
Virus preventing all AntiVirus Updates



I had a virus (XP Pro) and now I can't get anything to update, and I can't visit sites like Microsoft Update or any forums related to anti-virus protection. I can't get MBAM or Avast to update either. I've attached the ark.txt, attach.txt, and the MBAM log (program still runs, just won't update) that shows what viruses it cleaned during quick scan. Full scan didn't find anything else. DDS below...

DDS (Ver_09-12-01.01) - NTFSx86

Run by Administrator at 0:12:31.14 on Tue 03/09/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.226 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

svchost.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\BCMSMMSG.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\system32\svchost.exe -k netsvc6

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\docume~1\admini~1\locals~1\temp\NTI_NINJA\Open.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\iPod\bin\iPodService.exe

F:\dds.scr

============== Pseudo HJT Report ===============

uSearch Page =

uSearch Bar =

uInternet Settings,ProxyOverride = *.local

mSearchAssistant =

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File

BHO: {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - No File

BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [bCMSMMSG] BCMSMMSG.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"

mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [XeroxRegistation] "c:\docume~1\admini~1\locals~1\temp\xerox\ereg\EReg.exe" /Startup

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Monitor] "c:\program files\leapfrog\leapfrog connect\Monitor.exe"

mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui

mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ntiope~1.lnk - c:\program files\newtech infosystems\nti ninja\OpenNinja.exe

IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

Trusted Zone: intuit.com\ttlc

DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1252361607125

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1252363858828

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-9-7 162512]

R1 o6ko;ML Display Class Docfile Intel;c:\windows\system32\drivers\o6ko.sys [2009-11-8 32768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-9-7 19024]

R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-8 40384]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-9-7 54752]

R2 srvoko6;Security List Class Service Secondary OpcEnum Fonts Control;c:\windows\system32\svchost.exe -k netsvc6 [2002-8-29 14336]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-8-27 92008]

R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-8 40384]

R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-3-8 40384]

R3 NtiEnc;NtiEnc;c:\windows\system32\drivers\NtiEnc.sys [2009-9-15 135264]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [2009-12-29 18560]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]

S3 NinjaService;NinjaService;c:\program files\newtech infosystems\nti shadow 4\NinjaService.exe [2008-12-24 190264]

=============== Created Last 30 ================

2010-03-09 05:11:02 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-03-09 04:08:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-09 04:08:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-09 04:08:25 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-09 03:58:43 0 d-----w- c:\program files\CCleaner

2010-03-09 01:52:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software

2010-03-09 01:13:29 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-03-09 01:13:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-03-09 01:09:04 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-03-09 01:09:04 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-03-09 01:08:59 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-03-09 01:08:59 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-03-05 20:06:49 10107 ----a-w- c:\windows\fs1235.dat1

2010-03-04 17:19:46 1 ----a-w- c:\windows\lgo

2010-03-04 16:45:50 1 ----a-w- c:\windows\ligh

2010-03-04 16:45:42 67072 ---h--w- c:\windows\bill103.exe

==================== Find3M ====================

2010-03-09 04:04:57 135264 ----a-w- c:\windows\system32\drivers\NtiEnc.sys

2010-03-02 16:42:12 20984 ----a-w- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT

2009-12-21 19:14:05 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll

============= FINISH: 0:12:54.67 ===============


Hello opie!

My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

  • The process of cleaning your system may take some time, so please be patient.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms do not mean that everything is okay.
  • Instructions that I give are for your system only!
  • If you don't know or can't understand something please ask.
  • Do not install any software or hardware while we work on it.

Step 1:

Please uninstall the following application:

Adobe Reader 9.1.3

After we finish our work, please download and install the latest version of Adobe Reader from:

http://www.adobe.com

Step 2:

Please visit Combofix Guide & Instructions for instructions on installing the recovery console and on downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to Combo-Fix.exe please.

Post the log from ComboFix.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

Note: During this process, it would help a great deal and be very much appreciated if you would refrain from installing any new software or hardware on this machine, unless absolutely necessary, until the clean up process is finished as it makes our job more tedious, with additional new files that may have to be researched, which is very time consuming.

Also, please do not run any security programs or fixes on your own as doing so may compromise what we will be doing. It is important that you wait for instructions.


ComboFix 10-03-09.04 - Administrator 03/09/2010 22:14:57.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.281 [GMT -5:00]

Running from: F:\Combo-Fix.exe

AV: avast! Antivirus *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\bill103.exe

c:\windows\lgo

c:\windows\ligh

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_SRVOKO6

-------\Service_srvoko6

((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))

.

2010-03-09 04:56 . 2010-03-09 04:56 -------- d-----w- c:\program files\ERUNT

2010-03-09 04:08 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-09 04:08 . 2010-03-09 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-09 04:08 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-09 03:58 . 2010-03-09 03:58 -------- d-----w- c:\program files\CCleaner

2010-03-09 01:52 . 2010-03-09 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-03-09 01:13 . 2010-03-09 01:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-09 01:13 . 2010-03-09 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-09 01:12 . 2010-03-09 01:12 209408 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268097118.exe

2010-03-09 01:09 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-03-09 01:09 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-03-09 01:08 . 2008-04-13 19:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-03-09 01:08 . 2008-04-13 19:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-03-08 18:40 . 2010-03-08 18:40 209408 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268073619.exe

2010-03-08 17:47 . 2010-03-08 17:47 209408 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268070442.exe

2010-03-06 17:59 . 2010-03-06 17:59 210432 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267898393.exe

2010-03-05 19:51 . 2010-03-05 19:51 210432 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267818652.exe

2010-03-05 17:31 . 2010-03-05 17:31 206336 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267810302.exe

2010-03-05 01:21 . 2010-03-05 01:21 206336 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267752115.exe

2010-03-04 17:26 . 2010-03-04 17:26 206848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267723566.exe

2010-03-04 17:14 . 2010-03-04 17:14 206848 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267722882.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-10 03:23 . 2009-09-16 01:04 135264 ----a-w- c:\windows\system32\drivers\NtiEnc.sys

2010-03-09 02:08 . 2009-09-08 00:59 -------- d-----w- c:\program files\Alwil Software

2010-03-04 02:02 . 2010-01-10 05:56 725608 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-02-11 18:53 . 2009-09-08 01:00 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-02-11 18:53 . 2009-09-08 00:59 153184 ----a-w- c:\windows\system32\aswBoot.exe

2010-02-11 18:42 . 2009-09-08 01:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-02-11 18:42 . 2009-09-08 01:00 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-02-11 18:39 . 2009-09-08 01:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-02-11 18:38 . 2009-09-08 01:00 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-02-11 18:38 . 2009-09-08 01:00 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-02-11 18:38 . 2009-09-08 01:00 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-02-11 18:38 . 2009-09-08 01:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-01-26 00:52 . 2009-09-08 00:07 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-09 18:56 . 2009-11-23 23:13 -------- d-----w- c:\program files\HP-12C Financial Emulator

2010-01-09 13:54 . 2009-09-07 22:49 20984 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-09 13:53 . 2010-01-09 13:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit

2010-01-09 13:53 . 2010-01-09 13:53 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0

2010-01-09 13:52 . 2010-01-09 13:45 -------- d-----w- c:\program files\Common Files\Intuit

2010-01-09 13:50 . 2010-01-09 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit

2010-01-09 13:43 . 2010-01-09 13:43 -------- d-----w- c:\program files\TurboTax

2009-12-31 16:50 . 2002-08-29 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-30 03:19 . 2009-12-30 03:19 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe

2009-12-30 03:18 . 2009-12-30 03:18 6106960 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe

2009-12-21 19:14 . 2002-08-29 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2009-09-07 21:48 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2002-08-29 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 270336]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

NTI Open.lnk - c:\program files\NewTech Infosystems\NTI Ninja\OpenNinja.exe [2008-12-24 255800]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8085:TCP"= 8085:TCP:GateOKO

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/7/2009 8:00 PM 162512]

R1 o6ko;ML Display Class Docfile Intel;c:\windows\system32\drivers\o6ko.sys [11/8/2009 6:38 PM 32768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/7/2009 8:00 PM 19024]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [9/7/2009 7:07 PM 54752]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 10:05 AM 92008]

R3 NtiEnc;NtiEnc;c:\windows\system32\drivers\NtiEnc.sys [9/15/2009 8:04 PM 135264]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/29/2009 10:22 PM 18560]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]

S3 NinjaService;NinjaService;c:\program files\NewTech Infosystems\NTI Shadow 4\NinjaService.exe [12/24/2008 3:32 PM 190264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

netsvc6 REG_MULTI_SZ srvoko6

.

Contents of the 'Scheduled Tasks' folder

2010-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

Trusted Zone: intuit.com\ttlc

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-09 22:22

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1004336348-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,dc,d0,6b,b7,a0,6c,48,94,5c,f9,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,be,46,f1,b2,d2,92,43,b4,f0,ae,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,be,46,f1,b2,d2,92,43,b4,f0,ae,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5364)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\wscntfy.exe

c:\windows\BCMSMMSG.exe

c:\program files\Dell AIO Printer A920\dlbkbmon.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\program files\iPod\bin\iPodService.exe

c:\docume~1\admini~1\locals~1\temp\NTI_NINJA\Open.exe

.

**************************************************************************

.

Completion time: 2010-03-09 22:27:24 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-10 03:27

Pre-Run: 29,029,818,368 bytes free

Post-Run: 29,260,541,952 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

- - End Of File - - B4B110B52D46929063AA2EE37F3D5598


Open Notepad and copy and paste the text in the code box below into it:

KillAll::

File::
c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268097118.exe
c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268073619.exe
c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268070442.exe
c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267898393.exe
c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267818652.exe
c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267810302.exe
c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267752115.exe
c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267723566.exe
c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267722882.exe

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

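
As an added example (not part of this thread, and not code from the DDS, ComboFix or Malwarebytes tools), here is a small Python triage script that runs over lines copied from the DDS and ComboFix logs above and flags the indicators the helper acted on: a service loaded through an svchost group that is not part of a stock XP install (srvoko6 under netsvc6), a firewall exception opened for every host (8085:TCP GateOKO), a hidden executable and one-byte marker files dropped straight into the Windows directory (bill103.exe, lgo, ligh), the rdr_<timestamp>.exe drops in the user profile that the CFScript deletes, and BHO/EB entries whose CLSID resolves to no file. The KNOWN_SVCHOST_GROUPS set and the size and name heuristics are my assumptions, and the sample lines are constructed from this thread's logs.

```python
import re

# Stock svchost.exe service groups on a default Windows XP SP3 install.
# Assumption: illustrative, not exhaustive; build your own list from a known-clean machine.
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "imgsvc", "wudfservicegroup", "termsvcs", "httpfilter",
}

# "R2 name;display name;image path [date size]" as DDS and ComboFix print services
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?)\s+\[[^\]]*\]$")
# svchost group registration as ComboFix prints it: "netsvc6 REG_MULTI_SZ srvoko6"
SVCHOST_KEY_RE = re.compile(r"^(?P<group>\S+)\s+REG_MULTI_SZ\s+(?P<members>.+)$")
# File rows; ComboFix adds a second " . date time" column that DDS does not have
FILE_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}(?::\d{2})?\s+"
    r"(?:\.\s+\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}\s+)?"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$")
ORPHAN_RE = re.compile(r"^(?:BHO|EB|TB):\s*\{[0-9a-f-]{36}\}\s*-\s*No File$", re.I)
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(\S+)$')


def suspicious_services(lines):
    """Flag services loaded through an svchost group that is not a stock group,
    both from the service list and from the svchost registry key dump."""
    hits = []
    for raw in lines:
        line = raw.strip()
        svc = SERVICE_RE.match(line)
        if svc:
            k = re.search(r"svchost\.exe\s+-k\s+(\S+)", svc["image"], re.I)
            if k and k.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                hits.append((svc["name"],
                             f"runs under non-stock svchost group '{k.group(1)}'"))
            continue
        key = SVCHOST_KEY_RE.match(line)
        if key and key["group"].lower() not in KNOWN_SVCHOST_GROUPS:
            hits.append((key["group"],
                         f"non-stock svchost group registered, members: {key['members']}"))
    return hits


def suspicious_files(lines, windir=r"c:\windows"):
    """Flag hidden executables, tiny marker files dropped directly into the Windows
    directory root, and the rdr_<unixtime>.exe naming pattern the CFScript deletes."""
    hits = []
    for raw in lines:
        m = FILE_RE.match(raw.strip())
        if not m:
            continue
        path, attrs = m["path"], m["attrs"]
        low = path.lower()
        size = None if m["size"].startswith("-") else int(m["size"])  # "--------" = directory
        in_windir_root = low.startswith(windir + "\\") and "\\" not in low[len(windir) + 1:]
        if "h" in attrs and low.endswith(".exe"):
            hits.append((path, "hidden executable"))
        elif in_windir_root and size is not None and size <= 1:
            hits.append((path, "marker-sized file in the Windows directory root"))
        elif re.search(r"\\rdr_\d{10}\.exe$", low):
            hits.append((path, "matches the rdr_<unixtime>.exe drop pattern"))
    return hits


def orphan_bhos(lines):
    """Browser helper objects / explorer bars whose CLSID no longer resolves to a file."""
    return [l.strip() for l in lines if ORPHAN_RE.match(l.strip())]


def globally_open_ports(lines):
    """Ports opened for every remote host in the XP firewall standard profile."""
    ports, in_section = [], False
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = "globallyopenports" in line.lower()
            continue
        m = OPEN_PORT_RE.match(line) if in_section else None
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3)))
    return ports


# Constructed sample: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LINES = r"""
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2009-9-7 162512]
R2 srvoko6;Security List Class Service Secondary OpcEnum Fonts Control;c:\windows\system32\svchost.exe -k netsvc6 [2002-8-29 14336]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 10:05 AM 92008]
2010-03-09 01:09:04 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys
2010-03-04 17:19:46 1 ----a-w- c:\windows\lgo
2010-03-04 16:45:42 67072 ---h--w- c:\windows\bill103.exe
2010-03-09 01:12 . 2010-03-09 01:12 209408 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268097118.exe
2010-03-09 04:56 . 2010-03-09 04:56 -------- d-----w- c:\program files\ERUNT
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:GateOKO
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc6 REG_MULTI_SZ srvoko6
""".strip().splitlines()

if __name__ == "__main__":
    for name, fn in [("services", suspicious_services), ("files", suspicious_files),
                     ("orphan BHOs", orphan_bhos), ("open ports", globally_open_ports)]:
        print(name)
        for hit in fn(SAMPLE_LINES):
            print("  ", hit)
```

Feed it the full text of a DDS or ComboFix log and it reports only the rows worth a second look; everything else in a log of this size is noise. The one indicator in these logs it does not catch is the o6ko driver with the word-salad display name "ML Display Class Docfile Intel", which still has to be spotted by eye, and the ComboFix log confirms the chain by showing netsvc6 registered under the svchost key with srvoko6 as its only member.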

Here are the new logs. I installed HijackThis to give you the second log below. It gave me an error while running but still generated the log.

ComboFix 10-03-09.08 - Administrator 03/10/2010 6:26.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.227 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\Combo-Fix.exe

Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::

"c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267722882.exe"

"c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267723566.exe"

"c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267752115.exe"

"c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267810302.exe"

"c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267818652.exe"

"c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267898393.exe"

"c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268070442.exe"

"c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268073619.exe"

"c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268097118.exe"

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267722882.exe

c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267723566.exe

c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267752115.exe

c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267810302.exe

c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267818652.exe

c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1267898393.exe

c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268070442.exe

c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268073619.exe

c:\documents and settings\Administrator\Local Settings\Application Data\rdr_1268097118.exe

.

((((((((((((((((((((((((( Files Created from 2010-02-10 to 2010-03-10 )))))))))))))))))))))))))))))))

.

2010-03-09 04:56 . 2010-03-09 04:56 -------- d-----w- c:\program files\ERUNT

2010-03-09 04:08 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-03-09 04:08 . 2010-03-09 04:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-09 04:08 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-09 03:58 . 2010-03-09 03:58 -------- d-----w- c:\program files\CCleaner

2010-03-09 01:52 . 2010-03-09 01:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software

2010-03-09 01:13 . 2010-03-09 01:13 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-03-09 01:13 . 2010-03-09 01:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-03-09 01:09 . 2001-08-17 18:48 12160 -c--a-w- c:\windows\system32\dllcache\mouhid.sys

2010-03-09 01:09 . 2001-08-17 18:48 12160 ----a-w- c:\windows\system32\drivers\mouhid.sys

2010-03-09 01:08 . 2008-04-13 19:45 10368 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-03-09 01:08 . 2008-04-13 19:45 10368 ----a-w- c:\windows\system32\drivers\hidusb.sys

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-03-10 11:32 . 2009-09-16 01:04 135264 ----a-w- c:\windows\system32\drivers\NtiEnc.sys

2010-03-09 02:08 . 2009-09-08 00:59 -------- d-----w- c:\program files\Alwil Software

2010-03-04 02:02 . 2010-01-10 05:56 725608 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-02-11 18:53 . 2009-09-08 01:00 38848 ----a-w- c:\windows\system32\avastSS.scr

2010-02-11 18:53 . 2009-09-08 00:59 153184 ----a-w- c:\windows\system32\aswBoot.exe

2010-02-11 18:42 . 2009-09-08 01:00 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys

2010-02-11 18:42 . 2009-09-08 01:00 162512 ----a-w- c:\windows\system32\drivers\aswSP.sys

2010-02-11 18:39 . 2009-09-08 01:00 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys

2010-02-11 18:38 . 2009-09-08 01:00 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys

2010-02-11 18:38 . 2009-09-08 01:00 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys

2010-02-11 18:38 . 2009-09-08 01:00 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys

2010-02-11 18:38 . 2009-09-08 01:00 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys

2010-01-26 00:52 . 2009-09-08 00:07 -------- d-----w- c:\program files\Microsoft Silverlight

2010-01-09 18:56 . 2009-11-23 23:13 -------- d-----w- c:\program files\HP-12C Financial Emulator

2010-01-09 13:54 . 2009-09-07 22:49 20984 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-01-09 13:53 . 2010-01-09 13:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Intuit

2010-01-09 13:53 . 2010-01-09 13:53 -------- d-----w- c:\program files\Common Files\AnswerWorks 5.0

2010-01-09 13:52 . 2010-01-09 13:45 -------- d-----w- c:\program files\Common Files\Intuit

2010-01-09 13:50 . 2010-01-09 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit

2010-01-09 13:43 . 2010-01-09 13:43 -------- d-----w- c:\program files\TurboTax

2009-12-31 16:50 . 2002-08-29 12:00 353792 ----a-w- c:\windows\system32\drivers\srv.sys

2009-12-30 03:19 . 2009-12-30 03:19 28696928 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\UPCInstaller.exe

2009-12-30 03:18 . 2009-12-30 03:18 6106960 ----a-w- c:\documents and settings\All Users\Application Data\Leapfrog\LeapFrog Connect\Updates\TagPlugin.exe

2009-12-21 19:14 . 2002-08-29 12:00 916480 ------w- c:\windows\system32\wininet.dll

2009-12-16 18:43 . 2009-09-07 21:48 343040 ----a-w- c:\windows\system32\mspaint.exe

2009-12-14 07:08 . 2002-08-29 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]

"TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-08-27 247144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]

"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]

"Dell AIO Printer A920"="c:\program files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-05-12 270336]

"LogitechQuickCamRibbon"="c:\program files\Logitech\Logitech WebCam Software\LWS.exe" [2009-05-08 2780432]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-10-29 141600]

"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2009-11-10 443728]

"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-02-11 2756488]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

NTI Open.lnk - c:\program files\NewTech Infosystems\NTI Ninja\OpenNinja.exe [2008-12-24 255800]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"8085:TCP"= 8085:TCP:GateOKO

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/7/2009 8:00 PM 162512]

R1 o6ko;ML Display Class Docfile Intel;c:\windows\system32\drivers\o6ko.sys [11/8/2009 6:38 PM 32768]

R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/7/2009 8:00 PM 19024]

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [9/7/2009 7:07 PM 54752]

R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [8/27/2009 10:05 AM 92008]

R3 NtiEnc;NtiEnc;c:\windows\system32\drivers\NtiEnc.sys [9/15/2009 8:04 PM 135264]

S3 FlyUsb;FLY Fusion;c:\windows\system32\drivers\FlyUsb.sys [12/29/2009 10:22 PM 18560]

S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]

S3 NinjaService;NinjaService;c:\program files\NewTech Infosystems\NTI Shadow 4\NinjaService.exe [12/24/2008 3:32 PM 190264]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

netsvc6 REG_MULTI_SZ srvoko6

.

Contents of the 'Scheduled Tasks' folder

2010-03-09 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

.

.

------- Supplementary Scan -------

.

uInternet Settings,ProxyOverride = *.local

IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

Trusted Zone: intuit.com\ttlc

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-03-10 06:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1292428093-1004336348-839522115-500\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (Administrator)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9f,dc,d0,6b,b7,a0,6c,48,94,5c,f9,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,be,46,f1,b2,d2,92,43,b4,f0,ae,\

"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,fb,be,46,f1,b2,d2,92,43,b4,f0,ae,\

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(5684)

c:\windows\system32\WININET.dll

c:\windows\TEMP\logishrd\LVPrcInj01.dll

c:\windows\system32\ieframe.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Alwil Software\Avast5\AvastSvc.exe

c:\windows\system32\LEXBCES.EXE

c:\windows\system32\LEXPPS.EXE

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe

c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

c:\windows\system32\wscntfy.exe

c:\windows\BCMSMMSG.exe

c:\program files\Dell AIO Printer A920\dlbkbmon.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

c:\program files\iPod\bin\iPodService.exe

c:\docume~1\admini~1\locals~1\temp\NTI_NINJA\Open.exe

.

**************************************************************************

.

Completion time: 2010-03-10 06:37:02 - machine was rebooted

ComboFix-quarantined-files.txt 2010-03-10 11:36

ComboFix2.txt 2010-03-10 03:27

Pre-Run: 29,208,649,728 bytes free

Post-Run: 29,261,516,800 bytes free

- - End Of File - - 1C2152E85E77B2E0ED3FE33C7A8A08DA

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 6:41:57 AM, on 3/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\iPod\bin\iPodService.exe

c:\docume~1\admini~1\locals~1\temp\NTI_NINJA\Open.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

C:\WINDOWS\system32\ctfmon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NTI Open.lnk = C:\Program Files\NewTech Infosystems\NTI Ninja\OpenNinja.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1252361607125

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1252363858828

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: NinjaService - NTI - C:\Program Files\NewTech Infosystems\NTI Shadow 4\NinjaService.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--

End of file - 7065 bytes


  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

* MalwareBytes' Anti-Malware log

* HijackThis log (new)


Malwarebytes' Anti-Malware 1.44

Database version: 3850

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

3/10/2010 9:44:13 PM

mbam-log-2010-03-10 (21-44-13).txt

Scan type: Quick Scan

Objects scanned: 113917

Time elapsed: 4 minute(s), 23 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 3

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\o6ko (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc6 (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\o6ko.dll (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\o6ko.sys (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Application Data\010112010146111103.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)

Scan saved at 9:53:49 PM, on 3/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\BCMSMMSG.exe

C:\WINDOWS\system32\hkcmd.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe

C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe

C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe

C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe

C:\Program Files\Windows Live\Messenger\msnmsgr.exe

C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\wscntfy.exe

c:\docume~1\admini~1\locals~1\temp\NTI_NINJA\Open.exe

C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe

C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [bCMSMMSG] BCMSMMSG.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe" /hide

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Monitor] "C:\Program Files\LeapFrog\LeapFrog Connect\Monitor.exe"

O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: NTI Open.lnk = C:\Program Files\NewTech Infosystems\NTI Ninja\OpenNinja.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1252361607125

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1252363858828

O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.0...oUploader55.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: LeapFrog Connect Device Service - LeapFrog Enterprises, Inc. - C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: NinjaService - NTI - C:\Program Files\NewTech Infosystems\NTI Shadow 4\NinjaService.exe

O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe

--

End of file - 7032 bytes

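The two registry items MBAM removed above are the classic shape of a hijacked svchost group: a private group name (`netsvc6`) written under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost`, so that `svchost.exe -k netsvc6` loads the malware's ServiceDll, plus a kernel driver service (`o6ko`) with a plausible-sounding display name, and in the earlier ComboFix log a firewall exception opening 8085/TCP. The following is an added triage script, not part of this thread or of ComboFix, MBAM or HijackThis: it parses those ComboFix sections and flags anything a clean build does not have. The XP SP3 baseline group list and the known-driver allowlist are assumptions and should be rebuilt from a known-clean machine of the same build; the sample lines are copied from the ComboFix log above.

```python
"""Triage check for ComboFix-style text logs: spot a hijacked svchost group.

svchost.exe -k <group> loads every service named in the REG_MULTI_SZ value
<group> under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost and
runs each member's ServiceDll in-process. A group that a clean build never
ships (here "netsvc6" -> "srvoko6") is a persistence mechanism worth flagging
on sight, as is any kernel driver outside the known inventory and any
globally opened firewall port.
"""
import re
from dataclasses import dataclass

# Assumption: svchost groups present on a clean Windows XP SP3 install. Rebuild
# this set from a known-good machine of the same build before trusting it.
XP_SP3_SVCHOST_GROUPS = frozenset({
    "DcomLaunch", "HTTPFilter", "LocalService", "NetworkService", "netsvcs",
    "rpcss", "imgsvc", "termsvcs", "WudfServiceGroup",
})

SVCHOST_KEY = r"\software\microsoft\windows nt\currentversion\svchost"
GROUP_RE = re.compile(r"^(\S+)\s+REG_MULTI_SZ\s*(.*)$")
# ComboFix service line: "<R|S><start type> <name>;<display name>;<image path> [date size]"
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+?)\s*\[[^\]]*\]\s*$")
# Windows Firewall GloballyOpenPorts line: '"8085:TCP"= 8085:TCP:<label>'
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')


@dataclass(frozen=True)
class Finding:
    severity: str
    kind: str
    subject: str
    detail: str


def parse_combofix(text):
    """Return (svchost groups, services, open ports) parsed from ComboFix text."""
    groups, services, ports = {}, {}, []
    in_svchost = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):                       # a registry key header
            in_svchost = line.lower().rstrip("]").endswith(SVCHOST_KEY)
            continue
        if in_svchost:
            m = GROUP_RE.match(line)
            if m:
                groups[m.group(1)] = m.group(2).split()
                continue
            in_svchost = False                         # left the SvcHost key
        m = SERVICE_RE.match(line)
        if m:
            services[m.group(2)] = (m.group(1), m.group(3), m.group(4))
            continue
        m = PORT_RE.match(line)
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3).strip()))
    return groups, services, ports


def audit(groups, services, ports, baseline=XP_SP3_SVCHOST_GROUPS,
          known_drivers=frozenset()):
    """Flag non-baseline svchost groups, unknown running kernel drivers, open ports."""
    findings = []
    for group, members in groups.items():
        if group in baseline:
            continue
        findings.append(Finding("high", "svchost-group", group,
            f"not a baseline group; svchost.exe -k {group} hosts {members}"))
        for svc in members:
            if svc not in services:
                findings.append(Finding("high", "hidden-service", svc,
                    f"member of {group} but not in the parsed service list; read "
                    f"HKLM\\SYSTEM\\CurrentControlSet\\Services\\{svc}\\Parameters\\ServiceDll"))
    for name, (start, display, path) in services.items():
        if path.lower().endswith(".sys") and start.startswith("R") and name not in known_drivers:
            findings.append(Finding("medium", "unknown-driver", name,
                f"running kernel driver '{display}' at {path} is not in the known inventory"))
    for port, proto, label in ports:
        findings.append(Finding("medium", "open-port", f"{port}/{proto}",
            f"firewall exception '{label}' opens {port}/{proto} to all sources"))
    return findings


# Constructed sample: these lines are copied from the ComboFix log in this thread.
SAMPLE_COMBOFIX = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8085:TCP"= 8085:TCP:GateOKO
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/7/2009 8:00 PM 162512]
R1 o6ko;ML Display Class Docfile Intel;c:\windows\system32\drivers\o6ko.sys [11/8/2009 6:38 PM 32768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/7/2009 8:00 PM 19024]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 9:48 PM 704864]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
netsvc6 REG_MULTI_SZ srvoko6
.
"""

# Assumption: the avast! drivers are the only kernel drivers this machine is
# expected to run; a real inventory comes from the clean build.
KNOWN_DRIVERS = frozenset({"aswSP", "aswFsBlk"})

if __name__ == "__main__":
    for f in audit(*parse_combofix(SAMPLE_COMBOFIX), known_drivers=KNOWN_DRIVERS):
        print(f"[{f.severity}] {f.kind} {f.subject}: {f.detail}")
```

Run the file directly to see the four findings for the sample: the rogue `netsvc6` group, its member `srvoko6`, the unlisted `o6ko` driver, and the 8085/TCP exception. A member "not in the parsed service list" is a prompt to look, not proof of hiding, because ComboFix prints only a subset of services; the confirmation is the `ServiceDll` value under that service's `Parameters` key, which for a group-hijack points at the malware DLL (here `o6ko.dll`, the file MBAM quarantined).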

Better. I can update MBAM now, and I can navigate to Windows Update through Google. However, the Windows Update link under Safety in IE is greyed out. Do I need to do the DeFogger - Re-Enable step now (I was instructed to do the DeFogger disable step earlier)?


Yes, you can do it. Moreover, here are a few last steps:

Step 1:

* Go to start > run and copy and paste next command in the field:

ComboFix /uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Step 2:

Some preventions:

http://miekiemoes.blogspot.com/2008/02/how...nt-malware.html

Safe surfing! :lol:

