26/2011  15:13:06.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.647 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\install
c:\documents and settings\Administrator\Application Data\install_pal
c:\documents and settings\Administrator\Application Data\PriceGong
c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Administrator\Application Data\uid_pal
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\User.ini
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_SSHNAS
-------\Service_6to4


(((((((((((((((((((((((((   Files Created from 2010-12-26 to 2011-01-26  )))))))))))))))))))))))))))))))
.

2011-01-26 19:14 . 2011-01-26 19:14      --------      d-----w-      C:\TDSSKiller_Quarantine
2011-01-26 18:53 . 2011-01-26 18:53      --------      d-----w-      c:\program files\Common Files\Java
2011-01-26 18:53 . 2010-11-13 00:53      472808      ----a-w-      c:\windows\system32\deployJava1.dll
2011-01-26 18:49 . 2010-12-23 01:45      2336384      ----a-w-      c:\windows\system32\BootMan.exe
2011-01-26 18:49 . 2010-07-15 14:44      86408      ----a-w-      c:\windows\system32\setupempdrv03.exe
2011-01-26 18:49 . 2010-07-15 14:44      8456      ----a-w-      c:\windows\system32\EuGdiDrv.sys
2011-01-26 18:49 . 2010-07-15 14:44      13192      ----a-w-      c:\windows\system32\epmntdrv.sys
2011-01-26 18:49 . 2010-07-15 14:44      14848      ----a-w-      c:\windows\system32\EuEpmGdi.dll
2011-01-26 18:41 . 2011-01-26 18:49      --------      d-----w-      c:\program files\EASEUS
2011-01-26 18:28 . 2008-04-14 01:11      21504      -c--a-w-      c:\windows\system32\dllcache\hidserv.dll
2011-01-26 18:28 . 2008-04-14 01:11      21504      ----a-w-      c:\windows\system32\hidserv.dll
2011-01-26 18:28 . 2008-04-13 19:39      14592      -c--a-w-      c:\windows\system32\dllcache\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:39      14592      ----a-w-      c:\windows\system32\drivers\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:45      32128      -c--a-w-      c:\windows\system32\dllcache\usbccgp.sys
2011-01-26 18:28 . 2008-04-13 19:45      32128      ----a-w-      c:\windows\system32\drivers\usbccgp.sys
2011-01-25 02:38 . 2010-06-16 14:59      5588304      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{07E9068C-999A-4B16-BE22-E7553328509D}\mpengine.dll
2011-01-25 02:35 . 2011-01-25 02:35      --------      d--h--w-      c:\windows\system32\GroupPolicy
2011-01-25 02:14 . 2011-01-25 02:14      --------      d-----w-      c:\windows\TempFEF64CCA-7CD1-DB4B-53AC-309D31BC8067-Signatures
2011-01-25 02:12 . 2011-01-25 02:41      --------      d-----w-      C:\de0d2a4396998aa3183a61fd35f4f9
2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
2011-01-24 22:53 . 2011-01-24 22:57      --------      d-----w-      c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-01-20 22:57 . 2011-01-20 22:57      --------      d-----w-      c:\windows\system32\%APPDATA%
2011-01-20 19:19 . 2011-01-20 19:19      --------      d-sh--w-      c:\windows\system32\config\systemprofile\IETldCache
2011-01-20 19:19 . 2011-01-20 19:19      18297      ----a-w-      c:\windows\system32\MAI4.tmp
2011-01-20 19:17 . 2011-01-20 19:20      --------      d-----w-      c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-20 19:00 . 2011-01-20 19:00      --------      d-----w-      C:\Temp
2011-01-15 14:23 . 2011-01-15 14:57      --------      d-----w-      c:\documents and settings\Administrator\.SSRB2

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-12-21 00:09 . 2010-10-24 01:46      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-10-24 01:46      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-12-13 19:01 . 2010-06-02 00:00      53632      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-13 19:01 . 2010-06-02 00:00      83360      ----a-w-      c:\windows\system32\LMIRfsClientNP.dll
2010-12-13 19:01 . 2010-06-02 00:00      29568      ----a-w-      c:\windows\system32\LMIport.dll
2010-12-13 19:01 . 2010-06-02 00:00      87424      ----a-w-      c:\windows\system32\LMIinit.dll
2010-11-18 18:12 . 2008-04-06 03:16      81920      ----a-w-      c:\windows\system32\isign32.dll
2010-11-12 22:34 . 2008-04-07 15:52      73728      ----a-w-      c:\windows\system32\javacpl.cpl
2010-11-10 04:33 . 2010-06-22 22:00      6273872      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-11-09 14:52 . 2004-08-04 12:00      249856      ----a-w-      c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00      43520      ------w-      c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00      1469440      ------w-      c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00      385024      ----a-w-      c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00      40960      ----a-w-      c:\windows\system32\drivers\ndproxy.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-08-13 00:46      194912      ------w-      c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]

c:\documents and settings\admin\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Brock Hot Key.exe.lnk - c:\program files\Brock Supply Co\Brock Hotkey\Brock Hot Key.exe [2008-1-17 327680]
Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2009-9-21 446976]
Service Manager.lnk - c:\program files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-13 19:01      87424      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagull Drivers]
ssdal_nc.exe startup [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15      40368      ----a-w-      c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-04-25 19:28      954368      ----a-w-      c:\program files\HP\Dfawep\bin\hpbdfawep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NA1Messenger]
2009-12-02 02:36      24576      ----a-w-      c:\ups\WSTD\UPSNA1Msgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPPOLL]
2005-03-02 22:12      24576      ----a-w-      c:\program files\Topro\tppoll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 11:29 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S3 DCamUSBIntel;Digi-Microscope;c:\windows\system32\drivers\TP6800.sys [4/8/2008 9:36 AM 211680]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [1/26/2011 12:49 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [1/26/2011 12:49 PM 8456]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
Contents of the 'Scheduled Tasks' folder

2011-01-26 c:\windows\Tasks\User_Feed_Synchronization-{67A22DCE-2AE1-42B8-80D0-FCC1A2018453}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://69.21.158.138/WinWebPush.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cflive.audatex.us/cf1live/static/weblaunch/weblaunch2.cab
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
MSConfigStartUp-Adobe Updater - c:\windows\system32\AdbUpdater.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-26 15:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\

[HKEY_USERS\S-1-5-21-1659004503-1409082233-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,3f,e9,54,1a,5e,bd,47,96,85,8f,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(640)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(2448)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\java.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-01-26  15:24:16 - machine was rebooted
ComboFix-quarantined-files.txt  2011-01-26 21:24

Pre-Run: 67,614,236,672 bytes free
Post-Run: 67,736,350,720 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=30

- - End Of File - - CD0A6BE910B4ABB2A98294C2753210DA


Hope this helps, and thanks.
0
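The log above already contains the entries a reviewer would flag before reaching for another scanner: both Security Center Monitoring keys carry DisableMonitoring=1 (which is exactly the "Security Center disabled" condition Spybot keeps reporting), policies\explorer\Run loads c:\windows\system32\smime3N.dll, a DLL created on 2011-01-24 with the hidden/system/read-only attributes (--sha-r-), forty-seven At*.job tasks were deleted from c:\windows\Tasks, and a DPF entry pulls WinWebPush.cab from a bare IP address. The script below is an added example, not part of ComboFix or of this thread: it parses the line formats that appear in that log and buckets those indicators, then renders the flagged file paths as the File:: section of a CFScript.txt. SAMPLE_LOG is constructed from lines copied out of the log above; the category names and the to_cfscript helper are this example's own.

```python
"""Triage a ComboFix log for the indicators a reviewer checks first.

Added example; not part of ComboFix or of the thread.  Only the line
formats that appear in the log above are parsed.
"""
import re
from collections import defaultdict

# Constructed sample input: lines copied verbatim from the log posted above.
SAMPLE_LOG = r"""
c:\windows\Tasks\At1.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At47.job
2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
2011-01-26 18:49 . 2010-07-15 14:44      8456      ----a-w-      c:\windows\system32\EuGdiDrv.sys
2011-01-20 22:57 . 2011-01-20 22:57      --------      d-----w-      c:\windows\system32\%APPDATA%
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://69.21.158.138/WinWebPush.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cflive.audatex.us/cf1live/static/weblaunch/weblaunch2.cab
"""

# "Files Created" / Find3M entries: <mtime> . <ctime>  <size>  <attrs>  <path>
FILE_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)$")
REG_KEY = re.compile(r"^\[(?P<key>HK[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.+)$')
QUOTED_PATH = re.compile(r'^"(?P<path>[^"]+)"')
DPF_LINE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} - (?P<url>\S+)")
AT_JOB = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)
RAW_IP_URL = re.compile(r"^hxxps?://\d{1,3}(?:\.\d{1,3}){3}(?:[/:]|$)", re.IGNORECASE)


def triage(log_text):
    """Walk the log once and bucket indicators by category (names are this example's own)."""
    findings = defaultdict(list)
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = REG_VALUE.match(line)
        if m and current_key:
            name, value = m.group("name"), m.group("value").strip()
            key_l = current_key.lower()
            # Security Center told to stop monitoring: the condition Spybot keeps reporting.
            if ("security center\\monitoring" in key_l
                    and name.lower() == "disablemonitoring"
                    and value.lower() == "dword:00000001"):
                findings["security_center_disabled"].append(current_key)
            # policies\explorer\Run is an autostart that msconfig does not list.
            elif key_l.endswith("policies\\explorer\\run"):
                target = QUOTED_PATH.match(value)
                findings["policy_run"].append(
                    f"{name} -> {target.group('path') if target else value}")
            continue
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            if "s" in attrs and "h" in attrs and not attrs.startswith("d"):
                findings["hidden_system_file"].append(path)   # e.g. --sha-r- on a new DLL
            if "%" in path:
                findings["literal_env_dir"].append(path)      # unexpanded %VAR% used as a name
            continue
        m = DPF_LINE.match(line)
        if m:
            if RAW_IP_URL.match(m.group("url")):
                findings["dpf_raw_ip"].append(m.group("url"))  # ActiveX .cab from a bare IP
            continue
        if AT_JOB.search(line):
            findings["at_jobs"].append(line)                   # mass At*.job persistence
    return dict(findings)


def to_cfscript(findings):
    """Render flagged file paths as the File:: section of a CFScript.txt
    (the directive the script later in this thread uses)."""
    paths = list(findings.get("hidden_system_file", []))
    paths += [entry.split(" -> ", 1)[1] for entry in findings.get("policy_run", [])]
    unique = list(dict.fromkeys(paths))  # dedupe, keep order
    return "File::\n" + "\n".join(unique) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for category, hits in found.items():
        print(f"{category}: {len(hits)}")
        for hit in hits:
            print("   ", hit)
    print(to_cfscript(found))
```

Note what the attribute heuristics do not flag: EuGdiDrv.sys, epmntdrv.sys and EuEpmGdi.dll were written at 18:49 in the same minute as c:\program files\EASEUS and carry plain ----a-w- attributes, so a driver like that deserves a look at its vendor folder and signature before it goes into a File:: entry. The script only reads the log; it does not touch the registry or the file system.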
 

Author Comment

by:speednutt
ID: 34706510
Also, I just tried to reinstall Security Essentials, and after it tries to install it gives error code 0x80070643 (not a BSOD code).

thanks
0
 
LVL 13

Expert Comment

by:BCipollone
ID: 34707114
0
 
LVL 13

Expert Comment

by:BCipollone
ID: 34707125
0
 
LVL 23

Expert Comment

by:phototropic
ID: 34707213
Looks like the rootkit is still there.  Try a scan with Unhackme:

http://www.greatis.com/unhackme/download.htm

Download and install the trial version. Click on "Check me now!" - if it says no Trojan is found, click OK, then select "Test Windows boot process". Agree to the reboot. The PC will reboot.
The program will now load and run before your desktop loads. Then it will say "You have a number of suspicious programs." Click on "Fix Programs".
It will set a restore point, then give you a list of boot processes. For each one, you can select "Get it out!", "False positive" or "I'm not sure...", which gives you a report on how bad/good the program may be.
I usually terminate anything assessed to be over 30% "bad".
The app will then need to reboot.
Once the PC is clean, you should uninstall UnHackMe - it is a very intrusive program.

0
 
LVL 13

Expert Comment

by:BCipollone
ID: 34707231
And if none of that works, a fresh install is always a good route ;)
0
 

Author Comment

by:speednutt
ID: 34709153
I have tried the Microsoft Fix it tool. No luck. I tried the scan with UnHackMe and it didn't come up with anything dangerous. All the files, if looked at, are my normal program files.

I am about ready to do a complete reinstall, but this computer is for a business and that is only an absolute last resort, as there are lots of files that would take days to redo.

Any other suggestions? I am all ears.

Let's hear some thoughts on doing a repair install of Windows. Do you think that could solve it?

I know, I am grasping at straws.

Thanks for all the suggestions thus far.
0
 
LVL 27

Assisted Solution

by:Jonvee
Jonvee earned 800 total points
ID: 34709335
Try running Rkill.  It is a small, freeware and portable tool designed to terminate active malware processes:
http://www.technibble.com/rkill-repair-tool-of-the-week/

Then re-try Microsoft Security Essentials to see if there's an improvement.

If unresolved and you'd like to use one more scanner, download Dr.Web CureIt!.
Double-click on the downloaded file.
Choose a desired protection mode.
http://www.freedrweb.com/cureit/?lng=en
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34709407
IMHO an attempt at a repair install is unlikely to improve the situation, but others may not agree... I appreciate a reformat is your last resort.

Another possible option is to select "Request Attention" at the top right of this thread, and request that this question is also entered in the HijackThis TA, where hopefully rpggamergirl (if she's around) can expertly analyse your ComboFix log and provide a small script for a ComboFix re-run.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34709427
Speaking of which... have a look under the sub-heading "Scan for rootkits" in one of her articles and you'll see Gmer and RootRepeal; they're worth trying >>

http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1979-THINGS-YOU-NEED-TO-DO-WHEN-YOUR-PC-IS-INFECTED.html
0
 

Author Comment

by:speednutt
ID: 34713812
OK all, I have done all of the recommendations as listed. I am still fighting it. I know it can be fixed, as when I run RKill at least I am able to start and update Security Essentials. However, it is right back after a restart. I tried to run all available scans to find the culprit after RKill as well.

I have also cloned the drive now. I am willing to do some riskier tricks to get this thing cured, as I know I have a backup if I get carried away.

Thanks for all the suggestions thus far.

0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34714709
  >>willing to do some riskier tricks<<

Okay... well, I have recognised two nasties at least in the ComboFix log. Will compose a script and get back to you within the hour, hopefully.
0
 
LVL 11

Expert Comment

by:ocanada_techguy
ID: 34714807
Some malware is so much of a moving target that no anti-malware can fix it. Even the best anti-virus only catches about 95%. Yours may be in that 5%. There's probably some undetected part of the malware that is re-installing the rest of it, so even if you clean it, it'll come back.

Understand that an in-place reinstall won't remedy the issue, because by its very nature an in-place reinstall retains the user settings AND all the programs that have been added to the OS; it only replaces the OS files themselves.

You might try, under Safe Mode, to use System Restore to put the system back to the way it was up to 30 days ago, IF whenever that was is before this infestation hooked itself into the OS/registry. But there's still a risk that some other portion will re-add itself. No firewall will stop it, because it is not an intrusion initiated from outside; it is inside reaching out to get it.

You probably have to build a new box/hard drive, and then migrate the user's documents, purchased downloads, photos, and the often forgotten: favorites, email local storage, address book (some email, such as Hotmail, Gmail, Yahoo or an Exchange server, is kept on the server anyway). Make an inventory list of all the programs that need to be put on; maybe they don't all have to go on today necessarily. Keep the old drive on a shelf in case something was forgotten, so it can be obtained.

You've likely now exceeded the time required to rebuild by trying to fix it, and you've already made a more than thorough attempt. I know it seems like you've almost got it, but you may be stuck at "almost" forever.

Besides, the risk to the rest of the machines on the enterprise side of the firewall is too great.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34714902
If you're still willing to run a script, here we are. I have included the appropriate instructions:


1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
======================================================

File::
c:\windows\system32\EuEpmGdi.dll
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys

Folder::
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys


==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix & hopefully remove the problem.

Then, quickly re-run HitmanPro or Malwarebytes, the aim being to remove any remaining malware fragments, *before* you reboot the computer again.

5. Finally, please attach the new ComboFix logfile.

Worth a try, I believe... and good luck.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34714984
My last comment was obviously done in a hurry, and it may not catch everything... worth trying nevertheless!
May I suggest you run 2 or 3 of the best scanners you were given earlier, *before* you re-boot or re-start.

These last comments are with great respect for the last posting by ocanada_tec…, which I agree does sound logical if there's a serious time constraint.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34715028
New version of script will be with you in 5 minutes.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34715086
1. Open Notepad.
2. Copy & paste all text between the lines below, into Notepad window:
======================================================

File::
c:\windows\system32\EuEpmGdi.dll
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys

Folder::
c:\windows\system32\EuGdiDrv.sys
c:\windows\system32\epmntdrv.sys

Drivers::
\Legacy_6TO4
\Legacy_SSHNAS
\Service_6to4

Services::
\Legacy_6TO4
\Legacy_SSHNAS
\Service_6to4


==================================================
3. Now Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix & hopefully remove the problem.

Then, quickly re-run HitmanPro or Malwarebytes, the aim being to remove any remaining malware fragments, *before* you reboot the computer again.

5. Finally, please attach the new ComboFix logfile.
0
 

Author Comment

by:speednutt
ID: 34715137
OK, I will run the script. Be back with results shortly.
0
 

Author Comment

by:speednutt
ID: 34718602
OK, here is the report after running the script. Unfortunately, still the same result. I have to run RKill to get Security Essentials to start up and run.

ComboFix 11-01-27.01 - testing 01/27/2011  14:42:00.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.685 [GMT -6:00]
Running from: c:\documents and settings\testing\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\testing\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FILE ::
"c:\windows\system32\epmntdrv.sys"
"c:\windows\system32\EuEpmGdi.dll"
"c:\windows\system32\EuGdiDrv.sys"
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\epmntdrv.sys
c:\windows\system32\EuEpmGdi.dll
c:\windows\system32\EuGdiDrv.sys

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_epmntdrv
-------\Legacy_EuGdiDrv
-------\Service_epmntdrv
-------\Service_EuGdiDrv


(((((((((((((((((((((((((   Files Created from 2010-12-27 to 2011-01-27  )))))))))))))))))))))))))))))))
.

2011-01-27 17:59 . 2011-01-13 07:41      5890896      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C0B4DEB8-89B1-40AF-972B-CE30B7299DA7}\mpengine.dll
2011-01-27 02:27 . 2011-01-27 02:27      2      --shatr-      c:\windows\winstart.bat
2011-01-27 02:27 . 2011-01-27 02:35      --------      d-----w-      c:\program files\UnHackMe
2011-01-27 02:21 . 2011-01-27 02:22      --------      d-----w-      c:\documents and settings\testing
2011-01-27 02:17 . 2011-01-27 02:18      --------      d-----w-      c:\program files\Microsoft Security Client
2011-01-26 21:40 . 2011-01-26 21:40      --------      d-----w-      c:\program files\Sophos
2011-01-26 18:53 . 2011-01-26 18:53      --------      d-----w-      c:\program files\Common Files\Java
2011-01-26 18:53 . 2010-11-13 00:53      472808      ----a-w-      c:\windows\system32\deployJava1.dll
2011-01-26 18:49 . 2010-12-23 01:45      2336384      ----a-w-      c:\windows\system32\BootMan.exe
2011-01-26 18:49 . 2010-07-15 14:44      86408      ----a-w-      c:\windows\system32\setupempdrv03.exe
2011-01-26 18:41 . 2011-01-26 18:49      --------      d-----w-      c:\program files\EASEUS
2011-01-26 18:28 . 2008-04-14 01:11      21504      -c--a-w-      c:\windows\system32\dllcache\hidserv.dll
2011-01-26 18:28 . 2008-04-14 01:11      21504      ----a-w-      c:\windows\system32\hidserv.dll
2011-01-26 18:28 . 2008-04-13 19:39      14592      -c--a-w-      c:\windows\system32\dllcache\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:39      14592      ----a-w-      c:\windows\system32\drivers\kbdhid.sys
2011-01-26 18:28 . 2008-04-13 19:45      32128      -c--a-w-      c:\windows\system32\dllcache\usbccgp.sys
2011-01-26 18:28 . 2008-04-13 19:45      32128      ----a-w-      c:\windows\system32\drivers\usbccgp.sys
2011-01-25 02:35 . 2011-01-25 02:35      --------      d--h--w-      c:\windows\system32\GroupPolicy
2011-01-25 02:14 . 2011-01-25 02:14      --------      d-----w-      c:\windows\TempFEF64CCA-7CD1-DB4B-53AC-309D31BC8067-Signatures
2011-01-25 02:12 . 2011-01-27 02:50      --------      d-----w-      C:\junk
2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
2011-01-24 22:53 . 2011-01-24 22:57      --------      d-----w-      c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-01-20 22:57 . 2011-01-20 22:57      --------      d-----w-      c:\windows\system32\%APPDATA%
2011-01-20 19:19 . 2011-01-20 19:19      --------      d-sh--w-      c:\windows\system32\config\systemprofile\IETldCache
2011-01-20 19:19 . 2011-01-20 19:19      18297      ----a-w-      c:\windows\system32\MAI4.tmp
2011-01-20 19:17 . 2011-01-20 19:20      --------      d-----w-      c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-01-20 19:00 . 2011-01-20 19:00      --------      d-----w-      C:\Temp
2011-01-15 14:23 . 2011-01-15 14:57      --------      d-----w-      c:\documents and settings\Administrator\.SSRB2

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 07:41 . 2010-06-22 22:00      5890896      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-12-21 00:09 . 2010-10-24 01:46      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-21 00:08 . 2010-10-24 01:46      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
2010-12-13 19:01 . 2010-06-02 00:00      53632      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2010-12-13 19:01 . 2010-06-02 00:00      83360      ----a-w-      c:\windows\system32\LMIRfsClientNP.dll
2010-12-13 19:01 . 2010-06-02 00:00      29568      ----a-w-      c:\windows\system32\LMIport.dll
2010-12-13 19:01 . 2010-06-02 00:00      87424      ----a-w-      c:\windows\system32\LMIinit.dll
2010-11-18 18:12 . 2008-04-06 03:16      81920      ----a-w-      c:\windows\system32\isign32.dll
2010-11-12 22:34 . 2008-04-07 15:52      73728      ----a-w-      c:\windows\system32\javacpl.cpl
2010-11-09 14:52 . 2004-08-04 12:00      249856      ----a-w-      c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 12:00      916480      ----a-w-      c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 12:00      43520      ------w-      c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 12:00      1469440      ------w-      c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2004-08-04 12:00      385024      ----a-w-      c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 12:00      40960      ----a-w-      c:\windows\system32\drivers\ndproxy.sys
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-08-13 00:46      194912      ------w-      c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]

c:\documents and settings\admin\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Brock Hot Key.exe.lnk - c:\program files\Brock Supply Co\Brock Hotkey\Brock Hot Key.exe [2008-1-17 327680]
Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2009-9-21 446976]
Service Manager.lnk - c:\program files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Taskman"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-12-13 19:01      87424      ----a-w-      c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagull Drivers]
ssdal_nc.exe startup [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-24 09:15      40368      ----a-w-      c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
2007-04-25 19:28      954368      ----a-w-      c:\program files\HP\Dfawep\bin\hpbdfawep.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NA1Messenger]
2009-12-02 02:36      24576      ----a-w-      c:\ups\WSTD\UPSNA1Msgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPPOLL]
2005-03-02 22:12      24576      ----a-w-      c:\program files\Topro\tppoll.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6160:TCP"= 6160:TCP:Seagull Driver Networking

R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 11:29 AM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
S3 DCamUSBIntel;Digi-Microscope;c:\windows\system32\drivers\TP6800.sys [4/8/2008 9:36 AM 211680]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
Contents of the 'Scheduled Tasks' folder

2011-01-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]

2011-01-27 c:\windows\Tasks\User_Feed_Synchronization-{67A22DCE-2AE1-42B8-80D0-FCC1A2018453}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
.
.
------- Supplementary Scan -------
.
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://69.21.158.138/WinWebPush.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cflive.audatex.us/cf1live/static/weblaunch/weblaunch2.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-27 14:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ...

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\35.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3372)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\windows\system32\java.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
c:\windows\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2011-01-27  14:53:49 - machine was rebooted
ComboFix-quarantined-files.txt  2011-01-27 20:53

Pre-Run: 66,960,146,432 bytes free
Post-Run: 66,977,177,600 bytes free

- - End Of File - - 61B406892BBD060A1477547BE601D139


It is looking more and more like I will have to start over with a new drive.

Thanks for all the help and suggestions. At least now the system is manageable with Rkill.
0
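As an added example for this thread (my code, not ComboFix's and not from any contributor here), a small Python triage script run over excerpts of the log above. It flags the entries a reviewer would want to check by hand: the loader under policies\explorer\Run, the Security Center DisableMonitoring values, the service whose image is a .tmp file, and any autostart whose target ComboFix listed with hidden or system attributes. The sample log is constructed from lines of the posted report, and the severity labels are my own.

```python
"""Added triage helper for the 'Reg Loading Points' part of a ComboFix log.

Example code written for this thread, not ComboFix's own tooling: it walks the
log once, remembers files ComboFix listed with hidden/system attributes, then
flags autostarts and services a reviewer would check by hand.  Severities are mine.
"""
import ntpath  # basename() for Windows paths, whatever the host OS
import re

# Constructed sample: excerpts copied from the log posted above.
SAMPLE_LOG = r"""
2011-01-26 21:40 . 2011-01-26 21:40      --------      d-----w-      c:\program files\Sophos
2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
2011-01-20 19:19 . 2011-01-20 19:19      18297      ----a-w-      c:\windows\system32\MAI4.tmp

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 11:29 AM 374152]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
"""

# "created . modified  size  attrs  path" lines from the Files Created / Find3M sections
FILE_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+\S+\s+"
                     r"(?P<attr>[-a-z]{8})\s+(?P<path>.+?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")            # [HKEY_...] section header
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')    # "name"=data
SERVICE_RE = re.compile(r"^[RS]\d (?P<name>[^;]+);[^;]*;(?P<rest>.+)$")  # R2 name;display;image


def _quoted_path(data):
    """Return the quoted path at the start of value data, or an empty string."""
    m = re.match(r'^"(?P<path>[^"]*)"', data)
    return m.group("path") if m else ""


def _dword(data):
    """Decode REG_DWORD data written as dword:XXXXXXXX; None for anything else."""
    m = re.fullmatch(r"dword:([0-9a-fA-F]{8})", data.strip())
    return int(m.group(1), 16) if m else None


def triage(log_text):
    """Return (severity, message) pairs for entries worth a manual look."""
    findings = []
    special_files = {}  # lowercase basename -> attribute string, for hidden/system files
    current_key = ""
    for line in log_text.splitlines():
        if m := FILE_RE.match(line):
            attr = m.group("attr")
            if "h" in attr or "s" in attr:  # ComboFix prints h/s for hidden/system
                special_files[ntpath.basename(m.group("path")).lower()] = attr
        elif m := KEY_RE.match(line):
            current_key = m.group("key").lower()
        elif m := VALUE_RE.match(line):
            name, data = m.group("name"), m.group("data")
            path = _quoted_path(data)
            if r"policies\explorer\run" in current_key and path:
                # A loader location that legitimate installers rarely use
                findings.append(("high", f"autostart under policies\\explorer\\Run: {name} -> {path}"))
            in_monitoring = r"security center\monitoring" in current_key
            if in_monitoring and name.lower() == "disablemonitoring" and _dword(data):
                findings.append(("medium", f"Security Center monitoring disabled at {current_key}"))
            base = ntpath.basename(path).lower()
            if base in special_files:
                findings.append(("high", f"autostart target {base} has attributes {special_files[base]}"))
        elif m := SERVICE_RE.match(line):
            image = m.group("rest").split(" --> ")[0].split(" [")[0]
            if image.lower().endswith(".tmp"):
                # May be a scanner's own driver (Sophos went on the day before); verify, don't assume
                findings.append(("medium", f"service {m.group('name')} loads from temp file {image}"))
    return findings


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

Run against the full log, the same parser also picks up the Find3M section, since ComboFix prints file lines there in the same layout.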
 
LVL 27

Expert Comment

by:Jonvee
ID: 34721957
Pity the script writing wasn't successful.   So good luck with the new drive.
0
 
LVL 38

Expert Comment

by:younghv
ID: 34723629
@speednutt,
You had a lot of great advice, but I didn't see anywhere that you had cleaned all of the Temp/Junk files from the normal user's account.

Malware will very often reside in those folders and continually re-infect the system.

A very simple (and free) tool I use is from www.ccleaner.com - but it needs to be run from each profile on the computer.

There is another good cleaner program out there (the name escapes me) that will clear all profiles with one run.
0
 

Author Comment

by:speednutt
ID: 34731275
Well everyone, I would call this one a wrap. We tried everything mentioned (I mean everything) and I still came up a bit short. That's the breaks. I did learn a great deal from all that contributed, though, so that is worth something.

I am going to do a fresh install on a new drive and take a look back at this drive in a couple of weeks or so. Maybe something will give then.

The next question: how is it recommended that I apply the points that I offered for your help? I know that there were several that contributed and some answers were more in depth than others, so I would like to apply the points the best way possible. If there were only a couple of responses it would be a lot easier.

I do appreciate everyone's help and that is why I pay my monthly fees even though I haven't used the service as much as I probably should.

Thanks much.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34732808
speednutt,
Glad to help, but wish we could have resolved it!  

Suggest the points are equally shared between those you feel contributed something of use for your future troubleshooting, as well as our attempts at restoring the drive. Rkill obviously contributed something, but I'll go along with whatever you all decide.

Have to log off now for ~48 hours, so I'm taking the easy way out!
It's over to the others for their thoughts....!!
0
 
LVL 6

Expert Comment

by:originalbiffmalibu
ID: 34734067
Distribute the points the way you see fit.  The posts that have information that benefits you in the future are sure to earn something.  I wish we could have helped.  There was a lot of effort and good suggestions.
0
 

Author Closing Comment

by:speednutt
ID: 34735963
Thanks for all the help. Also, thanks for being so quick in your response times. If there were a way to give the points to everyone I would have done that.
0
 

Author Comment

by:speednutt
ID: 34869027
Just wanted to update everyone that the problem has finally been solved. I ran Hitman Pro 3.5 for a second time and it found the rootkit and successfully cleared it out. Mission accomplished, and thanks so much for everyone's help in this matter. I didn't have to wipe the drive and all the data was saved.

I can't thank you all enough.
0
 
LVL 27

Expert Comment

by:Jonvee
ID: 34869699
It's very rewarding for us all to get this kind of feedback... thank you!
Glad you were able to recover all data.
0
 
LVL 23

Expert Comment

by:phototropic
ID: 34870767
Glad to hear that your problem is resolved.
0
