Solved

Microsoft.WindowsSecurityCenter_disabled Problem virus

Posted on 2011-01-26
2,705 Views
Last Modified: 2013-11-22
Hello all, I am cleaning viruses from a machine, and Spybot keeps coming up and removing the virus - Microsoft.WindowsSecurityCenter_disabled Problem virus. I have restarted the Security Center service, but within 30 seconds it is back off again.

I have run Malwarebytes, Spybot, TDSSKiller, and a host of other programs to no avail.

I have updated my Java and removed all older versions as well.

I was running Microsoft Security Essentials; however, this virus disabled it and I am not able to open, update or scan with Security Essentials now.

After checking all over the web for an instance that seemed to fit my situation, I can't find anything, so here I am asking for help.
0
Question by:speednutt
    32 Comments
     
    LVL 6

    Accepted Solution

    by:
    Did you run combofix yet?
    0
     
    LVL 4

    Expert Comment

    by:Ara-
    Did you run the scans in safe mode?
    0
     
    LVL 23

    Assisted Solution

    by:phototropic
    Hitman Pro is another good scanner:

     http://www.surfright.nl/en/home/

    If you do run Combofix, post the log for review.
    0
     
    LVL 25

    Expert Comment

    by:Thomas Zucker-Scharff
    You also might have a rootkit.  Scan for rootkits using one of the tools reviewed in this article:

    http://www.experts-exchange.com/Virus_and_Spyware/Anti-Virus/A_2245-Anti-rootkit-software.html

    You should scan with at least 3 anti-rootkit tools - they all detect differently.  IF you find and clean something be sure to scan again with regular anti-malware app.
    0
     

    Author Comment

    by:speednutt
OK, I ran ComboFix and this is the report. I am still unable to run the Security Center.

    ComboFix 11-01-25.05 - Administrator 01/26/2011  15:13:06.1.1 - x86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.647 [GMT -6:00]
    Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Application Data\install
    c:\documents and settings\Administrator\Application Data\install_pal
    c:\documents and settings\Administrator\Application Data\PriceGong
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\1.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\a.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\b.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\c.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\d.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\e.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\f.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\g.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\h.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\i.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\J.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\k.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\l.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\m.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\mru.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\n.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\o.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\p.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\q.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\r.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\s.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\t.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\u.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\v.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\w.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\x.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\y.xml
    c:\documents and settings\Administrator\Application Data\PriceGong\Data\z.xml
    c:\documents and settings\Administrator\Application Data\uid_pal
    c:\windows\system32\drivers\etc\lmhosts
    c:\windows\system32\User.ini
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At25.job
    c:\windows\Tasks\At26.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At28.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At30.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At32.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At34.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At36.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At38.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At40.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At42.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At44.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At46.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Legacy_SSHNAS
    -------\Service_6to4


    (((((((((((((((((((((((((   Files Created from 2010-12-26 to 2011-01-26  )))))))))))))))))))))))))))))))
    .

    2011-01-26 19:14 . 2011-01-26 19:14      --------      d-----w-      C:\TDSSKiller_Quarantine
    2011-01-26 18:53 . 2011-01-26 18:53      --------      d-----w-      c:\program files\Common Files\Java
    2011-01-26 18:53 . 2010-11-13 00:53      472808      ----a-w-      c:\windows\system32\deployJava1.dll
    2011-01-26 18:49 . 2010-12-23 01:45      2336384      ----a-w-      c:\windows\system32\BootMan.exe
    2011-01-26 18:49 . 2010-07-15 14:44      86408      ----a-w-      c:\windows\system32\setupempdrv03.exe
    2011-01-26 18:49 . 2010-07-15 14:44      8456      ----a-w-      c:\windows\system32\EuGdiDrv.sys
    2011-01-26 18:49 . 2010-07-15 14:44      13192      ----a-w-      c:\windows\system32\epmntdrv.sys
    2011-01-26 18:49 . 2010-07-15 14:44      14848      ----a-w-      c:\windows\system32\EuEpmGdi.dll
    2011-01-26 18:41 . 2011-01-26 18:49      --------      d-----w-      c:\program files\EASEUS
    2011-01-26 18:28 . 2008-04-14 01:11      21504      -c--a-w-      c:\windows\system32\dllcache\hidserv.dll
    2011-01-26 18:28 . 2008-04-14 01:11      21504      ----a-w-      c:\windows\system32\hidserv.dll
    2011-01-26 18:28 . 2008-04-13 19:39      14592      -c--a-w-      c:\windows\system32\dllcache\kbdhid.sys
    2011-01-26 18:28 . 2008-04-13 19:39      14592      ----a-w-      c:\windows\system32\drivers\kbdhid.sys
    2011-01-26 18:28 . 2008-04-13 19:45      32128      -c--a-w-      c:\windows\system32\dllcache\usbccgp.sys
    2011-01-26 18:28 . 2008-04-13 19:45      32128      ----a-w-      c:\windows\system32\drivers\usbccgp.sys
    2011-01-25 02:38 . 2010-06-16 14:59      5588304      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{07E9068C-999A-4B16-BE22-E7553328509D}\mpengine.dll
    2011-01-25 02:35 . 2011-01-25 02:35      --------      d--h--w-      c:\windows\system32\GroupPolicy
    2011-01-25 02:14 . 2011-01-25 02:14      --------      d-----w-      c:\windows\TempFEF64CCA-7CD1-DB4B-53AC-309D31BC8067-Signatures
    2011-01-25 02:12 . 2011-01-25 02:41      --------      d-----w-      C:\de0d2a4396998aa3183a61fd35f4f9
    2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
    2011-01-24 22:53 . 2011-01-24 22:57      --------      d-----w-      c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-01-20 22:57 . 2011-01-20 22:57      --------      d-----w-      c:\windows\system32\%APPDATA%
    2011-01-20 19:19 . 2011-01-20 19:19      --------      d-sh--w-      c:\windows\system32\config\systemprofile\IETldCache
    2011-01-20 19:19 . 2011-01-20 19:19      18297      ----a-w-      c:\windows\system32\MAI4.tmp
    2011-01-20 19:17 . 2011-01-20 19:20      --------      d-----w-      c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-01-20 19:00 . 2011-01-20 19:00      --------      d-----w-      C:\Temp
    2011-01-15 14:23 . 2011-01-15 14:57      --------      d-----w-      c:\documents and settings\Administrator\.SSRB2

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-21 00:09 . 2010-10-24 01:46      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 00:08 . 2010-10-24 01:46      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
    2010-12-13 19:01 . 2010-06-02 00:00      53632      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2010-12-13 19:01 . 2010-06-02 00:00      83360      ----a-w-      c:\windows\system32\LMIRfsClientNP.dll
    2010-12-13 19:01 . 2010-06-02 00:00      29568      ----a-w-      c:\windows\system32\LMIport.dll
    2010-12-13 19:01 . 2010-06-02 00:00      87424      ----a-w-      c:\windows\system32\LMIinit.dll
    2010-11-18 18:12 . 2008-04-06 03:16      81920      ----a-w-      c:\windows\system32\isign32.dll
    2010-11-12 22:34 . 2008-04-07 15:52      73728      ----a-w-      c:\windows\system32\javacpl.cpl
    2010-11-10 04:33 . 2010-06-22 22:00      6273872      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-11-09 14:52 . 2004-08-04 12:00      249856      ----a-w-      c:\windows\system32\odbc32.dll
    2010-11-06 00:26 . 2004-08-04 12:00      916480      ----a-w-      c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-04 12:00      43520      ------w-      c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-08-04 12:00      1469440      ------w-      c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-08-04 12:00      385024      ----a-w-      c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-08-04 12:00      40960      ----a-w-      c:\windows\system32\drivers\ndproxy.sys
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2010-08-13 00:46      194912      ------w-      c:\program files\Yontoo Layers Client\YontooIEClient.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]

    c:\documents and settings\admin\Start Menu\Programs\Startup\
    OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Brock Hot Key.exe.lnk - c:\program files\Brock Supply Co\Brock Hotkey\Brock Hot Key.exe [2008-1-17 327680]
    Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2009-9-21 446976]
    Service Manager.lnk - c:\program files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe [2005-5-3 81920]
    UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
    UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2010-12-13 19:01      87424      ----a-w-      c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
    path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
    backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagull Drivers]
    ssdal_nc.exe startup [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-24 09:15      40368      ----a-w-      c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
    2007-04-25 19:28      954368      ----a-w-      c:\program files\HP\Dfawep\bin\hpbdfawep.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NA1Messenger]
    2009-12-02 02:36      24576      ----a-w-      c:\ups\WSTD\UPSNA1Msgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPPOLL]
    2005-03-02 22:12      24576      ----a-w-      c:\program files\Topro\tppoll.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6160:TCP"= 6160:TCP:Seagull Driver Networking

    R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 11:29 AM 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
    R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
    S3 DCamUSBIntel;Digi-Microscope;c:\windows\system32\drivers\TP6800.sys [4/8/2008 9:36 AM 211680]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [1/26/2011 12:49 PM 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [1/26/2011 12:49 PM 8456]
    S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-26 c:\windows\Tasks\User_Feed_Synchronization-{67A22DCE-2AE1-42B8-80D0-FCC1A2018453}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Connection Wizard,ShellNext = iexplore
    DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://69.21.158.138/WinWebPush.cab
    DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cflive.audatex.us/cf1live/static/weblaunch/weblaunch2.cab
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    MSConfigStartUp-Adobe Updater - c:\windows\system32\AdbUpdater.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-26 15:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...  

    scanning hidden autostart entries ...

    scanning hidden files ...  

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\

    [HKEY_USERS\S-1-5-21-1659004503-1409082233-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d2,3f,e9,54,1a,5e,bd,47,96,85,8f,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(640)
    c:\windows\system32\LMIinit.dll
    c:\windows\system32\LMIRfsClientNP.dll

    - - - - - - - > 'explorer.exe'(2448)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\windows\system32\java.exe
    c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
    c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-26  15:24:16 - machine was rebooted
    ComboFix-quarantined-files.txt  2011-01-26 21:24

    Pre-Run: 67,614,236,672 bytes free
    Post-Run: 67,736,350,720 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    [spybotsd]
    timeout.old=30

    - - End Of File - - CD0A6BE910B4ABB2A98294C2753210DA


Hope this helps, and thanks.
    0
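Added example (my own code, not ComboFix's and not anything the original poster or the experts in this thread wrote): a small Python triage pass over the log posted above. It pulls the "Files Created" and "Reg Loading Points" lines apart and flags the patterns that matter for this symptom: a non-directory file carrying both the hidden and system attributes (the `--sha-r-` smime3N.dll in system32), a created path containing a literal `%APPDATA%` token, any value under policies\explorer\Run (an autostart location that legitimate software rarely uses, and which in this log points at that same DLL), and Security Center's DisableMonitoring set to 1. The heuristics and severity labels are my assumptions; the embedded sample log is a constructed excerpt of the log above. Flagged files and folders are printed in the File:: / Folder:: layout that ComboFix's CFScript.txt accepts, so the output can be reviewed and pasted; registry hits are only reported.

```python
r"""Triage a ComboFix log for the persistence indicators this thread is chasing.

The heuristics below are this example's own (ComboFix does not apply them):
  * a non-directory file with both the hidden (h) and system (s) attributes,
  * a literal, unexpanded environment-variable token such as %APPDATA% in a path,
  * any value under ...\policies\explorer\Run, an autostart key that legitimate
    software rarely uses,
  * Security Center "DisableMonitoring" set to 1.
Flagged files and folders are emitted in the File:: / Folder:: layout used by
ComboFix's CFScript.txt; registry hits are only reported.
"""
import re
from typing import List, Tuple

# Constructed excerpt of the log posted above, in ComboFix's own line layout.
SAMPLE_LOG = r"""
(((((((((((((((((((((((((   Files Created from 2010-12-26 to 2011-01-26  )))))))))))))))))))))))))))))))
2011-01-26 18:53 . 2010-11-13 00:53      472808      ----a-w-      c:\windows\system32\deployJava1.dll
2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
2011-01-20 22:57 . 2011-01-20 22:57      --------      d-----w-      c:\windows\system32\%APPDATA%
2011-01-20 19:19 . 2011-01-20 19:19      --------      d-sh--w-      c:\windows\system32\config\systemprofile\IETldCache
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
"""

# "<created> . <modified>  <size or -------->  <attrs>  <path>"; attrs is an
# 8-character flag string where 'd' = directory, 's' = system, 'h' = hidden.
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d"
    r"\s+(?:\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>\S.*?)\s*$"
)
KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+?)\s*$')
ENV_TOKEN = re.compile(r"%[A-Za-z_]+%")

# (severity, indicator, detail, kind) with kind in {"file", "dir", "reg"}
Finding = Tuple[str, str, str, str]


def parse_registry(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (key, value_name, data) for every value line under a [key] header."""
    entries, key = [], None
    for line in lines:
        k = KEY_LINE.match(line)
        if k:
            key = k.group("key")
            continue
        v = VALUE_LINE.match(line)
        if v and key:
            entries.append((key, v.group("name"), v.group("data")))
    return entries


def triage(log_text: str) -> List[Finding]:
    """Apply the heuristics above to a whole ComboFix log and return the findings."""
    lines = [l.strip() for l in log_text.splitlines()]
    findings: List[Finding] = []
    hidden_system = set()  # lower-cased paths of hidden+system files, for cross-referencing

    for m in filter(None, map(FILE_LINE.match, lines)):
        attrs, path = m.group("attrs"), m.group("path")
        kind = "dir" if attrs[0] == "d" else "file"
        if kind == "file" and "s" in attrs and "h" in attrs:
            hidden_system.add(path.lower())
            findings.append(("high", "hidden+system file", path, kind))
        if ENV_TOKEN.search(path):
            findings.append(("medium", "unexpanded env token in path", path, kind))

    for key, name, data in parse_registry(lines):
        k = key.lower()
        if k.endswith(r"policies\explorer\run"):
            # data looks like "<path>" [date size]; take the quoted path
            target = data.split('"')[1].lower() if data.startswith('"') else data.lower()
            sev = "high" if target in hidden_system else "medium"
            findings.append((sev, "policies\\explorer\\Run autostart", f"{name} -> {target}", "reg"))
        elif r"security center\monitoring" in k and name.lower() == "disablemonitoring":
            if data.lower().startswith("dword:") and int(data.split(":", 1)[1], 16) == 1:
                findings.append(("medium", "Security Center monitoring disabled", key, "reg"))
    return findings


def cfscript(findings: List[Finding]) -> str:
    """Format flagged paths as CFScript File:: and Folder:: sections (registry hits skipped)."""
    files = sorted({d for _, _, d, kind in findings if kind == "file"})
    dirs = sorted({d for _, _, d, kind in findings if kind == "dir"})
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if dirs:
        sections.append("Folder::\n" + "\n".join(dirs))
    return "\n\n".join(sections) + ("\n" if sections else "")


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for sev, indicator, detail, _ in results:
        print(f"[{sev:6}] {indicator}: {detail}")
    print(cfscript(results))
```

Run it against a full log saved from ComboFix (`triage(open("ComboFix.txt").read())`) rather than the excerpt; the cross-reference between a policies\explorer\Run value and a hidden+system file is what turns two medium-looking lines into one high-confidence persistence chain, which is the kind of link a single scanner's verdict does not show.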
     

    Author Comment

    by:speednutt
Also, I just tried to reinstall Security Essentials, and after it tries to install it gives error code 0x80070643 (not a BSOD code).

    thanks
    0
     
    LVL 23

    Expert Comment

    by:phototropic
    Looks like the rootkit is still there.  Try a scan with Unhackme:

    http://www.greatis.com/unhackme/download.htm

    Download and install the trial version. Click on "Check me now!" - if it says no Trojan is found, click OK, then select "Test Windows boot process". Agree the reboot. The pc will reboot.
    The program will now load and run before your desktop loads. Then it will say "You have a number of suspicious programs." Click on "Fix Programs".
    It will set a restore point, then give you a list of boot processes. For each one, you can select "Get it out!", "False positive" or "I'm not sure..." which gives you a report on how bad/good the program may be.
    I usually terminate anything assessed to be over 30% "bad".
    The app. will then need to reboot.
    Once the pc is clean, you should uninstall Unhackme - it is a very intrusive program.

    0
     
    LVL 13

    Expert Comment

    by:BCipollone
    And if none of that works a fresh install is always a good route ;)
    0
     

    Author Comment

    by:speednutt
I have tried the Microsoft Fix it tool. No luck. I tried the scan with UnHackMe and it didn't come up with anything dangerous. All the files I looked at are my normal program files.

I am about ready to do a complete reinstall, but this computer is for a business and that is only an absolute last resort, as there are lots of files that would take days to redo.

Any other suggestions? I am all ears.

Let's hear some thoughts on doing a repair install of Windows. Do you think that could solve it?

I know, I am grasping at straws.

    thanks for all the suggestions thus far.
    0
     
    LVL 27

    Assisted Solution

    by:Jonvee
Try running Rkill. It is a small, freeware, portable tool designed to terminate active malware processes:
    http://www.technibble.com/rkill-repair-tool-of-the-week/

Then re-try Microsoft Security Essentials to see if there's an improvement.

    If unresolved and you'd like to use one more scanner, download Dr.Web CureIt!.
    Double-click on the downloaded file.
    Choose a desired protection mode.
    http://www.freedrweb.com/cureit/?lng=en
    0
     
    LVL 27

    Expert Comment

    by:Jonvee
IMHO an attempt at a repair install is unlikely to improve the situation, but others may not agree... I appreciate that a reformat is your last resort.

Another possible option is to select "Request Attention" at the top right of this thread, and request that this question also be entered in the HijackThis TA, where hopefully rpggamergirl (if she's around) can expertly analyse your ComboFix log and provide a small script for a ComboFix re-run.
    0
     
    LVL 27

    Expert Comment

    by:Jonvee
Speaking of which... have a look under the sub-heading "Scan for rootkits" in one of her articles and you'll see Gmer and RootRepeal; they're worth trying >>

    http://www.experts-exchange.com/Software/Internet_Email/Anti-Virus/A_1979-THINGS-YOU-NEED-TO-DO-WHEN-YOUR-PC-IS-INFECTED.html
    0
     

    Author Comment

    by:speednutt
OK all, I have done all of the recommendations as listed. I am still fighting it. I know it can be fixed, as when I run RKill at least I am able to start and update Security Essentials. However, it is right back after a restart. I tried to run all available scans to find the culprit after the RKill as well.

I have also cloned the drive now. I am willing to do some riskier tricks to get this thing cured, as I know I have a backup if I get carried away.

    Thanks for all the suggestions thus far.

    0
     
    LVL 27

    Expert Comment

    by:Jonvee
      >>willing to do some riskier tricks<<

Okay... well, I have recognised two nasties at least in the ComboFix log. I will compose a script and get back to you within the hour, hopefully.
    0
     
    LVL 11

    Expert Comment

    by:ocanada_techguy
Some malware is so much of a moving target that no anti-malware can fix it. Even the best anti-virus only catches about 95%. Yours may be in that 5%. There's probably some undetected part of the malware that is re-installing the rest of it, so even if you clean it, it'll come back.

Understand that an in-place reinstall won't remedy the issue, because by its very nature an in-place reinstall retains the user settings AND all the programs that have been added to the OS; it only replaces the OS files themselves.

You might try, under Safe Mode, using System Restore to put the system back to the way it was up to 30 days ago, IF that was before this infestation hooked itself into the OS/registry. But there's still a risk that some other portion will re-add itself. No firewall will stop it, because it is not an intrusion initiated from outside; it is the inside reaching out to get it.

You probably have to build a new box/hard drive, and then migrate the user's documents, purchased downloads, photos, and the often forgotten: favorites, email local storage, address book (some email, such as Hotmail, Gmail, Yahoo or Exchange, is kept on the server anyway). Make an inventory list of all the programs that need to be put on; maybe they don't all have to go on today. Keep the old drive on a shelf in case something was forgotten, so it can be retrieved.

You've likely now exceeded the time required to rebuild by trying to fix it, and you've already made a more than thorough attempt. I know it seems like you've almost got it, but you may be stuck at "almost" forever.

    Besides, the risk to the rest of the machines on the enterprise side of the firewall is too great.
    0
     
    LVL 27

    Expert Comment

    by:Jonvee
If you're still willing to run a script, here we are. I have included the appropriate instructions:


    1. Open Notepad.
    2. Copy & paste all text between the lines below, into Notepad window:
    ======================================================

    File::
    c:\windows\system32\EuEpmGdi.dll
    c:\windows\system32\EuGdiDrv.sys
    c:\windows\system32\epmntdrv.sys

    Folder::
    c:\windows\system32\EuGdiDrv.sys
    c:\windows\system32\epmntdrv.sys


    ==================================================
    3. Now Save the above as CFScript.txt on your desktop.
    4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix & hopefully remove the problem.

    Then, quickly re-run HitmanPro or Malwarebytes, the aim being to remove any remaining Malware fragments, *before* you reboot the computer again.

5. Finally, please attach the new ComboFix logfile.

Worth a try I believe... and good luck.
    0
     
    LVL 27

    Expert Comment

    by:Jonvee
My last comment was obviously done in a hurry, and it may not catch everything... worth trying nevertheless!
May I suggest you run 2 or 3 of the best scanners you were given earlier, *before* you re-boot or re-start.

These last comments are with great respect for the last posting by ocanada_tec…, which I agree does sound logical if there's a serious time constraint.
    0
     
    LVL 27

    Expert Comment

    by:Jonvee
    New version of script will be with you in 5 minutes.
    0
     
    LVL 27

    Expert Comment

    by:Jonvee
    1. Open Notepad.
    2. Copy & paste all text between the lines below, into Notepad window:
    ======================================================

    File::
    c:\windows\system32\EuEpmGdi.dll
    c:\windows\system32\EuGdiDrv.sys
    c:\windows\system32\epmntdrv.sys

    Folder::
    c:\windows\system32\EuGdiDrv.sys
    c:\windows\system32\epmntdrv.sys

    Drivers::
    \Legacy_6TO4
    \Legacy_SSHNAS
    \Service_6to4

    Services::
    \Legacy_6TO4
    \Legacy_SSHNAS
    \Service_6to4


    ==================================================
    3. Now Save the above as CFScript.txt on your desktop.
    4. Then drag the CFScript.txt just created into ComboFix.exe. This will re-start ComboFix & hopefully remove the problem.

    Then, quickly re-run HitmanPro or Malwarebytes, the aim being to remove any remaining Malware fragments, *before* you reboot the computer again.

5. Finally, please attach the new ComboFix logfile.
    0
     

    Author Comment

    by:speednutt
OK, I will run the script. Be back with results shortly.
    0
     

    Author Comment

    by:speednutt
OK, here is the report after running the script. Unfortunately, still the same result. I have to run Rkill to get Security Essentials to start up and run.

    ComboFix 11-01-27.01 - testing 01/27/2011  14:42:00.2.1 - x86
    Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1015.685 [GMT -6:00]
    Running from: c:\documents and settings\testing\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\testing\Desktop\CFScript.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

    FILE ::
    "c:\windows\system32\epmntdrv.sys"
    "c:\windows\system32\EuEpmGdi.dll"
    "c:\windows\system32\EuGdiDrv.sys"
    .

    (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\epmntdrv.sys
    c:\windows\system32\EuEpmGdi.dll
    c:\windows\system32\EuGdiDrv.sys

    .
    (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_epmntdrv
    -------\Legacy_EuGdiDrv
    -------\Service_epmntdrv
    -------\Service_EuGdiDrv


    (((((((((((((((((((((((((   Files Created from 2010-12-27 to 2011-01-27  )))))))))))))))))))))))))))))))
    .

    2011-01-27 20:31 . 2008-04-14 01:12      116224      -c--a-w-      c:\windows\system32\dllcache\xrxwiadr.dll
    2011-01-27 20:31 . 2001-08-18 04:36      23040      -c--a-w-      c:\windows\system32\dllcache\xrxwbtmp.dll
    2011-01-27 20:31 . 2008-04-14 01:12      18944      -c--a-w-      c:\windows\system32\dllcache\xrxscnui.dll
    2011-01-27 20:31 . 2001-08-18 04:37      27648      -c--a-w-      c:\windows\system32\dllcache\xrxftplt.exe
    2011-01-27 20:31 . 2001-08-18 04:37      4608      -c--a-w-      c:\windows\system32\dllcache\xrxflnch.exe
    2011-01-27 20:31 . 2001-08-18 04:37      99865      -c--a-w-      c:\windows\system32\dllcache\xlog.exe
    2011-01-27 20:31 . 2001-08-17 18:11      16970      -c--a-w-      c:\windows\system32\dllcache\xem336n5.sys
    2011-01-27 20:31 . 2004-08-04 04:29      19455      -c--a-w-      c:\windows\system32\dllcache\wvchntxx.sys
    2011-01-27 20:30 . 2004-08-04 04:29      12063      -c--a-w-      c:\windows\system32\dllcache\wsiintxx.sys
    2011-01-27 20:30 . 2008-04-14 01:12      8192      -c--a-w-      c:\windows\system32\dllcache\wshirda.dll
    2011-01-27 20:30 . 2008-04-13 19:36      8832      -c--a-w-      c:\windows\system32\dllcache\wmiacpi.sys
    2011-01-27 20:30 . 2004-08-04 04:31      154624      -c--a-w-      c:\windows\system32\dllcache\wlluc48.sys
    2011-01-27 20:30 . 2001-08-17 18:12      34890      -c--a-w-      c:\windows\system32\dllcache\wlandrv2.sys
    2011-01-27 20:30 . 2001-08-17 19:28      771581      -c--a-w-      c:\windows\system32\dllcache\winacisa.sys
    2011-01-27 20:30 . 2001-08-18 04:36      53760      -c--a-w-      c:\windows\system32\dllcache\wiamsmud.dll
    2011-01-27 20:28 . 2001-08-17 19:28      604253      -c--a-w-      c:\windows\system32\dllcache\vmodem.sys
    2011-01-27 20:27 . 2001-08-18 04:36      94720      -c--a-w-      c:\windows\system32\dllcache\umaxud32.dll
    2011-01-27 20:26 . 2001-08-17 18:51      159232      -c--a-w-      c:\windows\system32\dllcache\tridkbm.sys
    2011-01-27 20:25 . 2001-08-17 18:13      17129      -c--a-w-      c:\windows\system32\dllcache\tdkcd31.sys
    2011-01-27 20:24 . 2001-08-18 04:36      41472      -c--a-w-      c:\windows\system32\dllcache\sw_effct.dll
    2011-01-27 20:23 . 2001-08-17 19:53      9600      -c--a-w-      c:\windows\system32\dllcache\sonymc.sys
    2011-01-27 20:22 . 2001-08-17 18:12      91294      -c--a-w-      c:\windows\system32\dllcache\skfpwin.sys
    2011-01-27 20:21 . 2001-08-17 19:48      17664      -c--a-w-      c:\windows\system32\dllcache\sermouse.sys
    2011-01-27 20:20 . 2001-08-18 04:36      62496      -c--a-w-      c:\windows\system32\dllcache\s3mtrio.dll
    2011-01-27 20:19 . 2001-08-17 19:51      19584      -c--a-w-      c:\windows\system32\dllcache\rasirda.sys
    2011-01-27 20:18 . 2001-08-18 04:36      35328      -c--a-w-      c:\windows\system32\dllcache\psisload.dll
    2011-01-27 20:17 . 2001-08-17 20:07      27296      -c--a-w-      c:\windows\system32\dllcache\perc2.sys
    2011-01-27 20:16 . 2001-08-17 20:05      25088      -c--a-w-      c:\windows\system32\dllcache\ovca.sys
    2011-01-27 20:15 . 2001-08-17 18:12      32840      -c--a-w-      c:\windows\system32\dllcache\ngrpci.sys
    2011-01-27 20:14 . 2001-08-17 19:50      21888      -c--a-w-      c:\windows\system32\dllcache\mxcard.sys
    2011-01-27 20:14 . 2001-08-17 18:50      103296      -c--a-w-      c:\windows\system32\dllcache\mtxvideo.sys
    2011-01-27 20:14 . 2008-04-13 19:46      49024      -c--a-w-      c:\windows\system32\dllcache\mstape.sys
    2011-01-27 20:14 . 2001-08-17 19:48      12416      -c--a-w-      c:\windows\system32\dllcache\msriffwv.sys
    2011-01-27 20:14 . 2001-08-17 20:00      2944      -c--a-w-      c:\windows\system32\dllcache\msmpu401.sys
    2011-01-27 20:14 . 2008-04-13 19:54      22016      -c--a-w-      c:\windows\system32\dllcache\msircomm.sys
    2011-01-27 20:14 . 2001-08-17 20:02      35200      -c--a-w-      c:\windows\system32\dllcache\msgame.sys
    2011-01-27 20:14 . 2001-08-17 19:48      6016      -c--a-w-      c:\windows\system32\dllcache\msfsio.sys
    2011-01-27 20:14 . 2008-04-13 19:46      51200      -c--a-w-      c:\windows\system32\dllcache\msdv.sys
    2011-01-27 20:13 . 2001-08-17 19:52      17280      -c--a-w-      c:\windows\system32\dllcache\mraid35x.sys
    2011-01-27 20:13 . 2008-04-13 19:46      15232      -c--a-w-      c:\windows\system32\dllcache\mpe.sys
    2011-01-27 20:13 . 2001-08-17 19:57      16128      -c--a-w-      c:\windows\system32\dllcache\modemcsa.sys
    2011-01-27 20:13 . 2001-08-17 19:52      6528      -c--a-w-      c:\windows\system32\dllcache\miniqic.sys
    2011-01-27 20:13 . 2001-08-17 18:50      320384      -c--a-w-      c:\windows\system32\dllcache\mgaum.sys
    2011-01-27 20:13 . 2001-08-17 20:56      235648      -c--a-w-      c:\windows\system32\dllcache\mgaud.dll
    2011-01-27 20:13 . 2008-04-13 19:41      26112      -c--a-w-      c:\windows\system32\dllcache\memstpci.sys
    2011-01-27 20:13 . 2001-08-18 04:36      47616      -c--a-w-      c:\windows\system32\dllcache\memgrp.dll
    2011-01-27 20:13 . 2001-08-17 19:58      8320      -c--a-w-      c:\windows\system32\dllcache\memcard.sys
    2011-01-27 20:13 . 2001-08-17 18:12      164586      -c--a-w-      c:\windows\system32\dllcache\mdgndis5.sys
    2011-01-27 20:11 . 2001-08-17 18:12      19016      -c--a-w-      c:\windows\system32\dllcache\ktc111.sys
    2011-01-27 20:11 . 2001-08-18 04:36      37376      -c--a-w-      c:\windows\system32\dllcache\kousd.dll
    2011-01-27 20:11 . 2008-04-14 01:11      253952      -c--a-w-      c:\windows\system32\dllcache\kdsusd.dll
    2011-01-27 20:11 . 2008-04-14 01:11      48640      -c--a-w-      c:\windows\system32\dllcache\kdsui.dll
    2011-01-27 20:11 . 2001-08-17 19:49      26624      -c--a-w-      c:\windows\system32\dllcache\irstusb.sys
    2011-01-27 20:11 . 2001-08-17 19:51      18688      -c--a-w-      c:\windows\system32\dllcache\irsir.sys
    2011-01-27 20:11 . 2008-04-14 01:11      28160      -c--a-w-      c:\windows\system32\dllcache\irmon.dll
    2011-01-27 20:11 . 2001-08-17 19:49      23552      -c--a-w-      c:\windows\system32\dllcache\irmk7.sys
    2011-01-27 20:11 . 2008-04-14 01:12      151552      -c--a-w-      c:\windows\system32\dllcache\irftp.exe
    2011-01-27 20:11 . 2008-04-13 19:54      88192      -c--a-w-      c:\windows\system32\dllcache\irda.sys
    2011-01-27 20:11 . 2001-08-17 18:12      45632      -c--a-w-      c:\windows\system32\dllcache\ip5515.sys
    2011-01-27 20:10 . 2001-08-18 04:36      90200      -c--a-w-      c:\windows\system32\dllcache\io8ports.dll
    2011-01-27 20:10 . 2001-08-17 19:50      38784      -c--a-w-      c:\windows\system32\dllcache\io8.sys
    2011-01-27 20:10 . 2001-08-17 19:47      13056      -c--a-w-      c:\windows\system32\dllcache\inport.sys
    2011-01-27 20:10 . 2001-08-17 19:52      16000      -c--a-w-      c:\windows\system32\dllcache\ini910u.sys
    2011-01-27 20:10 . 2001-08-18 04:36      372824      -c--a-w-      c:\windows\system32\dllcache\iconf32.dll
    2011-01-27 20:10 . 2001-08-17 20:06      100992      -c--a-w-      c:\windows\system32\dllcache\icam5usb.sys
    2011-01-27 20:10 . 2001-08-18 04:36      20480      -c--a-w-      c:\windows\system32\dllcache\icam5ext.dll
    2011-01-27 20:10 . 2001-08-18 04:36      45056      -c--a-w-      c:\windows\system32\dllcache\icam5com.dll
    2011-01-27 20:10 . 2001-08-17 20:06      154496      -c--a-w-      c:\windows\system32\dllcache\icam4usb.sys
    2011-01-27 20:08 . 2001-08-17 19:28      488383      -c--a-w-      c:\windows\system32\dllcache\hsf_v124.sys
    2011-01-27 20:07 . 2001-08-18 04:36      126976      -c--a-w-      c:\windows\system32\dllcache\hpgt34tk.dll
    2011-01-27 20:06 . 2001-08-18 04:36      92160      -c--a-w-      c:\windows\system32\dllcache\fuusd.dll
    2011-01-27 20:05 . 2004-08-04 04:32      137088      -c--a-w-      c:\windows\system32\dllcache\essm2e.sys
    2011-01-27 20:04 . 2001-08-17 18:12      19594      -c--a-w-      c:\windows\system32\dllcache\e100isa4.sys
    2011-01-27 20:03 . 2001-08-18 04:36      419357      -c--a-w-      c:\windows\system32\dllcache\dgconfig.dll
    2011-01-27 20:02 . 2008-04-13 19:36      10240      -c--a-w-      c:\windows\system32\dllcache\compbatt.sys
    2011-01-27 20:01 . 2001-08-17 19:51      13824      -c--a-w-      c:\windows\system32\dllcache\bulltlp3.sys
    2011-01-27 20:00 . 2001-08-17 18:49      26624      -c--a-w-      c:\windows\system32\dllcache\ativxbar.sys
    2011-01-27 19:59 . 2001-08-17 20:56      66048      -c--a-w-      c:\windows\system32\dllcache\s3legacy.dll
    2011-01-27 17:59 . 2011-01-13 07:41      5890896      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C0B4DEB8-89B1-40AF-972B-CE30B7299DA7}\mpengine.dll
    2011-01-27 02:27 . 2011-01-27 02:27      2      --shatr-      c:\windows\winstart.bat
    2011-01-27 02:27 . 2011-01-27 02:35      --------      d-----w-      c:\program files\UnHackMe
    2011-01-27 02:21 . 2011-01-27 02:22      --------      d-----w-      c:\documents and settings\testing
    2011-01-27 02:17 . 2011-01-27 02:18      --------      d-----w-      c:\program files\Microsoft Security Client
    2011-01-26 21:40 . 2011-01-26 21:40      --------      d-----w-      c:\program files\Sophos
    2011-01-26 18:53 . 2011-01-26 18:53      --------      d-----w-      c:\program files\Common Files\Java
    2011-01-26 18:53 . 2010-11-13 00:53      472808      ----a-w-      c:\windows\system32\deployJava1.dll
    2011-01-26 18:49 . 2010-12-23 01:45      2336384      ----a-w-      c:\windows\system32\BootMan.exe
    2011-01-26 18:49 . 2010-07-15 14:44      86408      ----a-w-      c:\windows\system32\setupempdrv03.exe
    2011-01-26 18:41 . 2011-01-26 18:49      --------      d-----w-      c:\program files\EASEUS
    2011-01-26 18:28 . 2008-04-14 01:11      21504      -c--a-w-      c:\windows\system32\dllcache\hidserv.dll
    2011-01-26 18:28 . 2008-04-14 01:11      21504      ----a-w-      c:\windows\system32\hidserv.dll
    2011-01-26 18:28 . 2008-04-13 19:39      14592      -c--a-w-      c:\windows\system32\dllcache\kbdhid.sys
    2011-01-26 18:28 . 2008-04-13 19:39      14592      ----a-w-      c:\windows\system32\drivers\kbdhid.sys
    2011-01-26 18:28 . 2008-04-13 19:45      32128      -c--a-w-      c:\windows\system32\dllcache\usbccgp.sys
    2011-01-26 18:28 . 2008-04-13 19:45      32128      ----a-w-      c:\windows\system32\drivers\usbccgp.sys
    2011-01-25 02:35 . 2011-01-25 02:35      --------      d--h--w-      c:\windows\system32\GroupPolicy
    2011-01-25 02:14 . 2011-01-25 02:14      --------      d-----w-      c:\windows\TempFEF64CCA-7CD1-DB4B-53AC-309D31BC8067-Signatures
    2011-01-25 02:12 . 2011-01-27 02:50      --------      d-----w-      C:\junk
    2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
    2011-01-24 22:53 . 2011-01-24 22:57      --------      d-----w-      c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-01-20 22:57 . 2011-01-20 22:57      --------      d-----w-      c:\windows\system32\%APPDATA%
    2011-01-20 19:19 . 2011-01-20 19:19      --------      d-sh--w-      c:\windows\system32\config\systemprofile\IETldCache
    2011-01-20 19:19 . 2011-01-20 19:19      18297      ----a-w-      c:\windows\system32\MAI4.tmp
    2011-01-20 19:17 . 2011-01-20 19:20      --------      d-----w-      c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-01-20 19:00 . 2011-01-20 19:00      --------      d-----w-      C:\Temp
    2011-01-15 14:23 . 2011-01-15 14:57      --------      d-----w-      c:\documents and settings\Administrator\.SSRB2

    .
    ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-13 07:41 . 2010-06-22 22:00      5890896      ----a-w-      c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2010-12-21 00:09 . 2010-10-24 01:46      38224      ----a-w-      c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-21 00:08 . 2010-10-24 01:46      20952      ----a-w-      c:\windows\system32\drivers\mbam.sys
    2010-12-13 19:01 . 2010-06-02 00:00      53632      ----a-w-      c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
    2010-12-13 19:01 . 2010-06-02 00:00      83360      ----a-w-      c:\windows\system32\LMIRfsClientNP.dll
    2010-12-13 19:01 . 2010-06-02 00:00      29568      ----a-w-      c:\windows\system32\LMIport.dll
    2010-12-13 19:01 . 2010-06-02 00:00      87424      ----a-w-      c:\windows\system32\LMIinit.dll
    2010-11-18 18:12 . 2008-04-06 03:16      81920      ----a-w-      c:\windows\system32\isign32.dll
    2010-11-12 22:34 . 2008-04-07 15:52      73728      ----a-w-      c:\windows\system32\javacpl.cpl
    2010-11-09 14:52 . 2004-08-04 12:00      249856      ----a-w-      c:\windows\system32\odbc32.dll
    2010-11-06 00:26 . 2004-08-04 12:00      916480      ----a-w-      c:\windows\system32\wininet.dll
    2010-11-06 00:26 . 2004-08-04 12:00      43520      ------w-      c:\windows\system32\licmgr10.dll
    2010-11-06 00:26 . 2004-08-04 12:00      1469440      ------w-      c:\windows\system32\inetcpl.cpl
    2010-11-03 12:25 . 2004-08-04 12:00      385024      ----a-w-      c:\windows\system32\html.iec
    2010-11-02 15:17 . 2004-08-04 12:00      40960      ----a-w-      c:\windows\system32\drivers\ndproxy.sys
    .

    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
    2010-08-13 00:46      194912      ------w-      c:\program files\Yontoo Layers Client\YontooIEClient.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-12-21 963976]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
    "oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]

    c:\documents and settings\admin\Start Menu\Programs\Startup\
    OpenOffice.org 2.3.lnk - c:\program files\OpenOffice.org 2.3\program\quickstart.exe [2007-8-17 393216]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Brock Hot Key.exe.lnk - c:\program files\Brock Supply Co\Brock Hotkey\Brock Hot Key.exe [2008-1-17 327680]
    Car-Part.com Trading Partner Software.lnk - c:\car-part\CPKeySrv.exe [2009-9-21 446976]
    Service Manager.lnk - c:\program files\MICROSOFT SQL SERVER\80\TOOLS\BINN\sqlmangr.exe [2005-5-3 81920]
    UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 393216]
    UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Taskman"=""

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2010-12-13 19:01      87424      ----a-w-      c:\windows\system32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
    path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
    backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Seagull Drivers]
    ssdal_nc.exe startup [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2010-09-24 09:15      40368      ----a-w-      c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpbdfawep]
    2007-04-25 19:28      954368      ----a-w-      c:\program files\HP\Dfawep\bin\hpbdfawep.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NA1Messenger]
    2009-12-02 02:36      24576      ----a-w-      c:\ups\WSTD\UPSNA1Msgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPPOLL]
    2005-03-02 22:12      24576      ----a-w-      c:\program files\Topro\tppoll.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\WINDOWS\\system32\\mmc.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "6160:TCP"= 6160:TCP:Seagull Driver Networking

    R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [1/15/2008 9:28 AM 204800]
    R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 11:29 AM 374152]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 11:41 AM 12856]
    R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
    S3 DCamUSBIntel;Digi-Microscope;c:\windows\system32\drivers\TP6800.sys [4/8/2008 9:36 AM 211680]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
    S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
    .
    Contents of the 'Scheduled Tasks' folder

    2011-01-27 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]

    2011-01-27 c:\windows\Tasks\User_Feed_Synchronization-{67A22DCE-2AE1-42B8-80D0-FCC1A2018453}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 10:31]
    .
    .
    ------- Supplementary Scan -------
    .
    DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://69.21.158.138/WinWebPush.cab
    DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cflive.audatex.us/cf1live/static/weblaunch/weblaunch2.cab
    FF - ProfilePath -
    .
    - - - - ORPHANS REMOVED - - - -

    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-01-27 14:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...  

    scanning hidden autostart entries ...

    scanning hidden files ...  

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\35.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0a,fc,65,15,a2,f7,dc,49,9d,71,86,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (Administrator)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
       d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e2,b7,62,e4,ee,54,13,45,9a,0a,49,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(644)
    c:\windows\system32\LMIinit.dll

    - - - - - - - > 'explorer.exe'(3372)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\LogMeIn\x86\RaMaint.exe
    c:\windows\system32\java.exe
    c:\program files\LogMeIn\x86\LogMeIn.exe
    c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
    c:\windows\System32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
    c:\windows\system32\rundll32.exe
    .
    **************************************************************************
    .
    Completion time: 2011-01-27  14:53:49 - machine was rebooted
    ComboFix-quarantined-files.txt  2011-01-27 20:53

    Pre-Run: 66,960,146,432 bytes free
    Post-Run: 66,977,177,600 bytes free

    - - End Of File - - 61B406892BBD060A1477547BE601D139


    It is looking more and more like I will have to start over with a new drive.

    Thanks for all the help and suggestions. At least now the system is manageable with Rkill.
    0
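
    Added here as a worked example, not code from the thread or from ComboFix: a small Python triage pass over the kind of log posted above. It pulls out the items a responder reads first in that log: Security Center monitoring switched off under the security center\Monitoring keys, the autostart value under policies\explorer\Run, a service whose ImagePath is a *.tmp file, a DPF (ActiveX download) entry served from a raw IP, and newly created files under c:\windows carrying the system+hidden attributes. The excerpt embedded in the script is constructed from lines of the log above; the line layouts it parses are inferred from those lines, which is an assumption about ComboFix output in general. A *.tmp ImagePath is also how some scanners load a temporary driver (the log shows a Sophos folder created the day before), so every hit is a lead to check against the file on disk, not a verdict.

```python
"""Triage a pasted ComboFix log for the indicators seen in this thread.

Added example, not code from the thread or from ComboFix.  Flags:
Security Center monitoring disabled in the registry, values under
policies\\explorer\\Run, services with a *.tmp ImagePath, DPF entries
fetched from a raw IP, and new system+hidden files under c:\\windows.
Line layouts are inferred from the quoted log (assumption).
"""
import re
from ipaddress import ip_address

# Constructed excerpt of the log posted above (benign lines kept for contrast).
SAMPLE_LOG = r"""
2011-01-26 18:53 . 2010-11-13 00:53      472808      ----a-w-      c:\windows\system32\deployJava1.dll
2011-01-24 23:02 . 2011-01-24 23:02      79360      --sha-r-      c:\windows\system32\smime3N.dll
2011-01-27 02:27 . 2011-01-27 02:27      2      --shatr-      c:\windows\winstart.bat
2011-01-20 19:19 . 2011-01-20 19:19      --------      d-sh--w-      c:\windows\system32\config\systemprofile\IETldCache

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"oddc"="c:\windows\system32\smime3N.dll" [2011-01-24 79360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [10/13/2010 11:29 AM 374152]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\35.tmp --> c:\windows\system32\35.tmp [?]
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://69.21.158.138/WinWebPush.cab
DPF: {97BB6657-DC7F-4489-9067-51FAB9D8857E} - hxxp://cflive.audatex.us/cf1live/static/weblaunch/weblaunch2.cab
"""

# Attribute column: position 0 = d(irectory), 2 = s(ystem), 3 = h(idden),
# read off the log's own "d-sh--w-" / "--sha-r-" examples (assumption).
FILE_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}"
                     r"\s+\S+\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
SVC_RE = re.compile(r"^[RS]\d\s+(?P<name>[^;]+);[^;]*;(?P<image>.+?)(?:\s+-->|\s+\[)")
DPF_RE = re.compile(r"^DPF:\s+\{[^}]+\}\s+-\s+(?P<url>\S+)")


def host_is_raw_ip(url: str) -> bool:
    """True when the URL host is a bare IP address (ComboFix defangs http as hxxp)."""
    m = re.match(r"[a-z]+://([^/:]+)", url, re.IGNORECASE)
    if not m:
        return False
    try:
        ip_address(m.group(1))
        return True
    except ValueError:
        return False


def triage(log: str) -> list[tuple[str, str]]:
    """Return (indicator, detail) pairs: leads to verify on disk, not verdicts."""
    findings: list[tuple[str, str]] = []
    key = ""  # registry key that the following "name"=data lines belong to
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := FILE_RE.match(line):
            attrs, path = m["attrs"], m["path"].lower()
            # A fresh, non-directory system+hidden file is how smime3N.dll shows up
            if attrs[0] != "d" and attrs[2] == "s" and attrs[3] == "h" \
                    and path.startswith("c:\\windows\\"):
                findings.append(("hidden-system-file", path))
        elif m := KEY_RE.match(line):
            key = m["key"].lower()
        elif m := VALUE_RE.match(line):
            name, data = m["name"], m["data"]
            if "security center\\monitoring" in key and name.lower() == "disablemonitoring" \
                    and data.lower() == "dword:00000001":
                findings.append(("security-center-monitoring-disabled", key))
            elif key.endswith("policies\\explorer\\run"):
                # The policy Run key is rarely used by legitimate installers
                findings.append(("explorer-policy-run", f"{name} -> {data}"))
        elif m := SVC_RE.match(line):
            if m["image"].lower().endswith(".tmp"):
                findings.append(("service-image-tmp", f"{m['name']} -> {m['image']}"))
        elif m := DPF_RE.match(line):
            if host_is_raw_ip(m["url"]):
                findings.append(("activex-from-raw-ip", m["url"]))
    return findings


if __name__ == "__main__":
    for indicator, detail in triage(SAMPLE_LOG):
        print(f"{indicator:40} {detail}")
```

    Run against the full log, the hidden-system-file rule is what ties the policy Run value to the file it points at (both name smime3N.dll, both dated 2011-01-24), which is the kind of cross-reference that tells you which entry to hand to the next scanner.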
     
    LVL 27

    Expert Comment

    by:Jonvee
    Pity the script writing wasn't successful. So good luck with the new drive.
    0
     
    LVL 38

    Expert Comment

    by:younghv
    @speednutt,
    You had a lot of great advice, but I didn't see anywhere that you had cleaned all of the Temp/Junk files from the normal user's account.

    Malware will very often reside in those folders and continually re-infect the system.

    A very simple (and free) tool I use is from www.ccleaner.com - but it needs to be run from each profile on the computer.

    There is another good cleaner program out there (the name escapes me) that will clear all profiles with one run.
    0
     

    Author Comment

    by:speednutt
    Well everyone, I would call this one a wrap. We tried everything mentioned (I mean everything) and I still came up a bit short. That's the breaks. I did learn a great deal from all that contributed though, so that is worth something.

    I am going to do a fresh install on a new drive and take a look back at this drive in a couple of weeks or so. Maybe something will give then.

    The next question: how is it recommended that I apply the points that I offered for your help? I know that there were several that contributed and some answers were more in depth than others, so I would like to apply the points the best way possible. If there were only a couple of responses it would be a lot easier.

    I do appreciate everyone's help and that is why I pay my monthly fees even though I haven't used the service as much as I probably should.

    Thanks much.
    0
     
    LVL 27

    Expert Comment

    by:Jonvee
    speednutt,
    Glad to help, but wish we could have resolved it!  

    Suggest the points are equally shared between those you feel contributed something of use for your future troubleshooting, as well as our attempts at restoring the drive. Rkill obviously contributed something, but I'll go along with whatever you all decide.

    Have to log off now for ~48 hours, so I'm taking the easy way out!
    It's over to the others for their thoughts ....!!
    0
     
    LVL 6

    Expert Comment

    by:originalbiffmalibu
    Distribute the points the way you see fit.  The posts that have information that benefits you in the future are sure to earn something.  I wish we could have helped.  There was a lot of effort and good suggestions.
    0
     

    Author Closing Comment

    by:speednutt
    Thanks for all the help. Also, thanks for being so quick in your response times. If there were a way to give the points to everyone I would have done that.
    0
     

    Author Comment

    by:speednutt
    Just wanted to update everyone that the problem has finally been solved. I ran Hitman Pro 3.5 for a second time and it found the rootkit and successfully cleared it out. Mission accomplished, and thanks so much for everyone's help in this matter. I didn't have to wipe the drive and all the data was saved.

    I can't thank you all enough.
    0
     
    LVL 27

    Expert Comment

    by:Jonvee
    It's very rewarding for us all to get this kind of feedback ...thank you!
    Glad you were able to recover all data.
    0
     
    LVL 23

    Expert Comment

    by:phototropic
    Glad to hear that your problem is resolved.
    0
