Have multiple infections please help

rysktkr · June 26, 2012

My SEP detected Bloodhound.MalPE but was unable to remove it. I ran Malwarebytes it detected several viruses and trojans. Unfortunately the removal was not successful and I can't even run it anymore. I tried running DDS to get a log but it freezes everytime in the progress location. I was able to get a successful HJT log below:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 7:29:29 PM, on 6/25/2012

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\windows\System32\smss.exe

C:\windows\system32\winlogon.exe

C:\windows\system32\services.exe

C:\windows\system32\lsass.exe

C:\windows\system32\svchost.exe

C:\windows\System32\svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\windows\system32\spoolsv.exe

C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\windows\system32\svchost.exe

C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Nero\Update\NASvc.exe

C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

C:\windows\System32\svchost.exe

C:\windows\system32\nvsvc32.exe

C:\windows\System32\svchost.exe

C:\Program Files\RemotelyAnywhere\x86\RaMaint.exe

C:\Program Files\RemotelyAnywhere\x86\RemotelyAnywhere.exe

C:\Program Files\Cyberlink\Shared files\RichVideo.exe

C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe

C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

C:\Program Files\VERIZONDM\bin\sprtsvc.exe

C:\windows\system32\svchost.exe

C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

C:\Program Files\VERIZONDM\bin\tgsrvc.exe

C:\windows\System32\vssvc.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

C:\WINDOWS\system32\vsnapvss.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\windows\System32\svchost.exe

C:\windows\System32\msiexec.exe

C:\WINDOWS\system32\msiexec.exe

C:\windows\System32\msiexec.exe

I:\hjt\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ptec/defaults/sb/*http://www.yahoo.com/search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ptec/defaults/sp/*http://www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?fr=fp-yie8

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll

O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll

O3 - Toolbar: DAEMON Tools Toolbar - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll

O3 - Toolbar: @C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll,-100 - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\5.0.1449.0\npwinext.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll

O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll

O4 - HKLM\..\Run: [V0230Mon.exe] C:\WINDOWS\system32\V0230Mon.exe

O4 - HKLM\..\Run: [NBAgent] "C:\Program Files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" /WinStart

O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [RemoteControl10] "C:\Program Files\CyberLink\PowerDVD10\PDVD10Serv.exe"

O4 - HKLM\..\Run: [bDRegion] C:\Program Files\Cyberlink\Shared files\brs.exe

O4 - HKLM\..\Run: [Nero MediaHome 4] "C:\Program Files\Nero\Nero MediaHome 4\NeroMediaHome.exe" /AUTORUN

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [updatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector10" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\10.0"

O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"

O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"

O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\WINDOWS\RaidTool\xInsIDE.exe

O4 - HKLM\..\Run: [36X Raid Configurer] C:\WINDOWS\system32\xRaidSetup.exe boot

O4 - HKLM\..\Run: [GiBbQUEPdGQQTat.exe] C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe

O4 - HKLM\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

O4 - HKCU\..\RunOnce: [*NPE] "I:\NPE.exe" /POSTADVSCAN

O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" (User 'Mark')

O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~1\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet (User 'Mark')

O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe" (User 'Mark')

O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [DAEMON Tools Lite] "C:\util\DAEMON Tools Lite\DTLite.exe" -autorun (User 'Mark')

O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden (User 'Mark')

O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe (User 'Mark')

O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [Google Update] "C:\Documents and Settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User 'Mark')

O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Mark')

O4 - HKUS\S-1-5-21-1960408961-1303643608-839522115-1003\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe (User 'Mark')

O4 - S-1-5-21-1960408961-1303643608-839522115-1003 Startup: Check for TWS Updates.lnk = C:\Program Files\Jts\WiseUpdt.exe (User 'Mark')

O4 - S-1-5-21-1960408961-1303643608-839522115-1003 User Startup: Check for TWS Updates.lnk = C:\Program Files\Jts\WiseUpdt.exe (User 'Mark')

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll

O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: Show or hide HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} (Device Detection) - http://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://www.alternatiff.com/install-ie/alttiff.cab

O16 - DPF: {1851174C-97BD-4217-A0CC-E908F60D5B7A} (Hewlett-Packard Online Support Services) - http://h20364.www2.hp.com/CSMWeb/Customer/cabs/HPISDataManager.CAB

O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab

O16 - DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} (SlingHealth Class) - http://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab

O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} (WebSlingPlayer) - http://plugin.slingbox.com/downloads/pc/1.4.0.115/WebSlingPlayer.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://ccfiles.creative.com/Web/softwareupdate/su2/ocx/15112/CTPID.cab

O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - http://mypc:2000/activex/RACtrl.cab

O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32 acaptuser32.dll

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll

O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe

O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Google Update Service (gupdate1ca0bc6b51516ae) (gupdate1ca0bc6b51516ae) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: IHA_MessageCenter - Verizon - C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: Intuit Update Service v4 (IntuitUpdateServiceV4) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Java\jre7\bin\jqs.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: @C:\Program Files\Nero\Update\NASvc.exe,-200 (NAUpdate) - Nero AG - C:\Program Files\Nero\Update\NASvc.exe

O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe

O23 - Service: Nero MediaHome 4 Service (NeroMediaHomeService.4) - Nero AG - C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe

O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe

O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe

O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - LogMeIn, Inc. - C:\Program Files\RemotelyAnywhere\x86\RaMaint.exe

O23 - Service: RemotelyAnywhere - LogMeIn, Inc. - C:\Program Files\RemotelyAnywhere\x86\RemotelyAnywhere.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared files\RichVideo.exe

O23 - Service: ShadowProtect Service (ShadowProtectSvc) - StorageCraft Technology Corporation - C:\Program Files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe

O23 - Service: SlingAgentService - Sling Media Inc. - C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe

O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe

O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE

O23 - Service: SupportSoft Sprocket Service (verizondm) (sprtsvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\sprtsvc.exe

O23 - Service: StorageCraft Image Manager - StorageCraft Technology Corporation - C:\Program Files\StorageCraft\ImageManager\ImageManager.exe

O23 - Service: StorageCraft Image Manager (StorageCraft Image Manager32) - Unknown owner - C:\WINDOWS\system32\ntsdexts32.exe (file missing)

O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

O23 - Service: SupportSoft Repair Service (verizondm) (tgsrvc_verizondm) - SupportSoft, Inc. - C:\Program Files\VERIZONDM\bin\tgsrvc.exe

O23 - Service: StorageCraft Shadow Copy Provider (VSNAPVSS) - StorageCraft Technology Corporation - C:\WINDOWS\system32\vsnapvss.exe

O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe

--

End of file - 18520 bytes

MrCharlie · June 26, 2012

Welcome to the forum.

Enable hidden files:

http://www.howtogeek...-folders-in-xp/

Using HJT>>>>

[*]Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [GiBbQUEPdGQQTat.exe] C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe

Click on Fix Checked when finished and exit HijackThis.

---------------------------

Delete this file:

C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe

-----------------------------

Next......

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

For Windows XP, double-click to start.

For Vista or Windows 7, do a right-click on the program, select Run as Administrator to start, & when prompted Allow to run.

Click Scan to scan the system (don't run any other options, they're not all bad!!!!!!!)

Post back the report.

MrC

rysktkr · June 26, 2012

Hi MrCharlie,

I accomplished everything requested with the exception of:

Delete this file:

C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe

While HJT was running I opened up a windows explorer and could see this file. I waited for HJT to complete before trying to delete. Once HJT was finished I could not see any files in the C drive. Note this has been the case during this infection. Here is the log you requested.

RogueKiller V7.6.0 [06/26/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Administrator [Admin rights]

Mode: Scan -- Date: 06/26/2012 07:41:29

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

[APPINIT_DLL] HKLM\[...]\Windows : AppInit_DLLs (C:\WINDOWS\system32 acaptuser32.dll) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

[ZeroAccess][FILE] @ : c:\windows\installer\{f53b4e5d-be5e-dbd5-89b7-192bca81046d}\@ --> FOUND

[ZeroAccess][FOLDER] U : c:\windows\installer\{f53b4e5d-be5e-dbd5-89b7-192bca81046d}\U --> FOUND

¤¤¤ Driver: [LOADED] ¤¤¤

SSDT[12] : NtAlertResumeThread @ 0x80637C36 -> HOOKED (Unknown @ 0x875185C0)

SSDT[13] : NtAlertThread @ 0x80592EFA -> HOOKED (Unknown @ 0x87519260)

SSDT[17] : NtAllocateVirtualMemory @ 0x80570BC5 -> HOOKED (Unknown @ 0x875185F8)

SSDT[43] : NtCreateMutant @ 0x80580B62 -> HOOKED (Unknown @ 0x8A048920)

SSDT[53] : NtCreateThread @ 0x805860C0 -> HOOKED (Unknown @ 0x874E1420)

SSDT[83] : NtFreeVirtualMemory @ 0x805710BF -> HOOKED (Unknown @ 0x87523770)

SSDT[89] : NtImpersonateAnonymousToken @ 0x8059BB5D -> HOOKED (Unknown @ 0x8A085E00)

SSDT[91] : NtImpersonateThread @ 0x805874C1 -> HOOKED (Unknown @ 0x8A085EC0)

SSDT[108] : NtMapViewOfSection @ 0x8057AA19 -> HOOKED (Unknown @ 0x874C9838)

SSDT[114] : NtOpenEvent @ 0x80589B69 -> HOOKED (Unknown @ 0x8A048860)

SSDT[123] : NtOpenProcessToken @ 0x805784F6 -> HOOKED (Unknown @ 0x8A062500)

SSDT[129] : NtOpenThreadToken @ 0x805746D2 -> HOOKED (Unknown @ 0x8A083EF0)

SSDT[206] : NtResumeThread @ 0x80586737 -> HOOKED (Unknown @ 0x8A05CCB0)

SSDT[213] : NtSetContextThread @ 0x8063629D -> HOOKED (Unknown @ 0x8A05ADC0)

SSDT[228] : NtSetInformationProcess @ 0x80574B1F -> HOOKED (Unknown @ 0x8A083FC0)

SSDT[229] : NtSetInformationThread @ 0x80576ABD -> HOOKED (Unknown @ 0x8A083678)

SSDT[253] : NtSuspendProcess @ 0x80637B7B -> HOOKED (Unknown @ 0x8A0487A0)

SSDT[254] : NtSuspendThread @ 0x80637A97 -> HOOKED (Unknown @ 0x87521120)

SSDT[257] : NtTerminateProcess @ 0x8058E6B9 -> HOOKED (Unknown @ 0x8A087498)

SSDT[258] : NtTerminateThread @ 0x80582DD9 -> HOOKED (Unknown @ 0x88A13D90)

SSDT[267] : NtUnmapViewOfSection @ 0x8057A5A1 -> HOOKED (Unknown @ 0x8A05C258)

SSDT[277] : NtWriteVirtualMemory @ 0x805873F6 -> HOOKED (Unknown @ 0x87523840)

IRP[iRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40)

IRP[iRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40)

IRP[iRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40)

IRP[iRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40)

IRP[iRP_MJ_DEVICE_CHANGE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40)

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HDS5C3020ALA632 +++++

--- User ---

[MBR] 643c28cbc44b82ab1d3fc24bbfdf4f69

[bSP] 57baa9068b859ee8a3cfb5a321dc6037 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] 832b7b432331ebc868a045aad743990a

[bSP] 57baa9068b859ee8a3cfb5a321dc6037 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo

1 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 3907024065 | Size: 2 Mo

+++++ PhysicalDrive1: ST3500630AS +++++

--- User ---

[MBR] 643c28cbc44b82ab1d3fc24bbfdf4f69

[bSP] 57baa9068b859ee8a3cfb5a321dc6037 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] 1406de26d4acd19c9b0ddec378f968d3

[bSP] 93a4ad19c181e7d325737ffc772b14db : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo

+++++ PhysicalDrive2: WDC WD7500AADS-00L5B1 +++++

--- User ---

[MBR] 643c28cbc44b82ab1d3fc24bbfdf4f69

[bSP] 57baa9068b859ee8a3cfb5a321dc6037 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo

User = LL1 ... OK!

User != LL2 ... KO!

--- LL2 ---

[MBR] c83fcee3155eb6114d8c84d54c112317

[bSP] eaf482a9766f3000634a695d502e8c7f : Windows XP MBR Code

Partition table:

0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 715402 Mo

+++++ PhysicalDrive3: SATA ST3320620AS SCSI Disk Device +++++

--- User ---

[MBR] 0326145d3c46a04484f1aa0bb439fb72

[bSP] 6367311c297c53c8fa575c4c03192a94 : Windows XP MBR Code

Partition table:

0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

Finished : << RKreport[2].txt >>

RKreport[1].txt ; RKreport[2].txt

MrCharlie · June 26, 2012

Running unhide should "unhide" the files:

http://www.bleepingc...opic405109.html <---unhide

-------------------------------------

From the RogueKiller log it shows....

[ZeroAccess] infection, so I have to give you this warning:

Your computer is infected with a nasty rootkit. Please read the following information first.

You're infected with Rootkit.ZeroAccess, a BackDoor Trojan.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall

http://www.dslreports.com/faq/10063

I will try my best to clean this machine but I can't guarantee that it will be 100% secure afterwards and......

There's a possibility that you'll lose your internet connections which I may not be able to correct and will require a repair install.
There's also a possibility that during the cleaning procedure the computer will become unusable (won't boot) which will result in a repair install or complete format and install.
I strongly suggest you back up all of the important items on the system before we continue.

Please let me know you have read this and agree to it.

Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

------------------------------------------

Please download and run ComboFix.

The most important things to remember when running it is to disable all your malware programs and run Combofix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Give it at least 30-45 minutes to finish if needed.

Please include the C:\ComboFix.txt in your next reply for further review.

---------->NOTE<----------

If you get the message Illegal operation attempted on registry key that has been marked for deletion after you run ComboFix....please reboot the computer, this should resolve the problem. You may have to do this several times if needed.

MrC

rysktkr · June 26, 2012

Actually, was now able to delete C:\Documents and Settings\All Users\Application Data\GiBbQUEPdGQQTat.exe. Whatever, infection I have it turned file view back to "Do not show hidden files and folders". I was able to switch it back and delete it. Unfortunately it looks like all file and folder attributes were changed to "hidden" on all my drives.

MrCharlie · June 26, 2012

That's what these infection do, if you run ComboFix it will correct it. MrC

rysktkr · June 26, 2012

Just got your latest post yikes! If I opt to attempt cleanup rather than nuke and pave what are my chances this rootkit is removed? 70%, 50%, etc?

MrCharlie · June 26, 2012

I really can't be 100% sure but I think we can clean it up, MrC

rysktkr · June 26, 2012

Well I ran combofix twice both times it hung the computer. It mentioned that I had ZeroAccess and that it was inserted into the TCP/IP stack. I am hoping that doesn't imply that it could of spread itself to other computers on my home network.

MrCharlie · June 26, 2012

Well I ran combofix twice both times it hung the computer. It mentioned that I had ZeroAccess and that it was inserted into the TCP/IP stack. I am hoping that doesn't imply that it could of spread itself to other computers on my home network.

As far as I'm concerned that's the worst version on ZA that you can have and sometimes is very difficult to remove.

I believe that it can spread to other computers on a network.

-------------------------------------

Reboot into safe mode and run ComboFix, please allow at least 3/4 to 1 hour for it to work.

Keep in mind the warnings I advised you about.

MrC

rysktkr · June 27, 2012

No Luck . I tried combofix in safe mode several times and hung the computer. Even tried letting it run over night.

MrCharlie · June 27, 2012

Try it this way.....

Delete your copy of ComboFix. Grab a fresh copy and save it to your Desktop, but do not run it yet.

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

Click Start --> Run, and enter this command exactly as shown:

"%userprofile%\desktop\combofix.exe" /nombr

See if it will run successfully now. MrC

rysktkr · June 27, 2012

That worked! Below is the log:

ComboFix 12-06-27.01 - Mark 06/27/2012 10:39:02.10.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2595 [GMT -7:00]

Running from: c:\documents and settings\Mark\desktop\ComboFix.exe

Command switches used :: /nombr

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Application Data\22500634ug8u87c8e64k6l3sf3v

c:\documents and settings\All Users\Application Data\kpI0dn6tFIoruY

c:\documents and settings\All Users\Application Data\l0gdw4nUSn3xA4

c:\documents and settings\All Users\Application Data\l0gdw4nUSn3xA4.exe

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\All Users\Application Data\TEMP\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\PostBuild.exe

c:\documents and settings\All Users\Application Data\TEMP\{324F76CC-D8DD-4D87-B77D-D4AF5E1AA7B3}\Setup.ilg

c:\documents and settings\All Users\Application Data\TEMP\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}\PostBuild.exe

c:\documents and settings\All Users\Application Data\TEMP\{B0B4F6D2-F2AE-451A-9496-6F2F6A897B32}\Setup.exe

c:\documents and settings\All Users\Application Data\TEMP\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\PostBuild.exe

c:\documents and settings\All Users\Application Data\TEMP\{E8C64028-08E5-4BF0-B1C0-DBAAC6A77DF1}\PostBuild.exe

c:\documents and settings\Mark\Application Data\Gomodu

c:\documents and settings\Mark\Application Data\Gomodu\ywnui.exe

c:\documents and settings\Mark\Application Data\Isar

c:\documents and settings\Mark\Application Data\Isar\pudy.exe

c:\documents and settings\Mark\Application Data\Soavw

c:\documents and settings\Mark\Application Data\Soavw\ockec.adl

c:\documents and settings\Mark\Desktop\Data_Recovery.lnk

c:\documents and settings\Mark\Local Settings\Application Data\ummcbzl.exe

c:\documents and settings\Mark\My Documents\~WRL1063.tmp

c:\documents and settings\Mark\My Documents\~WRL1136.tmp

c:\documents and settings\Mark\My Documents\~WRL1308.tmp

c:\documents and settings\Mark\My Documents\~WRL1422.tmp

c:\documents and settings\Mark\My Documents\~WRL2838.tmp

c:\documents and settings\Mark\My Documents\~WRL3027.tmp

c:\documents and settings\Mark\My Documents\~WRL3959.tmp

c:\documents and settings\Mark\My Documents\~WRL4047.tmp

C:\NPE.exe

c:\windows\system32\cttype.nls

c:\windows\system32\dllcache\dlimport.exe

.

((((((((((((((((((((((((( Files Created from 2012-05-27 to 2012-06-27 )))))))))))))))))))))))))))))))

.

2012-06-27 15:40 . 2012-06-27 15:40 -------- d-----w- c:\documents and settings\Mark\Application Data\Ozbuir

2012-06-27 15:40 . 2012-06-27 15:40 -------- d-----w- C:\Reg_Backup

2012-06-27 15:40 . 2012-06-27 16:08 181064 ----a-w- c:\windows\PSEXESVC.EXE

2012-06-27 15:38 . 2012-06-27 15:49 -------- d-----w- c:\documents and settings\Mark\Application Data\Taubox

2012-06-27 15:38 . 2012-06-27 15:38 -------- d-----w- c:\documents and settings\Mark\Application Data\Arpy

2012-06-27 15:38 . 2012-06-27 15:42 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs

2012-06-26 17:40 . 2012-06-26 18:06 -------- d-----w- C:\fred

2012-06-26 15:51 . 2012-06-26 15:51 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2012-06-26 14:35 . 2012-06-26 14:35 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\Google

2012-06-26 14:21 . 2012-06-26 14:21 -------- d-----w- c:\program files\Trend Micro

2012-06-26 02:30 . 2012-06-26 02:30 -------- d-----w- c:\documents and settings\Administrator.MYPC\Application Data\Malwarebytes

2012-06-26 02:28 . 2012-06-26 02:28 388096 ----a-r- c:\documents and settings\Administrator.MYPC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe

2012-06-26 02:23 . 2012-06-26 02:23 -------- d-sh--w- c:\documents and settings\Administrator.MYPC\IETldCache

2012-06-25 22:35 . 2012-06-25 22:43 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\NPE

2012-06-25 22:35 . 2012-06-25 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton

2012-06-25 15:04 . 2012-06-25 15:04 607260 ------r- C:\dds.scr

2012-06-07 18:14 . 2012-06-07 18:14 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll

2012-06-07 18:14 . 2012-06-07 18:14 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll

2012-06-05 04:49 . 2012-06-05 04:49 -------- d-----w- c:\documents and settings\Mark\Application Data\FreeArc

2012-06-05 04:46 . 2012-06-05 04:46 -------- d-----w- c:\windows\system32\3081

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-27 15:10 . 2012-05-05 16:36 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-27 15:10 . 2011-05-20 18:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-27 15:10 . 2012-05-05 17:10 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe

2012-06-02 22:19 . 2008-10-16 21:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui

2012-06-02 22:19 . 2009-04-12 00:25 329240 ----a-w- c:\windows\system32\wucltui.dll

2012-06-02 22:19 . 2009-04-12 00:25 210968 ----a-w- c:\windows\system32\wuweb.dll

2012-06-02 22:19 . 2009-04-12 00:25 219160 ----a-w- c:\windows\system32\wuaucpl.cpl

2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui

2012-06-02 22:19 . 2009-04-12 00:25 53784 ----a-w- c:\windows\system32\wuauclt.exe

2012-06-02 22:19 . 2009-04-12 00:25 35864 ----a-w- c:\windows\system32\wups.dll

2012-06-02 22:19 . 2008-10-16 21:09 45080 ----a-w- c:\windows\system32\wups2.dll

2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui

2012-06-02 22:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll

2012-06-02 22:19 . 2008-10-16 21:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui

2012-06-02 22:19 . 2009-04-12 00:25 577048 ----a-w- c:\windows\system32\wuapi.dll

2012-06-02 22:19 . 2009-04-12 00:25 1933848 ----a-w- c:\windows\system32\wuaueng.dll

2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_6.exe

2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_5.exe

2012-04-11 13:14 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-11 13:12 . 2004-08-04 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys

2012-04-11 12:35 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-04 22:56 . 2011-07-28 14:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-07 18:14 . 2012-05-14 15:38 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-17 39408]

"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"DAEMON Tools Lite"="c:\util\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392]

"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-03-09 5934712]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961]

"NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-02-23 1226024]

"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576]

"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528]

"RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336]

"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-11-18 75048]

"Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-11 3622184]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]

"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272]

"NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]

"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe" [2010-09-17 222504]

"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376]

"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440]

"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]

"36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080]

.

c:\documents and settings\Mark\Start Menu\Programs\Startup\

Check for TWS Updates.lnk - c:\program files\Jts\WiseUpdt.exe [2011-9-7 194775]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-24 113664]

Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-29 607584]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]

TotalMedia Server.lnk - c:\program files\ArcSoft\TotalMedia Theatre 5\TotalMedia Server\TM Server.exe [2011-8-17 519744]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableLinkedConnections"= 1 (0x1)

.

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system]

"DisableRegedit"= 0 (0x0)

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\ArcSoft\\TotalMedia Theatre 5\\TotalMedia Server\\TM Server.exe"=

"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"50000:UDP"= 50000:UDP:IHA_MessageCenter

.

R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?]

R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [4/11/2009 5:49 PM 113904]

R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [6/27/2009 9:53 AM 96512]

R1 ArcSec;archlp;c:\windows\system32\drivers\ArcSec.sys [9/21/2010 9:10 AM 192504]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]

R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [4/11/2009 5:49 PM 79616]

R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/24 13:54];c:\program files\Cyberlink\PowerDVD10\NavFilter\000.fcl [11/17/2010 9:29 PM 87536]

R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/31 16:45];c:\program files\Cyberlink\PowerDVD9\000.fcl [3/30/2009 5:53 PM 87536]

R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [11/18/2010 3:58 PM 20328]

R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 4:02 PM 335888]

R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672]

R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [2/18/2010 3:01 PM 462632]

R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/22/2011 4:52 PM 2214504]

R2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\x86\rainfo.sys [4/17/2007 2:00 PM 12992]

R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;c:\windows\system32\drivers\RARfsDriver.sys [4/4/2010 8:20 AM 46000]

R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4/11/2009 5:49 PM 1990656]

R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960]

R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120]

R2 StorageCraft Image Manager;StorageCraft Image Manager;c:\program files\StorageCraft\ImageManager\ImageManager.exe [10/24/2007 3:26 PM 69632]

R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640]

R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [5/29/2009 10:02 AM 66944]

R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [4/11/2009 5:49 PM 61952]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/7/2012 7:20 PM 106656]

R3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [4/17/2007 2:00 PM 10168]

R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [6/25/2010 12:43 AM 6272]

R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [6/25/2010 12:43 AM 500480]

S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl --> c:\program files\PowerDVD8\PowerDVD8\000.fcl [?]

S2 gupdate1ca0bc6b51516ae;Google Update Service (gupdate1ca0bc6b51516ae);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104]

S2 StorageCraft Image Manager32;StorageCraft Image Manager ;c:\windows\system32\ntsdexts32.exe --> c:\windows\system32\ntsdexts32.exe [?]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/5/2012 9:36 AM 250056]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [8/11/2009 8:45 AM 1684736]

S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/7/2011 9:11 AM 13192]

S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/7/2011 9:11 AM 8456]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104]

S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/26/2012 8:51 AM 40776]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/14/2012 8:38 AM 113120]

S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/26/2009 9:59 PM 47360]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]

S4 RARfsClientNP;RARfsClientNP; [x]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]

2009-03-08 12:32 128512 ----a-w- c:\windows\system32\advpack.dll

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-27 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 15:10]

.

2012-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34]

.

2012-06-26 c:\windows\Tasks\At1.job

- c:\windows\system32\rasphonne.exe [2004-08-04 00:12]

.

2012-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52]

.

2012-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52]

.

2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003Core.job

- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37]

.

2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003UA.job

- c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37]

.

2012-06-27 c:\windows\Tasks\User_Feed_Synchronization-{A7972C66-43AF-4964-A40E-32D2946479FE}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 12:31]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8

IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html

IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html

Trusted Zone: intuit.com\ttlc

TCP: DhcpNameServer = 192.168.1.1

DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab

FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\p5oo56mt.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q=

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

HKCU-Run-Codexii - c:\documents and settings\Mark\Application Data\Gomodu\ywnui.exe

AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Mark\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-06-27 11:27

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

c:\windows\system32\wuauclt.exe [3576] 0x8722E020

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl"

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"

.

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]

"ImagePath"="\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\S-1-5-21-1960408961-1303643608-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(820)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\RARfsClientNP.dll

.

- - - - - - - > 'lsass.exe'(876)

c:\windows\system32\RARfsClientNP.dll

.

Completion time: 2012-06-27 11:44:40

ComboFix-quarantined-files.txt 2012-06-27 18:44

ComboFix2.txt 2011-12-20 00:00

.

Pre-Run: 223,872,761,856 bytes free

Post-Run: 238,820,614,144 bytes free

.

- - End Of File - - 481BF3507BE7909831EB576D9B18FEAC

MrCharlie · June 27, 2012

Enable Hidden files:

http://www.howtogeek...-folders-in-xp/

I believe these are all malware related, take a look and if you don't recognize them or they're empty...please delete them:

c:\documents and settings\Mark\Application Data\Ozbuir

c:\documents and settings\Mark\Application Data\Taubox

c:\documents and settings\Mark\Application Data\Arpy

-------------------------------------------

See if you can run ComboFix in regular mode now.

MrC

rysktkr · June 28, 2012

Unfortunately, running combofix in normal mode it hung the computer. Before it hung, a dialog box appeared saying I was infected with zeroaccess infection.

rysktkr · June 28, 2012

Also, how do i prevent this from spreading to other PCs on my home network. Daughter's laptop and HTPC I have found infections with similiar symptoms. They both accessed shared drive on zeroaccess infected computer (the one we are working on this thread). My wifes computer is clean, at least as far as MWB and eset scans. She hasn't accessed infected computer. I'm guessing the answer is to turn off sharing until all computers are clean?

MrCharlie · June 28, 2012

Also, how do i prevent this from spreading to other PCs on my home network. Daughter's laptop and HTPC I have found infections with similiar symptoms. They both accessed shared drive on zeroaccess infected computer (the one we are working on this thread). My wifes computer is clean, at least as far as MWB and eset scans. She hasn't accessed infected computer. I'm guessing the answer is to turn off sharing until all computers are clean?

Yes and don't use any pen drives from computer to computer.

------------------------------

Did you run ComboFix like this as we did before: (in normal mode)

"%userprofile%\desktop\combofix.exe" /nombr

MrC

rysktkr · June 28, 2012

Prior to your last post reran in normal mode just as normal combofix. After reading your last post reran "%userprofile%\desktop\combofix.exe" /nombr in normal mode and was successful. Here is the log:

ComboFix 12-06-27.01 - Mark 06/28/2012 8:40.11.4 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2506 [GMT -7:00]

Running from: c:\documents and settings\Mark\desktop\ComboFix.exe

Command switches used :: /nombr

AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}

.

((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-28 )))))))))))))))))))))))))))))))