Can't Run Mbam, access blocked, loseing control.

[Chgallos]

Like many other people here, after installing (or re-installing) Mbam, it will run for a few seconds and then disapear. If I attempt to run it again, it says I don't have permission. I have attempted to run it in safe mode hoping to duplicate the success of others, but I have not been successful. I have no idea what this infection is, but it has disabled everything that I have attempted to install to get rid of it (Ad-aware, HiJackThis, Spybot, etc.). My virus protection seems to be working still (eTrust EZ Antivirus), but I don't have much faith in it's protective abilities since this infection slip in under it's nose.

I am a total loss as to what to do at this point. Any help is greatly appreciated.

[screen317]

Hi and welcome to Malwarebytes.

Please do not post multiple topics for the same issue. There are hundreds of people who have posted before you. I will close your second topic.

Please update MBAM, run a Quick Scan, and post its log.

After that, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

• When the tool is finished, it will produce a report for you.
  
• Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
  

-screen317

[Chgallos]

Sorry for being impatient.

I re-installed MBAM and ran it. Like before, it ran for about 2 seconds and then vanished. No log to post other than the old one from the 19th.

When I attempted to run ComboFix it gave me an application error (0xc0000142). I took a screenshot of the first one. Right after that there was another one that looked just like it, but before I could get a screen shot the Blue Screen of Death did a memory dump and reset my computer for me.

I tried ComboFix again, thinking that maybe it was the screenshot that caused the problem, but it only ran for a few seconds more before BSoD. I briefly read the bit about it taking 10 minutes (or double) that time. There is no C:\ComboFix.txt file.

I doubt the screenshot will be useful, so I will post the old log that I have from a few days ago. Back then I was just getting my browser hijacked.

Malwarebytes' Anti-Malware 1.40

Database version: 2657

Windows 5.1.2600 Service Pack 3

8/19/2009 10:34:47 AM

mbam-log-2009-08-19 (10-34-47).txt

Scan type: Quick Scan

Objects scanned: 102311

Time elapsed: 4 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 6

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 11

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:

HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.

HKEY_USERS\S-1-5-18\SOFTWARE\Windows antiVirus pro (Rogue.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Potter House\Local Settings\Temp\UAC557.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Potter House\Local Settings\Temp\mwexacorsn.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Potter House\Local Settings\Temp\nemxowrcsa.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\h@tkeysh@@k.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\onhelp.htm (Rogue.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACvthalkmivd.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\UACafmuvijnsv.sys (Trojan.Agent) -> Quarantined and deleted successfully.

[screen317]

Hi,

Delete your copy of ComboFix. Download it from here instead.

If that doesn't run, do this instead.

Please download Win32kDiag.exe by AD to your Desktop. Double click on it. It will make a diagnostic and produce a report on the desktop. Post that report on your next reply:

-screen317

[Chgallos]

I get a 404 error when trying to get ComboFix from the "here" link. Not sure if that is my machine or a typo on the post (or whatever). I will try using the second program.

[Chgallos]

Here is the Win32kDiag report:

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-10 04:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\system32\dumprep.exe ()

[1] 2004-08-10 04:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 04:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 04:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Finished!

[screen317]

Hi,

Please delete your copy of Win32kDiag.

Please save this file to your Desktop. Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with Notepad and post the contents here.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Restart your computer, and see if ComboFix (rename it to anything else besides ComboFix before you download it to your Desktop) will run.

-screen317

[Chgallos]

I didn't delete the old log, but assuming that it wrote over it here is the new one.

Log file is located at: C:\Documents and Settings\Potter House\Desktop\Win32kDiag.txt

Removing all found mount points.

Attempting to reset file permissions.

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB904706\KB904706

Found mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB912945\KB912945

Found mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB920213\KB920213

Found mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB924496\KB924496

Found mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB931784\KB931784

Found mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB932168\KB932168

Found mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB938127\KB938127

Found mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB941568\KB941568

Found mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB942615\KB942615

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Found mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB944338\KB944338

Found mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Mount point destination : \Device\__max++>\^

Removing mount point : C:\WINDOWS\$hf_mig$\KB947864\KB947864

Cannot access: C:\WINDOWS\system32\dumprep.exe

Attempting to restore permissions of : C:\WINDOWS\system32\dumprep.exe

[1] 2004-08-10 04:00:00 10752 C:\WINDOWS\$NtServicePackUninstall$\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\ServicePackFiles\i386\dumprep.exe (Microsoft Corporation)

[1] 2008-04-13 17:12:18 10752 C:\WINDOWS\system32\dumprep.exe (Microsoft Corporation)

[1] 2004-08-10 04:00:00 10752 C:\i386\dumprep.exe (Microsoft Corporation)

Cannot access: C:\WINDOWS\system32\eventlog.dll

Attempting to restore permissions of : C:\WINDOWS\system32\eventlog.dll

[1] 2004-08-10 04:00:00 55808 C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 56320 C:\WINDOWS\ServicePackFiles\i386\eventlog.dll (Microsoft Corporation)

[1] 2008-04-13 17:11:53 62464 C:\WINDOWS\system32\eventlog.dll ()

[2] 2008-04-13 17:11:53 56320 C:\WINDOWS\system32\logevent.dll (Microsoft Corporation)

[1] 2004-08-10 04:00:00 55808 C:\i386\eventlog.dll (Microsoft Corporation)

Finished!

[Chgallos]

I tried restarting and downloading ComboFix again. Named it LilBunnyCF.exe. Ran for a while ... maybe 2-3 minutes. No error screens this time. It just vanished. Tried a second time ... maybe 20 seconds then vanished. Just to see what would happen I deleted it, restarted and downloaded again. This time named as MiddleFingerCF.exe. That time it might have been the same 20 seconds, but may have been less. I dont see any reports/log on my desktop or C:.

Hope this new info means something to you. I appreciate your help.

[screen317]

Hi Chgallos,

Click Start --> Run, and enter the following command:

cmd /c copy C:\WINDOWS\ServicePackFiles\i386\eventlog.dll "C:\Documents and Settings\All Users"

Next, we need to execute an Avenger2 script.

Note to users reading this topic! This script was created specifically for the particular infection on this specific machine! If you are not this user, do NOT follow these directions as they could damage the workings of your system.

1. Please download The Avenger2 by SwanDog46.
   
2. Unzip avenger.exe to your desktop.
   
3. Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy"
   

   Files to move:
   C:\Documents and Settings\All Users\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

   
   

4. Now start The Avenger2 by double clicking avenger.exe on your desktop.
   
5. Read the prompt that appears, and press OK.
   
6. Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".
   
7. Press the "Execute" button.
   
8. You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.
   Note: It is possible that Avenger will reboot your system TWICE.
   
9. Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open. Please paste that log here in your next post.
   

Next, try ComboFix.

-screen317

[Chgallos]

Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "aqtv986q" found!

Start Type: 3 (Manual)

Rootkit scan completed.

File move operation "C:\Documents and Settings\All Users\eventlog.dll|C:\WINDOWS\system32\eventlog.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.

[Chgallos]

When I run combofix it shows me the "this may take 10 minutes" screen and then BSoD.

[Chgallos]

Just to see what would happen I reinstalled and ran MBAM. It RAN!!!

Found 40 infected items. It says I need to restart, but I wanted to post the log first:

Malwarebytes' Anti-Malware 1.40

Database version: 2700

Windows 5.1.2600 Service Pack 3

8/26/2009 10:19:40 AM

mbam-log-2009-08-26 (10-19-40).txt

Scan type: Quick Scan

Objects scanned: 110465

Time elapsed: 5 minute(s), 57 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 2

Files Infected: 37

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\IEToolbar\Bullseye Tool Bar (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\runit (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:

C:\dxis.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\qtowjid.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\tqbckpxd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\veyakmpb.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\wgkorh.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\kbiwkmqrodeagu.dll (Rootkit.TDSS) -> Delete on reboot.

C:\WINDOWS\system32\vdut.exe (Adware.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tapi.nfo (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Quarantined and deleted successfully.

C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\6VJRVWYP\unkbo[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\6VJRVWYP\20090817043818[1].exe (Trojan.TDSS) -> Quarantined and deleted successfully.

C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\7IZXRAHZ\hvfjj[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\7IZXRAHZ\zftxxb[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\DWEK1AS2\fvoogxxl[1].txt (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\Documents and Settings\Potter House\Local Settings\Temporary Internet Files\Content.IE5\DWEK1AS2\jtdhyccuu[1].htm (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\ukms35315.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\dnavt3507.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

C:\WINDOWS\iqpb8002.exe (Trojan.Clicker) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\basis.xml (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\date2.html (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\icons.bmp (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\info.txt (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\lw.crc (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\lw.dll (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\lwpopper.html (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\popper3.html (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\popup1.html (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\popup2.html (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\tbhelper.dll (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\uninstall.exe (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\version.txt (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\IEToolbar\Bullseye Tool Bar\your_logo.png (Adware.BullseyeToolbar) -> Quarantined and deleted successfully.

C:\Program Files\runit\config.txt (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Program Files\runit\runitu_32.exe (Trojan.Agent) -> Quarantined and deleted successfully.

C:\Documents and Settings\Potter House\Start Menu\Programs\Startup\runit_32.lnk (Rogue.Link) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\UACiemygmnbyd.dll (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\UACmxbywcbwsa.sys (Trojan.Agent) -> Quarantined and deleted successfully.

[Chgallos]

When I attempt to run ComboFix I still get the Blue Screen of Death every time. I uninstalled, re-downloaded and re-installed HiJackThis and it ran for the first time. I will post the log of that also. MBAM says the sytem is now clean, but it is still running much slower than before the infection. I just want to make sure that everything is clean before I go on my merry way.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:38:32 AM, on 8/26/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\CTsvcCDA.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

D:\Program Files\eTrust\eTrust EZ Antivirus\VetMsg.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe

C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe

C:\Program Files\Windows Defender\MSASCui.exe

D:\Program Files\eTrust\caissdt.exe

D:\Program Files\eTrust\eTrust EZ Antivirus\CAVTray.exe

D:\Program Files\eTrust\eTrust EZ Antivirus\CAVRID.exe

C:\WINDOWS\CTHELPER.EXE

C:\WINDOWS\system32\CTXFIHLP.EXE

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\stsystra.exe

C:\WINDOWS\SYSTEM32\CTXFISPI.EXE

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.angelfire.com/wa3/potterhouse/uberpage.mht

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r

O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [CaISSDT] "D:\Program Files\eTrust\caissdt.exe"

O4 - HKLM\..\Run: [CaAvTray] "D:\Program Files\eTrust\eTrust EZ Antivirus\CAVTray.exe"

O4 - HKLM\..\Run: [CAVRID] "D:\Program Files\eTrust\eTrust EZ Antivirus\CAVRID.exe"

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sigmatelSysTrayApp] stsystra.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {64D01C7F-810D-446E-A07E-456746835644} (AtlBoxWordCtlAttrib Class) - http://uk.games.myspace.com/gameshell/game...n/abcisland.cab

O16 - DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} (GoBit Games Player) - http://www.shockwave.com/content/burgersho...esPlayer_v5.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/shock...ash/swflash.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave.com/content/bejeweled...ploader_v10.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Lavasoft Ad-Aware Service - Unknown owner - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - D:\Program Files\eTrust\eTrust EZ Antivirus\VetMsg.exe

--

End of file - 9523 bytes

[screen317]

Hi,

What does the BSoD say when you run ComboFix?

Try deleting your copy, grabbing the latest version and trying again.

If no joy, please run a GMER Rootkit scan:

Download GMER's application from here:

http://www.gmer.net/gmer.zip

Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

Next, download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post please post the one that is not minimized.

-screen317

[Chgallos]

I've attached a camera pic of the BSoD that I got after deleting and re-downloading (from your link). The short version is: something attempted to write to read-only memory. Make sure new hard/software is properly installed and updated.

I'm not savvy enough to fully understand what bios caching or shadowing has to do with this problem.

I will run GMER.

[Chgallos]

I ran GMER. It took a while. Here is the outcome:

GMER 1.0.15.15077 [gmer.exe] - http://www.gmer.net

Rootkit scan 2009-08-27 01:45:55

Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

INT 0x63 ? 8AEC1BF8

INT 0x73 ? 8AEC1BF8

INT 0x83 ? 8AEC1BF8

Code 897DEF08 ZwEnumerateKey

Code 897AFE80 ZwFlushInstructionCache

Code 8994325E ZwSaveKey

Code 8980DEDE ZwSaveKeyEx

Code 894AD12E IofCallDriver

Code 89E73026 IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EF1A6 5 Bytes JMP 894AD133

.text ntkrnlpa.exe!IofCompleteRequest 804EF236 5 Bytes JMP 89E7302B

? spui.sys The system cannot find the file specified. !

.text USBPORT.SYS!DllUnload B8CB08AC 5 Bytes JMP 8AC251D8

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[460] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 01121B19 C:\WINDOWS\system32\mssrch.dll (mssrch.lib/Microsoft Corporation)

.text C:\WINDOWS\Explorer.EXE[2628] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00B7000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [b9EA8042] spui.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [b9EA813E] spui.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [b9EA80C0] spui.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [b9EA8800] spui.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [b9EA86D6] spui.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AEC01F8

Device \Driver\USB_RNDIS \Device\{2A28D736-6915-4867-BAF8-20FA45C84550} RNDISMP.SYS (Remote NDIS Miniport/Microsoft Corporation)

Device \Driver\usbohci \Device\USBPDO-0 8AC241F8

Device \Driver\sptd \Device\166299352 spui.sys

Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AEC21F8

Device \Driver\dmio \Device\DmControl\DmConfig 8AEC21F8

Device \Driver\dmio \Device\DmControl\DmPnP 8AEC21F8

Device \Driver\dmio \Device\DmControl\DmInfo 8AEC21F8

Device \Driver\usbehci \Device\USBPDO-1 8AC181F8

Device \Driver\PCI_PNP6852 \Device\00000055 spui.sys

Device \Driver\Ftdisk \Device\HarddiskVolume1 8AE4F1F8

Device \Driver\Ftdisk \Device\HarddiskVolume2 8AE4F1F8

Device \Driver\Cdrom \Device\CdRom0 8AC0B1F8

Device \Driver\Cdrom \Device\CdRom1 8AC0B1F8

Device \Driver\Ftdisk \Device\HarddiskVolume3 8AE4F1F8

Device \Driver\Ftdisk \Device\HarddiskVolume4 8AE4F1F8

Device \Driver\USBSTOR \Device\00000080 88A41500

Device \Driver\USBSTOR \Device\00000081 88A41500

Device \Driver\USBSTOR \Device\00000082 88A41500

Device \Driver\NetBT \Device\NetBt_Wins_Export 8A935500

Device \Driver\USBSTOR \Device\00000084 88A41500

Device \Driver\USBSTOR \Device\00000078 88A41500

Device \Driver\NetBT \Device\NetbiosSmb 8A935500

Device \Driver\usbohci \Device\USBFDO-0 8AC241F8

Device \Driver\usbehci \Device\USBFDO-1 8AC181F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A937500

Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A937500

Device \Driver\Ftdisk \Device\FtControl 8AE4F1F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{2A28D736-6915-4867-BAF8-20FA45C84550} 8A935500

Device \Driver\USBSTOR \Device\0000007e 88A41500

Device \Driver\USBSTOR \Device\0000007f 88A41500

Device \Driver\aru4bnoq \Device\Scsi\aru4bnoq1Port5Path0Target0Lun0 8ABB61F8

Device \Driver\aru4bnoq \Device\Scsi\aru4bnoq1 8ABB61F8

Device \FileSystem\Fastfat \Fat 8AAEC500

Device \FileSystem\Fastfat \Fat AD901297

Device \FileSystem\Cdfs \Cdfs 88B91500

Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS (Drive Letter Access Component/Sonic Solutions)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\kbiwkmtoggyseb.sys (*** hidden *** ) [sYSTEM] kbiwkmmuvudfbi <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi@start 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi@type 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi@group file system

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi@imagepath \systemroot\system32\drivers\kbiwkmtoggyseb.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main@aid 10002

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main@sid 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main@cmddelay 14400

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main\delete

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main\injector

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main\injector@* kbiwkmwsp.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\main\tasks

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmtoggyseb.sys

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqrodeagu.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmvxssqgvo.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmohexwxej.dll

Reg HKLM\SYSTEM\CurrentControlSet\Services\kbiwkmmuvudfbi\modules@kbiwkm.dat \systemroot\system32\kbiwkmvmyqvxew.dat

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9B 0x01 0xB4 0x2A ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC1 0x5D 0xC3 0xCE ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x80 0xC9 0x43 0x80 ...

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0x07 0xA2 0x27 ...

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi@start 1

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi@type 1

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi@group file system

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi@imagepath \systemroot\system32\drivers\kbiwkmtoggyseb.sys

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main@aid 10002

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main@sid 1

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main@cmddelay 14400

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main\delete (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main\injector (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main\injector@* kbiwkmwsp.dll

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\main\tasks (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules@kbiwkmrk.sys \systemroot\system32\drivers\kbiwkmtoggyseb.sys

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules@kbiwkmcmd.dll \systemroot\system32\kbiwkmqrodeagu.dll

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules@kbiwkmlog.dat \systemroot\system32\kbiwkmvxssqgvo.dat

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules@kbiwkmwsp.dll \systemroot\system32\kbiwkmohexwxej.dll

Reg HKLM\SYSTEM\ControlSet002\Services\kbiwkmmuvudfbi\modules@kbiwkm.dat \systemroot\system32\kbiwkmvmyqvxew.dat

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9B 0x01 0xB4 0x2A ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xC1 0x5D 0xC3 0xCE ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x80 0xC9 0x43 0x80 ...

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0x07 0xA2 0x27 ...

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}@oanhccajkkpbaobmmafebgpgoaohne 0x64 0x61 0x6E 0x62 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}@oajhgelahcijbiomgfdpodbkbedeap 0x6B 0x61 0x61 0x63 ...

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}@napgablpacflgkjnjmdlokjfcehn 0x6B 0x61 0x61 0x63 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F459.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45A.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45B.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45C.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45D.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45E.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS0F45F.log 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.ci 0 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.dir 0 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001C.wid 0 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.ci 73728 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001D.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.ci 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001E.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.ci 86016 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.ci 0 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid 0 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.ci 32768 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.ci 102400 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.ci 36864 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.ci 73728 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010020.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010023.ci 290816 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010023.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010023.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010025.ci 151552 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010025.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010025.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010026.ci 73728 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010026.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010026.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010027.ci 73728 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010027.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010027.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010029.ci 163840 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010029.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010029.wid 65536 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002A.ci 131072 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002A.dir 4096 bytes

File C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001002A.wid 65536 bytes

File C:\WINDOWS\system32\kbiwkmohexwxej.dll 19968 bytes executable

File C:\WINDOWS\system32\kbiwkmqrodeagu.dll 45056 bytes executable

File C:\WINDOWS\system32\kbiwkmvmyqvxew.dat 91 bytes

File C:\WINDOWS\system32\kbiwkmvxssqgvo.dat 56232 bytes

File C:\WINDOWS\system32\drivers\kbiwkmtoggyseb.sys 71168 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----

[Chgallos]

Niether log was minimized. I will post the one that was in front. If it is the wrong one (as I suspect it might be, since it says not to post it) then let me know. I will save both of them.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-07-30.01)

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume2

Install Date: 4/15/2008 7:37:52 AM

System Uptime: 8/26/2009 11:17:19 PM (2 hours ago)

Motherboard: Dell Inc. | | 0UY253

Processor: Intel® Core2 Quad CPU @ 2.40GHz | Microprocessor | 2394/1066mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 293 GiB total, 171.528 GiB free.

D: is FIXED (NTFS) - 149 GiB total, 30.336 GiB free.

E: is CDROM ()

F: is CDROM ()

G: is Removable

H: is Removable

I: is Removable

J: is Removable

K: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}

Description: Broadcom NetXtreme 57xx Gigabit Controller

Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_02071028&REV_21\4&3601BAE0&0&0028

Manufacturer: Broadcom

Name: Broadcom NetXtreme 57xx Gigabit Controller

PNP Device ID: PCI\VEN_14E4&DEV_1677&SUBSYS_02071028&REV_21\4&3601BAE0&0&0028

Service: b57w2k

Class GUID: {4D36E96C-E325-11CE-BFC1-08002BE10318}

Description: Microsoft Kernel DLS Synthesizer

Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC

Manufacturer: Microsoft

Name: Microsoft Kernel DLS Synthesizer

PNP Device ID: SW\{8C07DD50-7A8D-11D2-8F8C-00C04FBF8FEF}\DMUSIC

Service: DMusic

==== System Restore Points ===================

RP537: 8/18/2009 10:12:37 AM - System Checkpoint

RP538: 8/18/2009 10:12:38 AM - System Checkpoint

RP539: 8/18/2009 10:12:39 AM - Software Distribution Service 3.0

RP540: 8/18/2009 10:12:39 AM - System Checkpoint

RP541: 8/18/2009 10:12:40 AM - System Checkpoint

RP542: 8/18/2009 10:12:40 AM - System Checkpoint

RP543: 8/18/2009 10:12:41 AM - Software Distribution Service 3.0

RP544: 8/18/2009 10:12:42 AM - System Checkpoint

RP545: 8/18/2009 10:12:43 AM - Installed Google SketchUp 7

RP546: 8/18/2009 10:12:43 AM - Removed Google SketchUp 6

RP547: 8/18/2009 10:12:44 AM - Removed Google SketchUp 6

RP548: 8/18/2009 10:12:44 AM - System Checkpoint

RP549: 8/18/2009 10:12:45 AM - Software Distribution Service 3.0

RP550: 8/18/2009 10:12:46 AM - System Checkpoint

RP551: 8/18/2009 10:12:47 AM - System Checkpoint

RP552: 8/18/2009 10:12:48 AM - System Checkpoint

RP553: 8/18/2009 10:12:48 AM - System Checkpoint

RP554: 8/18/2009 10:12:50 AM - Software Distribution Service 3.0

RP555: 8/18/2009 10:12:51 AM - System Checkpoint

RP556: 8/18/2009 10:12:52 AM - System Checkpoint

RP557: 8/18/2009 10:12:52 AM - Software Distribution Service 3.0

RP558: 8/18/2009 10:12:53 AM - Removed BioShock

RP559: 8/18/2009 10:12:54 AM - Removed Star Wars: Empire at War

RP560: 8/18/2009 10:12:55 AM - System Checkpoint

RP561: 8/18/2009 10:12:55 AM - System Checkpoint

RP562: 8/18/2009 10:12:55 AM - System Checkpoint

RP563: 8/18/2009 10:12:56 AM - Software Distribution Service 3.0

RP564: 8/18/2009 10:12:57 AM - System Checkpoint

RP565: 8/18/2009 10:12:57 AM - System Checkpoint

RP566: 8/18/2009 10:12:57 AM - Software Distribution Service 3.0

RP567: 8/18/2009 10:12:58 AM - System Checkpoint

RP568: 8/18/2009 10:12:59 AM - Software Distribution Service 3.0

RP569: 8/18/2009 10:12:59 AM - Software Distribution Service 3.0

RP570: 8/18/2009 10:13:00 AM - System Checkpoint

RP571: 8/18/2009 10:13:01 AM - System Checkpoint

RP572: 8/18/2009 10:13:01 AM - Software Distribution Service 3.0

RP573: 8/18/2009 10:13:02 AM - System Checkpoint

RP574: 8/18/2009 10:13:03 AM - System Checkpoint

RP575: 8/18/2009 10:13:05 AM - Software Distribution Service 3.0

RP576: 8/18/2009 10:13:05 AM - System Checkpoint

RP577: 8/18/2009 10:13:06 AM - System Checkpoint

RP578: 8/18/2009 10:13:06 AM - System Checkpoint

RP579: 8/18/2009 10:13:07 AM - Software Distribution Service 3.0

RP580: 8/18/2009 10:13:09 AM - System Checkpoint

RP581: 8/18/2009 10:13:10 AM - System Checkpoint

RP582: 8/18/2009 10:13:11 AM - System Checkpoint

RP583: 8/18/2009 10:13:13 AM - Software Distribution Service 3.0

RP584: 8/18/2009 10:13:14 AM - SPTD setup V1.58

RP585: 8/18/2009 10:13:14 AM - Installed DirectX

RP586: 8/18/2009 10:13:15 AM - Installed %1 %2.

RP587: 8/18/2009 10:13:16 AM - Printer Driver Microsoft XPS Document Writer Installed

RP588: 8/18/2009 10:13:17 AM - Installed %1 %2.

RP589: 8/18/2009 10:13:17 AM - Printer Driver Microsoft XPS Document Writer Installed

RP590: 8/18/2009 10:13:18 AM - Installed DirectX

RP591: 8/18/2009 10:13:19 AM - System Checkpoint

RP592: 8/18/2009 10:13:20 AM - System Checkpoint

RP593: 8/18/2009 10:13:20 AM - System Checkpoint

RP594: 8/18/2009 10:13:21 AM - Software Distribution Service 3.0

RP595: 8/18/2009 10:13:22 AM - System Checkpoint

RP596: 8/18/2009 10:13:23 AM - System Checkpoint

RP597: 8/18/2009 10:13:23 AM - Installed DirectX

RP598: 8/18/2009 10:13:24 AM - Software Distribution Service 3.0

RP599: 8/18/2009 10:13:25 AM - Software Distribution Service 3.0

RP600: 8/18/2009 10:13:26 AM - System Checkpoint

RP601: 8/18/2009 10:13:26 AM - System Checkpoint

RP602: 8/18/2009 10:13:26 AM - System Checkpoint

RP603: 8/18/2009 10:13:27 AM - Software Distribution Service 3.0

RP604: 8/18/2009 10:13:27 AM - Software Distribution Service 3.0

RP605: 8/18/2009 10:13:28 AM - System Checkpoint

RP606: 8/18/2009 10:13:28 AM - System Checkpoint

RP607: 8/18/2009 10:13:29 AM - Software Distribution Service 3.0

RP608: 8/18/2009 10:13:29 AM - System Checkpoint

RP609: 8/18/2009 10:13:30 AM - System Checkpoint

RP610: 8/18/2009 10:13:31 AM - System Checkpoint

RP611: 8/18/2009 10:13:31 AM - Software Distribution Service 3.0

RP612: 8/18/2009 10:13:32 AM - System Checkpoint

RP613: 8/18/2009 10:13:32 AM - System Checkpoint

RP614: 8/18/2009 10:13:33 AM - Software Distribution Service 3.0

RP615: 8/18/2009 10:13:33 AM - Software Distribution Service 3.0

RP616: 8/18/2009 10:13:34 AM - System Checkpoint

RP617: 8/18/2009 10:13:34 AM - System Checkpoint

RP618: 8/18/2009 10:13:34 AM - System Checkpoint

RP619: 8/18/2009 10:13:35 AM - Software Distribution Service 3.0

RP620: 8/18/2009 10:13:35 AM - System Checkpoint

RP621: 8/18/2009 10:13:35 AM - Software Distribution Service 3.0

RP622: 8/18/2009 10:13:36 AM - Software Distribution Service 3.0

RP623: 8/18/2009 10:13:36 AM - Software Distribution Service 3.0

RP624: 8/18/2009 10:13:37 AM - System Checkpoint

RP625: 8/18/2009 10:13:37 AM - System Checkpoint

RP626: 8/18/2009 10:13:38 AM - System Checkpoint

RP627: 8/18/2009 10:13:38 AM - Software Distribution Service 3.0

RP628: 8/18/2009 10:13:38 AM - System Checkpoint

RP629: 8/18/2009 10:13:38 AM - System Checkpoint

RP630: 8/18/2009 10:13:39 AM - Software Distribution Service 3.0

RP631: 8/18/2009 10:13:39 AM - Software Distribution Service 3.0

RP632: 8/18/2009 10:13:39 AM - Software Distribution Service 3.0

RP633: 8/18/2009 10:13:40 AM - System Checkpoint

RP634: 8/18/2009 10:13:40 AM - System Checkpoint

RP635: 8/18/2009 10:13:40 AM - System Checkpoint

RP636: 8/18/2009 10:13:41 AM - Software Distribution Service 3.0

RP637: 8/18/2009 10:13:41 AM - System Checkpoint

RP638: 8/18/2009 10:13:41 AM - System Checkpoint

RP639: 8/18/2009 10:13:41 AM - Software Distribution Service 3.0

RP640: 8/18/2009 10:13:41 AM - System Checkpoint

RP641: 8/18/2009 10:13:42 AM - System Checkpoint

RP642: 8/18/2009 10:13:42 AM - System Checkpoint

RP643: 8/18/2009 10:13:42 AM - Software Distribution Service 3.0

RP644: 8/18/2009 10:13:42 AM - System Checkpoint

RP645: 8/18/2009 10:13:43 AM - System Checkpoint

RP646: 8/18/2009 10:13:43 AM - Software Distribution Service 3.0

RP647: 8/18/2009 10:13:43 AM - System Checkpoint

RP648: 8/18/2009 10:13:43 AM - System Checkpoint

RP649: 8/18/2009 10:13:44 AM - Software Distribution Service 3.0

RP650: 8/18/2009 10:13:44 AM - System Checkpoint

RP651: 8/18/2009 10:13:44 AM - Software Distribution Service 3.0

RP652: 8/21/2009 1:34:33 PM - Windows Defender Checkpoint

RP653: 8/21/2009 4:58:10 PM - Printer Driver Microsoft XPS Document Writer Installed

==== Installed Programs ======================

[screen317]

Hi,

Run GMER again.

Right click this entry:

Service C:\WINDOWS\system32\drivers\kbiwkmtoggyseb.sys (*** hidden *** ) [sYSTEM] kbiwkmmuvudfbi <-- ROOTKIT !!!

Click Disable Service. Answer yes to any prompts. Click Delete Service and answer yes to any prompts. Click Kill File and press yes to any prompts.

Delete your copy of ComboFix, download it, save it to your Desktop, then try running it.

-screen317

[Chgallos]

Wow. It worked. Here is the combofix log. Near the top there is a list of all the names I re-named ComboFix (ComboHyphenFix, NoJoke, MiddleFingerCF, ect.). I never noticed those files before because I was looking for a txt file.

After running the program I got a phone call and when I came back I could see my wallpaper, but none of my icons or start menu or anthing (like explorer crashed or it was restarting). I waited a few minutes and nothing was happening, so I manually turned off and back on. After bootup combofix had a window up and eventually gave me a log. I hope that I was not just being impatient again.

Anyway, here is the Combofix Log:

ComboFix 09-08-27.A3 - Potter House 08/28/2009 11:07.1.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2510 [GMT -7:00]

Running from: c:\documents and settings\Potter House\Desktop\CampingFox.exe

AV: eTrust EZ Antivirus *On-access scanning disabled* (Updated) {17CFD1EA-56CF-40B5-A06B-BD3A27397C93}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\docume~1\POTTER~1\LOCALS~1\Temp\1.wmv

c:\program files\IEToolbar

c:\windows\Downloaded Program Files\popcaploader.dll

c:\windows\Downloaded Program Files\popcaploader.inf

c:\windows\Downloaded Program Files\Temp

c:\windows\Fonts\AcadEref.ttf

c:\windows\Fonts\ZWAdobeF.TTF

c:\windows\Installer\8dc30.msp

c:\windows\Installer\d75ae81.msi

c:\windows\Installer\e018a9e.msp

c:\windows\kb913800.exe

c:\windows\lcggg0805.exe

c:\windows\system32\drivers\kbiwkmtoggyseb.sys

c:\windows\system32\kbiwkmientrdmx.dll

c:\windows\system32\kbiwkmnsfoowyr.dat

c:\windows\system32\kbiwkmohexwxej.dll

c:\windows\system32\kbiwkmpfuxtstp.dll

c:\windows\system32\kbiwkmqrodeagu.dll

c:\windows\system32\kbiwkmvmyqvxew.dat

c:\windows\system32\kbiwkmvxompdwf.dat

c:\windows\system32\kbiwkmvxssqgvo.dat

c:\windows\winhelp.ini

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_NPF

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))

.

2009-08-28 15:45 . 2009-08-28 15:48 -------- d-s---w- C:\Comb-Fox

2009-08-27 16:41 . 2009-07-03 14:49 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-08-27 16:05 . 2009-07-03 14:49 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-08-27 16:05 . 2009-08-27 16:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

2009-08-27 16:05 . 2009-07-08 17:28 2920112 -c--a-w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}\Ad-AwareAE.exe

2009-08-27 16:05 . 2009-08-27 16:05 -------- d-----w- c:\program files\Lavasoft

2009-08-27 04:56 . 2009-08-27 04:58 -------- d-s---w- C:\ComboHyphenFix

2009-08-26 18:28 . 2009-08-26 18:30 -------- d-s---w- C:\NoJoke

2009-08-26 15:45 . 2009-08-26 15:46 -------- d-s---w- C:\MiddleFingerCF

2009-08-25 16:02 . 2009-08-25 16:03 -------- d-s---w- C:\LilBunnyCF

2009-08-24 04:24 . 2009-08-25 15:58 -------- d-s---w- C:\ComboFix

2009-08-24 03:15 . 2009-08-24 03:20 -------- d-s---w- C:\Combo-Fix

2009-08-23 05:09 . 2009-08-23 05:09 -------- d-----w- C:\installers

2009-08-22 02:04 . 2009-08-22 02:04 -------- d-----w- c:\program files\Trend Micro

2009-08-22 02:03 . 2009-08-21 20:51 812344 ----a-w- c:\documents and settings\Potter House\HJTInstall.exe

2009-08-22 00:10 . 2009-08-03 20:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-22 00:10 . 2009-08-26 17:12 -------- d-----w- c:\program files\Malwarebytes' Anti-MalwareSAFE

2009-08-22 00:10 . 2009-08-03 20:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-22 00:02 . 2009-08-22 00:02 -------- d-----w- c:\program files\Trend MicroSAFE

2009-08-21 23:46 . 2009-08-21 23:47 -------- d-----w- C:\92b1978b295196649367e8

2009-08-21 23:46 . 2009-08-21 23:57 -------- d-----w- c:\windows\SxsCaPendDel

2009-08-21 23:20 . 2009-08-27 16:28 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-21 23:20 . 2009-08-27 15:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-21 21:13 . 2009-08-27 16:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft

2009-08-21 19:58 . 2009-08-21 19:58 174080 ----a-w- C:\btfoltoo.exe

2009-08-19 17:28 . 2009-08-19 17:28 -------- d-----w- c:\documents and settings\Potter House\Application Data\Malwarebytes

2009-08-19 17:28 . 2009-08-19 17:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-08-19 05:35 . 2009-08-19 05:35 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-08-13 05:05 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll

2009-08-06 20:42 . 2009-08-06 20:42 1962544 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\install_flash_player_ax.exe

2009-08-06 20:41 . 2009-08-07 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-27 23:31 . 2008-03-25 19:22 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-27 17:02 . 2008-05-26 19:09 -------- d-----w- c:\documents and settings\Potter House\Application Data\LimeWire

2009-08-27 16:43 . 2008-04-15 14:45 86864 ----a-w- c:\documents and settings\Potter House\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-27 16:30 . 2009-08-27 16:30 5632 --sha-w- c:\program files\Thumbs.db

2009-08-27 16:23 . 2009-04-02 01:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation

2009-08-26 05:30 . 2008-04-25 17:09 -------- d-----w- c:\documents and settings\Potter House\Application Data\gtk-2.0

2009-08-25 16:25 . 2008-04-24 00:21 -------- d-----w- c:\documents and settings\Potter House\Application Data\TrueCrypt

2009-08-18 17:25 . 2008-08-23 16:31 -------- d-----w- c:\program files\Firefox

2009-08-18 17:22 . 2009-03-30 17:42 -------- d-----w- c:\documents and settings\Potter House\Application Data\uTorrent

2009-08-18 11:10 . 2009-01-27 19:33 -------- d-----w- c:\documents and settings\Potter House\Application Data\Key Folder

2009-08-13 13:26 . 2008-04-17 17:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-08-07 01:03 . 2009-02-26 19:01 5 ----a-w- c:\windows\sbacknt.bin

2009-08-06 20:35 . 2008-04-15 20:21 -------- d-----w- c:\program files\Microsoft Silverlight

2009-08-05 09:01 . 2005-08-16 10:18 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-31 20:21 . 2009-02-26 18:57 152904 ----a-w- c:\windows\system32\vghd.scr

2009-07-17 19:01 . 2005-08-16 10:18 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-14 06:43 . 2005-08-16 10:19 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-03 17:09 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll

2009-07-02 20:57 . 2009-06-26 04:20 -------- d-----w- c:\program files\DAEMON Tools Lite

2009-07-02 05:45 . 2009-07-02 05:44 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE

2009-06-26 04:13 . 2008-09-16 22:44 721904 ----a-w- c:\windows\system32\drivers\sptd.sys

2009-06-16 14:36 . 2005-08-16 10:18 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-06-16 14:36 . 2005-08-16 10:18 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-06-12 12:31 . 2005-08-16 10:18 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2005-08-16 10:18 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 16:19 . 2005-08-16 10:37 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 14:13 . 2005-08-16 10:18 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 06:14 . 2005-08-16 10:18 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-03 19:09 . 2005-08-16 10:18 1291264 ----a-w- c:\windows\system32\quartz.dll

2008-06-10 01:23 . 2008-04-24 03:30 88 --sh--r- c:\windows\system32\254C04F909.sys

2006-05-03 10:06 . 2009-01-26 19:28 163328 --sh--r- c:\windows\system32\flvDX.dll

2008-06-10 01:24 . 2008-04-24 03:30 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys

2007-02-21 11:47 . 2009-01-26 19:28 31232 --sh--r- c:\windows\system32\msfDX.dll

2008-03-16 13:30 . 2009-01-26 19:28 216064 --sh--r- c:\windows\system32\nbDX.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]

"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 122880]

"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 49152]

"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2006-11-04 866584]

"CaISSDT"="d:\program files\eTrust\caissdt.exe" [2006-06-26 165392]

"CaAvTray"="d:\program files\eTrust\eTrust EZ Antivirus\CAVTray.exe" [2008-04-15 230928]

"CAVRID"="d:\program files\eTrust\eTrust EZ Antivirus\CAVRID.exe" [2008-04-15 185872]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-27 221184]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-17 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-05-27 413696]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"CTHelper"="CTHELPER.EXE" - c:\windows\CTHELPER.EXE [2005-11-08 16384]

"CTxfiHlp"="CTXFIHLP.EXE" - c:\windows\system32\CTXFIHLP.EXE [2006-03-02 18944]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-09-17 1657376]

"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-27 282624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2007-2-5 118784]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"d:\\Games\\Splinter Cell\\Splinter Cell Pandora Tomorrow\\pandora.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\LimeWire\\LimeWire.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"11980:TCP"= 11980:TCP:BitComet 11980 TCP

"11980:UDP"= 11980:UDP:BitComet 11980 UDP

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [8/27/2009 9:05 AM 64160]

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [7/3/2009 7:49 AM 1029456]

R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]

S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [12/10/2008 5:55 PM 89256]

S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [12/10/2008 5:55 PM 15016]

S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [12/10/2008 5:55 PM 120744]

S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [12/10/2008 5:55 PM 114216]

S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [12/10/2008 5:55 PM 25512]

S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [12/10/2008 5:55 PM 110632]

S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [12/10/2008 5:55 PM 115752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-27 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-07-03 14:49]

2009-08-28 c:\windows\Tasks\MP Scheduled Scan.job

- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-08-28 c:\windows\Tasks\User_Feed_Synchronization-{EA44E479-FB04-4855-AFB1-08BE50634A84}.job

- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]

.

.

------- Supplementary Scan -------

.

uStart Page = www.angelfire.com/wa3/potterhouse/uberpage.mht

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000

DPF: {64D01C7F-810D-446E-A07E-456746835644} - hxxp://uk.games.myspace.com/gameshell/games/channel--110372603/lc--en/room--0fa147b9-5572-440b-8d7d-7813fb7fa3ba/online/abc_island/en/abcisland.cab

DPF: {B516CA4E-A5BA-405C-AFCF-A97F08CC7429} - hxxp://www.shockwave.com/content/burgershop/sis/GoBitGamesPlayer_v5.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

FF - ProfilePath - c:\documents and settings\Potter House\Application Data\Mozilla\Firefox\Profiles\unb5fzhk.default\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-28 11:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CTHelper = CTHELPER.EXE??R?.?E?X?E??

CTxfiHlp = CTXFIHLP.EXE??P?.?E?X?E??

DLA = c:\windows\System32\DLA\DLACTRLW.EXE??\?D?L?A?\?D?L?A?C?T?R?L?W?.?E?X?E??

ISUSScheduler = "c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start??h?i?e?l?d?\?U?p?d?a?t?e?S?e?r?v?i?c?e?\?i?s?s?c?h?.?e?x?e?"? ?-?s?t?a?r?t??

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]

"ImagePath"="\??\c:\windows\system32\Drivers\HNPsSdk.drv"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{40B63A11-24DA-4F1A-F331-AF6562EB360B}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"oanhccajkkpbaobmmafebgpgoaohne"=hex:64,61,6e,62,6e,68,69,6e,00,90

"oajhgelahcijbiomgfdpodbkbedeap"=hex:6b,61,61,63,65,68,65,6b,63,65,69,62,63,6e,

6f,65,70,6d,6d,66,64,6f,00,00

"napgablpacflgkjnjmdlokjfcehn"=hex:6b,61,61,63,65,68,65,6b,63,65,69,62,63,6e,

6f,65,70,6d,6d,66,64,6f,00,00

[HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:53,de,e6,7e,7c,da,a6,0f,36,c1,f7,48,55,1e,35,6e,a5,b6,d4,4d,8b,26,9b,

b6,f8,ef,c8,a0,e5,f5,16,5e,6c,8a,cf,4d,ba,8e,70,73,5c,f1,e1,76,8f,7b,ca,73,\

"??"=hex:cf,55,c7,95,2b,14,4d,f8,66,7b,0c,1b,19,52,fe,22

[HKEY_USERS\S-1-5-21-2740426159-3304903004-2380553705-1005\Software\SecuROM\License information*]

"datasecu"=hex:dc,d6,a7,df,41,30,ef,39,68,a0,21,db,8a,1a,d8,d9,76,a2,5f,f8,0c,

40,26,a6,a2,3d,f2,59,b2,dd,27,59,06,0a,88,2c,0e,7c,46,02,f9,d4,3f,33,ae,b1,\

"rkeysecu"=hex:bc,f5,52,ce,8d,e9,7b,80,30,16,f4,58,23,11,cd,b4

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]

@Denied: (A 2) (Everyone)

@="FlashBroker"

"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]

@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]

@Denied: (A 2) (Everyone)

@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]

@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]

@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

"Version"="1.0"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3968)

c:\windows\system32\WININET.dll

c:\windows\system32\nview.dll

c:\program files\Windows Desktop Search\deskbar.dll

c:\program files\Windows Desktop Search\en-us\dbres.dll.mui

c:\program files\Windows Desktop Search\dbres.dll

c:\program files\Windows Desktop Search\wordwheel.dll

c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui

c:\program files\Windows Desktop Search\msnlExtRes.dll

c:\progra~1\WINDOW~3\wmpband.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\system32\CTSVCCDA.EXE

c:\windows\ehome\ehrecvr.exe

c:\windows\ehome\ehSched.exe

c:\windows\system32\nvsvc32.exe

d:\program files\eTrust\eTrust EZ Antivirus\VetMsg.exe

c:\windows\system32\searchindexer.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\CTXFISPI.EXE

c:\windows\system32\rundll32.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\searchprotocolhost.exe

c:\program files\Lavasoft\Ad-Aware\AAWTray.exe

c:\windows\system32\searchfilterhost.exe

.

**************************************************************************

.

Completion time: 2009-08-28 11:32 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-28 18:32

Pre-Run: 195,607,183,360 bytes free

Post-Run: 196,957,974,528 bytes free

281 --- E O F --- 2009-08-28 18:30

[screen317]

Hi,

Please go to VirusTotal, and upload the following file for analysis:

c:\windows\system32\Drivers\HNPsSdk.drv

Post the results in your reply.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

• Click Start Scanning.
  
• You should get a notification bar (on top) to install the ActiveX control.
  
• Click on it and select to install the ActiveX.
  
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
  
• Click the Full System Scan button.
  
• It will start to download scanner components and databases. This can take a while.
  
• The main scan will start.
  
• Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  
• The cleaning can take a while, so please be patient.
  
• Then click the Show report button and Copy/Paste what is present under results in your next reply.
  

Next, download my Security Check from here or here.

• Save it to your Desktop.
  
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.
  

Let me know how things are running now and what issues remain.

-screen317

[Chgallos]

Umm ... I'm at a crossroads here. I am posting this is safe mode because when I boot normally, windows USUALLY loads all the start-up programs and then freezes completely. Sometimes it doesn't even finish loading all the start-up stuff before freezing. Once it froze at the log-in screen.

I attempted to restore my system to a previous date and it says I dont have any restore points. That seems odd since many of the programs I have been running lately say they are creating a restore point before running. Are those accessable by some other means?

At this point I would love to follow your last advice, but given the circumstances, I would greatly appreciate more feedback before proceeding.

Preferably this will have to be something that can be done in safe mode.

Thanks a million.

[screen317]

Hi,

Do you remember when this started??

Perform the instructions above in Safe Mode with Networking.

-screen317

[Chgallos]

I believe this started Aug 7th. My wife woke up one morning to see an adware pop-up on the desktop (I think it was called "Windows Anti Virus" or something). She attemted to say no and she got the BSoD. She took a screenshot of it (I still have it if you want to see it). I think that it was only after that day that every once in a while I would notice Windows Defender telling me to turn my firewall back on, but I never turned it off. I used my antivirus (eTrust EZ Antivurus) to try to clean. I cleaned some, but didn't fix the prob. At that point I used one anti-malware or another (I dont recall which). It seemed to have gotten better for a few days. No issues. Then, when Googling, clicking on a link led to random web sites. Used different cleaners. Some of them didn't run at all. About that time was when I started posting on this site. After starting this post I had my computer on for about 20 mins a day to check email and whatnot.

A few days ago it seemed pretty good. I even played a video game for a few hours because it seemed clean. Then it all came tumbling down. iexplorer gets hijacked constantly, I have strange programs that I dont recognize in my task manager-processes from time to time. Even when not on the internet I get strange audio that sounds like tv commercials or something, and there is in fact multiple iexplorers running in "processes" but not "applications". I try running cleaners and they crash, vanish, I get the BSoD or the whole thing just freezes so I cant to anything but a manual power-down. Even now, in Safe Mode with Networking I have iexplorers running and the occasional pop-up (see attached jpg).

So, I think this is what you want from the F-Secure (full report).

Scanning Report

Sunday, August 30, 2009 20:23:05 - 21:04:35

Computer name: POTTERHOUSE

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\ D:\

--------------------------------------------------------------------------------

27 malware found

TrackingCookie.Questionmarket (spyware)

System (Disinfected)

TrackingCookie.2o7 (spyware)

System (Disinfected)

TrackingCookie.Advertising (spyware)

System (Disinfected)

TrackingCookie.Atdmt (spyware)

System (Disinfected)

TrackingCookie.Doubleclick (spyware)

System (Disinfected)

MemScan:Trojan.Clicker.MUC (spyware)

System (Disinfected)

TrackingCookie.Revsci (spyware)

System (Disinfected)

TrackingCookie.Adbrite (spyware)

System (Disinfected)

TrackingCookie.Xiti (spyware)

System (Disinfected)

TrackingCookie.Mediaplex (spyware)

System (Disinfected)

Trojan.TDss.WT (spyware)

System (Disinfected)

TrackingCookie.Statcounter (spyware)

System (Disinfected)

TrackingCookie.Atwola (spyware)

System (Disinfected)

TrackingCookie.Yieldmanager (spyware)

System (Disinfected)

Trojan-Downloader:W32/Renos.gen!C (spyware)

System (Disinfected)

Trojan-Downloader:W32/Renos.gen!C (virus)

C:\WINDOWS\MSA.EXE (Not cleaned)

Trojan-Downloader:W32/Renos.gen!C (virus)

C:\WINDOWS\MSB.EXE (Not cleaned)

Backdoor:W32/TDSS.CX (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP653\A0051425.SYS (Renamed & Submitted)

Trojan:W32/TDSS.CW (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP653\A0051426.DLL (Renamed & Submitted)

Trojan:W32/Alureon.R (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP653\A0051427.DLL (Renamed)

Trojan:W32/Alureon.R (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP653\A0051428.DLL (Renamed)

Trojan:W32/TDSS.CW (virus)

C:\SYSTEM VOLUME INFORMATION\_RESTORE{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP653\A0051429.DLL (Renamed & Submitted)

Trojan.Generic.1644710 (virus)

C:\PROGRAM FILES\WMA TO MP3 CONVERTER\READMEDIA.DLL (Renamed & Submitted)

Trojan-Downloader:W32/Renos.gen!C (virus)

C:\DOCUMENTS AND SETTINGS\POTTER HOUSE\LOCAL SETTINGS\TEMP\C.EXE (Not cleaned)

Trojan-Downloader:W32/Renos.gen!C (virus)

C:\DOCUMENTS AND SETTINGS\POTTER HOUSE\LOCAL SETTINGS\TEMP\D.EXE (Not cleaned)

Trojan-Downloader:W32/Renos.gen!C (virus)

C:\DOCUMENTS AND SETTINGS\POTTER HOUSE\LOCAL SETTINGS\TEMP\F.EXE (Not cleaned)

Trojan.Generic.1443458 (virus)

C:\DOCUMENTS AND SETTINGS\POTTER HOUSE\APPLICATION DATA\KEY FOLDER\SQL2005.DLL (Renamed & Submitted)

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 51129

System: 3996

Not scanned: 13

Actions:

Disinfected: 15

Renamed: 7

Deleted: 0

Not cleaned: 5

Submitted: 5

Files not scanned:

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\DUMPREP.EXE

C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\SYSTEM VOLUME INFORMATION\MOUNTPOINTMANAGERREMOTEDATABASE

C:\PROGRAM FILES\TREND MICROSAFE\HIJACKTHIS\HIJACKTHIS.EXE

C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE

C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LAVASOFT\AD-AWARE\MINIMESSAGE\2

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

--------------------------------------------------------------------------------

Copyright

[Chgallos]

This is what happens when i try to kill one of the iexplorers manually.