Cannot remove rootkit.TDSS or Trojan.DNSChange

[tweis]

After several scans with mbam, I cannot get rid of these two. The most notable effect is my system will hang unless I boot into safe mode. Following the instructions in the master thread, I ran DeFogger, DDS, and the Rootkit Scanner, and am attaching all the relevant log files. FWIW, I am also having problems removing something called Rogue.SmartProtector when running SuperAntiSpyware.

Thanks for your help!

Most recent malwarebytes log:

-------------------------------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.43

Database version: 3482

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

1/2/2010 3:27:19 PM

mbam-log-2010-01-02 (15-27-19).txt

Scan type: Quick Scan

Objects scanned: 256343

Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINPRO\system32\krl32mainweq.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.

-------------------------------------------------------------------------------------------------------------------------------

DDS.txt:

-------------------------------------------------------------------------------------------------------------------------------

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK

Run by todd at 17:56:53.67 on Sat 01/02/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.3005 [GMT -8:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINPRO\system32\svchost -k DcomLaunch

svchost.exe

C:\WINPRO\system32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINPRO\Explorer.EXE

C:\WINPRO\system32\ctfmon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Program Files\Internet Explorer\Iexplore.exe

C:\Documents and Settings\todd.DRBUNNY.003\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/

uInternet Settings,ProxyOverride = *.local

BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll

TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File

uRun: [ctfmon.exe] c:\winpro\system32\ctfmon.exe

uRunOnce: [FlashPlayerUpdate] c:\winpro\system32\macromed\flash\FlashUtil10c.exe

mRun: [DNS7reminder] "e:\program files\nuance\naturallyspeaking9\ereg\ereg.exe" -r "c:\documents and settings\all users.winpro\application data\nuance\naturallyspeaking9\Ereg.ini

mRun: [WD Button Manager] WDBtnMgr.exe

mRun: [sunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe

mRun: [stxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"

mRun: [sSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot

mRun: [soundMan] SOUNDMAN.EXE

mRun: [RemoteControl8] "c:\program files\cyberlink\powerdvd8\PDVD8Serv.exe"

mRun: [PDVD8LanguageShortcut] "c:\program files\cyberlink\powerdvd8\language\Language.exe"

mRun: [NeroFilterCheck] c:\winpro\system32\NeroCheck.exe

mRun: [iSUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start

mRun: [iSUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup

mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install

mRun: [NvMediaCenter] RUNDLL32.EXE c:\winpro\system32\NvMcTray.dll,NvTaskbarInit

mRun: [NvCplDaemon] RUNDLL32.EXE c:\winpro\system32\NvCpl.dll,NvStartup

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Tvoxaxaga] rundll32.exe "c:\winpro\adiyosamavabowin.dll",Startup

mRun: [MSConfig] c:\winpro\pchealth\helpctr\binaries\MSConfig.exe /auto

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\Copy of mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\todddr~1.003\startm~1\programs\startup\autoba~1.lnk - c:\program files\seagate\autobackup\MemeoLauncher.exe

StartupFolder: c:\docume~1\todddr~1.003\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE

StartupFolder: c:\documents and settings\todd.drbunny.003\start menu\programs\startup\PowerReg Scheduler.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\billmi~1.lnk - c:\quickenw\BILLMIND.EXE

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\quicke~1.lnk - c:\quickenw\QWDLLS.EXE

StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\vpncli~1.lnk - c:\winpro\installer\{4c271126-c295-4828-a901-5910ae0c258b}\Icon3E5562ED7.ico

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

Trusted Zone: internet

Trusted Zone: mcafee.com

Trusted Zone: turbotax.com

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab

DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://a1540.g.akamai.net/7/1540/52/20060104/qtinstall.info.apple.com/snape/us/win/QuickTimeInstaller.exe

DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab

DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-36.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab

DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab

DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} - hxxp://www.systemrequirementslab.com/sysreqlab.cab

DPF: {CAFEEFAC-0014-0002-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0014-0002-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab

DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} - hxxp://plugin.fileopen.com/current/FileOpen.CAB

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5841/mcfscan.cab

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\winpro\system32\WPDShServiceObj.dll

SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Notification Packages = scecli fsdcocl.dll

============= SERVICES / DRIVERS ===============

R1 Ext2fs;Ext2fs;c:\winpro\system32\drivers\ext2fs.sys [2006-5-13 131840]

R3 USBFVNETR;NETGEAR MA101 USB Adapter;c:\winpro\system32\drivers\ma101rnd.sys [2006-4-26 80000]

S0 qfyfiwn;qfyfiwn;c:\winpro\system32\drivers\sujcio.sys --> c:\winpro\system32\drivers\sujcio.sys [?]

S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-1-2 11608]

S1 IfsDrives;IfsDrives;c:\winpro\system32\drivers\IfsDrives.sys [2006-5-13 4608]

S1 mfehidk;McAfee Inc. mfehidk;c:\winpro\system32\drivers\mfehidk.sys [2009-11-4 214664]

S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-12-16 9968]

S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-12-16 74480]

S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-1-2 108289]

S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-1-2 185089]

S2 avgntflt;avgntflt;c:\winpro\system32\drivers\avgntflt.sys [2010-1-2 55656]

S2 mpich_mpd;MPICH Daemon © 2001 Argonne National Lab;c:\program files\mpich\mpd\bin\mpd.exe [2006-6-7 184320]

S3 mferkdk;McAfee Inc. mferkdk;c:\winpro\system32\drivers\mferkdk.sys [2009-12-22 34248]

S3 PciCon;PciCon;\??\d:\pcicon.sys --> d:\PciCon.sys [?]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-12-16 7408]

S3 TCNear;TC Near;c:\winpro\system32\drivers\TCNear.sys [2007-10-17 124800]

S3 TCNearAudio;TC Near Audio;c:\winpro\system32\drivers\TCNearAudio.sys [2007-10-17 20864]

S3 TCNearMidi;TC Near MIDI;c:\winpro\system32\drivers\TCNearMidi.sys [2007-10-17 20480]

S3 VisorUsb;Handspring USB;c:\winpro\system32\drivers\visorusb.sys --> c:\winpro\system32\drivers\VisorUsb.sys [?]

S3 vsdatant;vsdatant;c:\winpro\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2010-01-03 01:55:32 202 ----a-w- c:\winpro\system32\srcr.dat

2010-01-03 01:50:58 0 ----a-w- c:\documents and settings\todd.drbunny.003\defogger_reenable

2010-01-02 23:29:56 869 ----a-w- c:\winpro\system32\krl32mainweq.dll

2010-01-02 18:34:19 0 d-----w- c:\winpro\LastGood.Tmp

2010-01-02 18:34:11 55656 ----a-w- c:\winpro\system32\drivers\avgntflt.sys

2010-01-02 18:34:06 0 d-----w- c:\program files\Avira

2010-01-02 18:34:06 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Avira

2010-01-02 02:06:45 0 --sha-w- c:\winpro\nvDrv.sy

2009-12-29 07:48:20 0 d-----w- c:\program files\CCleaner

2009-12-29 07:22:36 0 d-----w- c:\docume~1\todddr~1.003\applic~1\McAfee

2009-12-29 00:43:26 0 d-----w- c:\docume~1\todddr~1.003\applic~1\Malwarebytes

2009-12-26 18:27:22 0 d-----w- c:\docume~1\alluse~1.win\applic~1\SUPERAntiSpyware.com

2009-12-26 18:16:58 38224 ----a-w- c:\winpro\system32\drivers\mbamswissarmy.sys

2009-12-26 18:16:57 19160 ----a-w- c:\winpro\system32\drivers\mbam.sys

2009-12-26 18:16:57 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-12-26 18:16:57 0 d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes

2009-12-26 18:15:32 0 d-----w- c:\program files\SUPERAntiSpyware

2009-12-26 18:15:32 0 d-----w- c:\docume~1\todddr~1.003\applic~1\SUPERAntiSpyware.com

2009-12-23 08:13:12 0 d-----w- c:\winpro\McAfee.com

2009-12-23 07:04:48 0 d-----w- c:\program files\McAfee.com

2009-12-23 07:04:48 0 d-----w- c:\program files\common files\McAfee

2009-12-23 07:04:37 0 d-----w- c:\program files\McAfee

2009-12-23 07:01:59 34248 ----a-w- c:\winpro\system32\drivers\mferkdk.sys

2009-12-22 15:30:12 120 ----a-w- c:\winpro\Gjeweziwa.dat

2009-12-22 15:30:12 0 ----a-w- c:\winpro\Tcetogilime.bin

2009-12-22 15:26:25 471552 -c----w- c:\winpro\system32\dllcache\aclayers.dll

==================== Find3M ====================

2009-11-05 00:54:12 214664 ----a-w- c:\winpro\system32\drivers\mfehidk.sys

2009-10-29 07:45:38 916480 ----a-w- c:\winpro\system32\wininet.dll

2009-10-21 05:38:36 75776 ----a-w- c:\winpro\system32\strmfilt.dll

2009-10-21 05:38:36 25088 ----a-w- c:\winpro\system32\httpapi.dll

2009-10-13 10:30:16 270336 ----a-w- c:\winpro\system32\oakley.dll

2009-10-12 13:38:19 149504 ----a-w- c:\winpro\system32\rastls.dll

2009-10-12 13:38:18 79872 ----a-w- c:\winpro\system32\raschap.dll

2009-10-12 00:43:57 41504 ---ha-w- c:\winpro\system32\mlfcache.dat

2007-07-31 04:01:14 604 ---ha-w- c:\program files\STLL Notifier

2008-09-04 04:06:00 32768 --sha-w- c:\winpro\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090320080904\index.dat

============= FINISH: 17:58:08.34 ===============

Attach.zip

[sjpritch25]

Sorry for the delay

Do you still need assistance?

[tweis]

Yes please! I am considering reformatting but if my system can be cleaned I'd like to try.

[sjpritch25]

Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.

• When finished, it will produce a report for you.
  
• Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
  

Note:

Do not mouseclick combofix's window while it's running. That may cause it to stall

[tweis]

Thanks. I've attached the combofix log and here is the subsequent hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:53:53 PM, on 1/5/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Safe mode with network support

Running processes:

C:\WINPRO\System32\smss.exe

C:\WINPRO\system32\winlogon.exe

C:\WINPRO\system32\services.exe

C:\WINPRO\system32\lsass.exe

C:\WINPRO\system32\svchost.exe

C:\WINPRO\system32\svchost.exe

C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

C:\WINPRO\explorer.exe

C:\WINPRO\system32\ctfmon.exe

C:\Documents and Settings\todd.DRBUNNY.003\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll

O4 - HKLM\..\Run: [DNS7reminder] "E:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users.WINPRO\Application Data\Nuance\NaturallySpeaking9\Ereg.ini

O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

O4 - HKLM\..\Run: [stxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"

O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINPRO\system32\NeroCheck.exe

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [iSUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINPRO\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINPRO\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\Copy of mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINPRO\system32\ctfmon.exe

O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINPRO\system32\Macromed\Flash\FlashUtil10c.exe

O4 - Startup: AutoBackup Launcher.lnk = C:\Program Files\Seagate\AutoBackup\MemeoLauncher.exe

O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE

O4 - Startup: PowerReg Scheduler.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Billminder.lnk = C:\QUICKENW\BILLMIND.EXE

O4 - Global Startup: Quicken Startup.lnk = C:\QUICKENW\QWDLLS.EXE

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINPRO\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINPRO\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: http://*.mcafee.com

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200601...meInstaller.exe

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eB...l_v1-0-3-36.cab

O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab

O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab

O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab

O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - http://plugin.fileopen.com/current/FileOpen.CAB

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...841/mcfscan.cab

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Google Software Updater (gusvc) - Unknown owner - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe

O23 - Service: MPICH Daemon © 2001 Argonne National Lab (mpich_mpd) - Unknown owner - C:\Program Files\MPICH\mpd\bin\mpd.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINPRO\system32\nvsvc32.exe

O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe

O23 - Service: Retrospect WD Service (RetroWDSvc) - Dantz Development Corporation - C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe

O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\Win32\RpcDataSrv.exe

O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2007\RpcSandraSrv.exe

--

End of file - 8781 bytes

combolog.txt

[sjpritch25]

Please make sure you have a fresh Copy of ComboFix. The current version is out of date.

Please download a fresh copy from here

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\winpro\system32\drivers\ext2fs.sys
c:\winpro\system32\drivers\sujcio.sys
DeQuarantine::
C:\Qoobox\Quarantine\program files\Google\Common\Google Updater\GoogleUpdaterService.exe.vir
DirLook::
C:\winpro
Driver::
Ext2fs
qfyfiwn

Save this as CFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

[tweis]

Ok, I ran the ComboFix script and it seemed to complete just fine. I've attached the new logfile.

Thanks again!

Cfixlog2.txt

[sjpritch25]

How is everything running??

[tweis]

I ran another scan with mbam (still in safe mode) and nothing was detected. Tonight I'll boot normally and test things out. Should I run DeFogger again to reactivate the drivers it disabled?

[sjpritch25]

Nope just run mbam in normal mode and post the results. Thanks

[tweis]

I ran a full system scan and found nothing!

Malwarebytes' Anti-Malware 1.44

Database version: 3524

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/9/2010 8:55:25 AM

mbam-log-2010-01-09 (08-55-25).txt

Scan type: Full Scan (C:\|E:\|H:\|)

Objects scanned: 646396

Time elapsed: 1 hour(s), 57 minute(s), 22 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

[sjpritch25]

how is everything running?

[tweis]

Everything seems to be working ok. No more system freezes or spawning iexplorer.exe processes.

Can I assume I'm clean at this point?

[sjpritch25]

Yes but go to Start ---> Run ---> Type ComboFix /uninstall followed by enter.

[tweis]

Done! Thanks again for all your help!!

[sjpritch25]

no problem