Badly Infected PC

Hi,

I am attempting to clean a relative's PC in Texas (I'm in Florida). I'm having a heck of a time. All of the anti-virus and anti-malware programs that are installed are completing their scans with no hits but the PC continues to exhibit malicious behavior. Without a browser even loaded, MBAM is actively blocking attempts to go to web sites. Microsoft Update is blocked. I can't even post to this forum from the PC. Between virus and malware scans, I cleaned up 55 infections but the problems persist. If someone can offer assistance, I would be very appreciative.

Hopefully, I included all of the correct files and logs. Here they are...

DDS (Ver_10-03-17.01) - NTFSx86

Run by Steve at 20:03:14.45 on Wed 06/09/2010

Internet Explorer: 8.0.6001.18702

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.992.342 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\WINDOWS\system32\svchost.exe -k hpdevmgmt

C:\WINDOWS\system32\svchost.exe -k HPService

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\LogMeIn\x86\RaMaint.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\oodag.exe

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\LogMeIn\x86\LogMeIn.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\keyhook.exe

C:\WINDOWS\htpatch.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\Microsoft IntelliPoint\ipoint.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Symantec AntiVirus\DoScan.exe

C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Program Files\Windows Defender\MSASCui.exe

C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\LogMeIn\x86\LMIGuardian.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\WINDOWS\system32\sistray.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

C:\Documents and Settings\Steve\Desktop\dds.scr

============== Pseudo HJT Report ===============

uInternet Settings,ProxyOverride = *.local

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [siS Windows KeyHook] c:\windows\system32\keyhook.exe

mRun: [HTpatch] c:\windows\htpatch.exe

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~1\VPTray.exe

mRun: [intelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [OODefragTray] c:\windows\system32\oodtray.exe

mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL

Trusted Zone: microsoft.com\update

Trusted Zone: microsoft.com\windowsupdate

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab

DPF: {32C3FEAE-0877-4767-8C20-62A5829A0945} - hxxp://static.ak.facebook.com/fbplugin/win32/axfbootloader.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1265941972359

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1265942047359

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

Notify: LMIinit - LMIinit.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2009-6-14 339328]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2009-6-14 55168]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2009-8-3 191848]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2009-8-3 169320]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2008-8-11 12856]

R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2010-2-20 47640]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-9 304464]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2009-9-1 1966008]

R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-5-27 102448]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-9 20952]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100609.003\naveng.sys [2010-6-9 85552]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100609.003\navex15.sys [2010-6-9 1347504]

R3 SMCWPCIG;SMCWPCI-G 54Mbps Wireless PCI adapter Service;c:\windows\system32\drivers\SMCWPCIG.sys [2010-3-6 458208]

S1 PDRV;PDRV;\??\c:\windows\system32\drivers\pdrv.sys --> c:\windows\system32\drivers\PDRV.sys [?]

S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2009-9-1 116664]

S3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.sys [2004-4-21 16384]

S4 LMIRfsClientNP;LMIRfsClientNP; [x]

=============== Created Last 30 ================

2010-06-10 00:47:49 0 ----a-w- c:\documents and settings\steve\defogger_reenable

2010-06-09 23:03:37 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-06-09 23:03:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-06-09 22:47:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-06-09 22:47:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-06-09 22:47:39 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-06-09 00:48:32 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-06-07 23:47:27 0 d-----w- c:\docume~1\steve\applic~1\Malwarebytes

2010-06-07 22:27:44 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-05-19 20:59:10 73728 ----a-w- c:\windows\system32\javacpl.cpl

2010-05-19 20:59:10 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-05-21 19:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe

============= FINISH: 20:05:23.48 ===============

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4184

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

6/9/2010 6:00:34 PM

mbam-log-2010-06-09 (18-00-34).txt

Scan type: Full scan (C:\|)

Objects scanned: 20877

Time elapsed: 10 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

17:49:52 Steve MESSAGE Protection started successfully

17:50:03 Steve MESSAGE IP Protection started successfully

17:50:03 Steve IP-BLOCK 94.228.209.202

17:50:03 Steve IP-BLOCK 94.228.209.202

17:50:05 Steve IP-BLOCK 64.106.198.74

17:50:06 Steve IP-BLOCK 94.228.209.202

17:50:06 Steve IP-BLOCK 94.228.209.202

17:50:07 Steve IP-BLOCK 94.228.209.202

17:50:08 Steve IP-BLOCK 64.106.198.74

17:50:12 Steve IP-BLOCK 94.228.209.202

17:50:12 Steve IP-BLOCK 94.228.209.202

17:50:24 Steve IP-BLOCK 64.106.198.74

17:50:27 Steve IP-BLOCK 64.106.198.74

17:50:33 Steve IP-BLOCK 64.106.198.74

17:50:37 Steve IP-BLOCK 94.228.209.202

17:50:40 Steve IP-BLOCK 94.228.209.202

17:50:46 Steve IP-BLOCK 94.228.209.202

17:53:48 Steve IP-BLOCK 94.228.209.202

17:53:51 Steve IP-BLOCK 94.228.209.202

17:53:57 Steve IP-BLOCK 94.228.209.202

17:54:46 Steve IP-BLOCK 64.106.198.74

17:54:49 Steve IP-BLOCK 64.106.198.74

17:54:55 Steve IP-BLOCK 64.106.198.74

17:58:48 Steve IP-BLOCK 85.12.46.158

17:58:51 Steve IP-BLOCK 85.12.46.158

17:58:57 Steve IP-BLOCK 85.12.46.158

17:59:09 Steve IP-BLOCK 85.12.46.157

17:59:12 Steve IP-BLOCK 85.12.46.157

17:59:18 Steve IP-BLOCK 85.12.46.157

17:59:31 Steve IP-BLOCK 85.12.46.155

17:59:34 Steve IP-BLOCK 85.12.46.155

17:59:40 Steve IP-BLOCK 85.12.46.155

17:59:52 Steve IP-BLOCK 85.12.46.155

17:59:55 Steve IP-BLOCK 85.12.46.155

18:00:01 Steve IP-BLOCK 85.12.46.155

18:00:13 Steve IP-BLOCK 85.12.46.158

18:00:16 Steve IP-BLOCK 85.12.46.158

18:00:22 Steve IP-BLOCK 85.12.46.158

18:00:34 Steve IP-BLOCK 91.212.226.130

18:00:37 Steve IP-BLOCK 91.212.226.130

18:00:43 Steve IP-BLOCK 91.212.226.130

18:00:55 Steve IP-BLOCK 91.212.226.178

18:00:58 Steve IP-BLOCK 91.212.226.178

18:01:04 Steve IP-BLOCK 91.212.226.178

18:01:17 Steve IP-BLOCK 85.12.46.158

18:01:19 Steve IP-BLOCK 85.12.46.158

18:01:25 Steve IP-BLOCK 85.12.46.158

18:18:54 Steve IP-BLOCK 94.228.209.200

18:18:57 Steve IP-BLOCK 94.228.209.200

18:19:03 Steve IP-BLOCK 94.228.209.200

18:41:16 Steve IP-BLOCK 94.228.209.200

18:41:19 Steve IP-BLOCK 94.228.209.200

18:41:25 Steve IP-BLOCK 94.228.209.200

19:05:39 Steve IP-BLOCK 94.228.209.200

19:05:42 Steve IP-BLOCK 94.228.209.200

19:05:48 Steve IP-BLOCK 94.228.209.200

19:12:01 Steve IP-BLOCK 94.228.209.200

19:12:04 Steve IP-BLOCK 94.228.209.200

19:12:10 Steve IP-BLOCK 94.228.209.200

19:13:04 Steve IP-BLOCK 85.12.46.158

19:13:07 Steve IP-BLOCK 85.12.46.158

19:13:13 Steve IP-BLOCK 85.12.46.158

19:13:25 Steve IP-BLOCK 85.12.46.157

19:13:28 Steve IP-BLOCK 85.12.46.157

19:13:34 Steve IP-BLOCK 85.12.46.157

19:13:55 Steve IP-BLOCK 85.12.46.155

19:13:58 Steve IP-BLOCK 85.12.46.155

19:14:04 Steve IP-BLOCK 85.12.46.155

19:14:16 Steve IP-BLOCK 85.12.46.155

19:14:19 Steve IP-BLOCK 85.12.46.155

19:14:25 Steve IP-BLOCK 85.12.46.155

19:14:37 Steve IP-BLOCK 85.12.46.158

19:14:40 Steve IP-BLOCK 85.12.46.158

19:14:46 Steve IP-BLOCK 85.12.46.158

19:14:58 Steve IP-BLOCK 91.212.226.130

19:15:01 Steve IP-BLOCK 91.212.226.130

19:15:07 Steve IP-BLOCK 91.212.226.130

19:15:19 Steve IP-BLOCK 91.212.226.178

19:15:22 Steve IP-BLOCK 91.212.226.178

19:15:28 Steve IP-BLOCK 91.212.226.178

19:15:40 Steve IP-BLOCK 85.12.46.158

19:15:43 Steve IP-BLOCK 85.12.46.158

19:15:49 Steve IP-BLOCK 85.12.46.158

19:15:58 Steve IP-BLOCK 208.87.33.151

19:16:01 Steve IP-BLOCK 208.87.33.151

19:23:22 Steve IP-BLOCK 94.228.209.200

19:23:25 Steve IP-BLOCK 94.228.209.200

19:23:31 Steve IP-BLOCK 94.228.209.200

19:40:34 Steve IP-BLOCK 91.212.226.67

19:40:36 Steve IP-BLOCK 91.212.226.67

19:40:42 Steve IP-BLOCK 91.212.226.67

19:56:43 (null) IP-BLOCK 94.228.209.200

19:56:46 (null) IP-BLOCK 94.228.209.200

20:02:09 Steve MESSAGE Protection started successfully

20:02:17 Steve MESSAGE IP Protection started successfully

20:07:53 Steve IP-BLOCK 94.228.209.200

20:07:56 Steve IP-BLOCK 94.228.209.200

20:08:02 Steve IP-BLOCK 94.228.209.200

20:08:52 Steve IP-BLOCK 94.228.209.200

20:08:55 Steve IP-BLOCK 94.228.209.200

20:09:01 Steve IP-BLOCK 94.228.209.200

20:20:13 Steve IP-BLOCK 94.228.209.200

20:20:16 Steve IP-BLOCK 94.228.209.200

20:20:22 Steve IP-BLOCK 94.228.209.200

20:45:34 Steve IP-BLOCK 94.228.209.200

20:45:37 Steve IP-BLOCK 94.228.209.200

20:45:43 Steve IP-BLOCK 94.228.209.200

20:57:55 Steve IP-BLOCK 94.228.209.200

20:57:58 Steve IP-BLOCK 94.228.209.200

20:58:04 Steve IP-BLOCK 94.228.209.200

21:10:46 Steve IP-BLOCK 91.212.226.67

21:10:49 Steve IP-BLOCK 91.212.226.67

21:10:55 Steve IP-BLOCK 91.212.226.67

21:11:09 Steve IP-BLOCK 208.73.210.28

21:11:12 Steve IP-BLOCK 208.73.210.28

21:11:18 Steve IP-BLOCK 208.73.210.28

21:18:16 Steve IP-BLOCK 94.228.209.200

21:18:19 Steve IP-BLOCK 94.228.209.200

21:18:25 Steve IP-BLOCK 94.228.209.200

21:21:07 Steve IP-BLOCK 91.212.226.59

21:21:10 Steve IP-BLOCK 91.212.226.59

21:21:16 Steve IP-BLOCK 91.212.226.59

Please let me know if I have failed to include anything.

Thank you,

-Steve
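The protection log above is the most useful evidence in the post: connections are being blocked with no browser open, the very first block lands in the same second that IP Protection comes up, and every destination is tried in the same 3 s / 6 s retry pattern. The script below, added here as a worked example (it is not part of the original post and not a Malwarebytes tool), parses a constructed excerpt of that log, groups the IP-BLOCK lines by destination, splits them into bursts, counts how many bursts show the 3 s / 6 s retry signature, and lists which destinations were blocked within seconds of protection starting. It assumes the date from the MBAM scan header (6/9/2010) because the protection log carries no date column, and a 30 s gap as the boundary between bursts; both are assumptions, not values from the page.

```python
import re
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed excerpt in the shape of the posted protection log
# ("HH:MM:SS user EVENT detail"); a subset of its lines, not the full log.
SAMPLE_LOG = """\
17:49:52 Steve MESSAGE Protection started successfully
17:50:03 Steve MESSAGE IP Protection started successfully
17:50:03 Steve IP-BLOCK 94.228.209.202
17:50:05 Steve IP-BLOCK 64.106.198.74
17:50:06 Steve IP-BLOCK 94.228.209.202
17:50:12 Steve IP-BLOCK 94.228.209.202
17:58:48 Steve IP-BLOCK 85.12.46.158
17:58:51 Steve IP-BLOCK 85.12.46.158
17:58:57 Steve IP-BLOCK 85.12.46.158
18:18:54 Steve IP-BLOCK 94.228.209.200
18:18:57 Steve IP-BLOCK 94.228.209.200
18:19:03 Steve IP-BLOCK 94.228.209.200
19:56:43 (null) IP-BLOCK 94.228.209.200
19:56:46 (null) IP-BLOCK 94.228.209.200
20:02:09 Steve MESSAGE Protection started successfully
20:02:17 Steve MESSAGE IP Protection started successfully
20:07:53 Steve IP-BLOCK 94.228.209.200
20:07:56 Steve IP-BLOCK 94.228.209.200
20:08:02 Steve IP-BLOCK 94.228.209.200
"""

LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\s+(\S+)\s+(MESSAGE|IP-BLOCK)\s+(.+)$")


def parse_log(text, base_date=date(2010, 6, 9)):
    """Return (timestamp, user, kind, detail) tuples. The log has no date
    column, so base_date (assumed: the date in the MBAM scan header) is used
    for the first line and advanced by a day whenever the clock goes
    backwards, so a log that crosses midnight still orders correctly."""
    events, day, prev = [], base_date, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not an MBAM protection line
        h, mi, s, user, kind, detail = m.groups()
        ts = datetime(day.year, day.month, day.day, int(h), int(mi), int(s))
        if prev is not None and ts < prev:
            day, ts = day + timedelta(days=1), ts + timedelta(days=1)
        prev = ts
        events.append((ts, user, kind, detail.strip()))
    return events


def split_bursts(times, max_gap=30):
    """Split one destination's attempts into bursts; a gap longer than max_gap
    seconds (assumed threshold, well above the 3 s / 6 s retry gaps in the
    log) starts a new burst."""
    bursts = []
    for ts in sorted(times):
        if bursts and (ts - bursts[-1][-1]).total_seconds() <= max_gap:
            bursts[-1].append(ts)
        else:
            bursts.append([ts])
    return bursts


def seconds_between(stamps):
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def summarize(events, max_gap=30, retry_signature=(3, 6)):
    """Per destination IP: attempt count, burst sizes, how many bursts show
    the retry signature (gaps of 3 s then 6 s), and seconds between bursts."""
    by_ip = defaultdict(list)
    for ts, _user, kind, detail in events:
        if kind == "IP-BLOCK":
            by_ip[detail].append(ts)
    summary = {}
    for ip, times in by_ip.items():
        bursts = split_bursts(times, max_gap)
        summary[ip] = {
            "attempts": len(times),
            "burst_sizes": [len(b) for b in bursts],
            "retry_matches": sum(tuple(seconds_between(b)) == retry_signature for b in bursts),
            "seconds_between_bursts": seconds_between([b[0] for b in bursts]),
        }
    return summary


def blocks_at_startup(events, window=10):
    """IPs blocked within `window` seconds of each 'IP Protection started'.
    A block in the same second protection comes up means the connecting
    process was already running: it starts with Windows, not with a browser."""
    result, start, key = {}, None, None
    for ts, _user, kind, detail in events:
        if kind == "MESSAGE" and detail.startswith("IP Protection started"):
            start, key = ts, ts.strftime("%Y-%m-%d %H:%M:%S")
            result[key] = []
        elif kind == "IP-BLOCK" and start is not None and (ts - start).total_seconds() <= window:
            if detail not in result[key]:
                result[key].append(detail)
    return result


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in sorted(summarize(evs).items(), key=lambda kv: -kv[1]["attempts"]):
        print(ip, info)
    print("blocked right after IP Protection start:", blocks_at_startup(evs))
```

Run it against the full log pasted above (saved to a file and read in place of SAMPLE_LOG) and the output gives the helper two things the scanner results do not: the list of destinations that are contacted before any user program could have started, which points at an autostart or service rather than a browser add-on, and the identical retry cadence across all of them, which indicates a single component cycling through a target list rather than several unrelated infections.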
