Thinkpoint & TDL4 rootkit

Hi. I've got a doozy here. Originally started as a Thinkpoint infection, which I was able to clear up. But now there seems to be a rootkit problem, as well as other issues (DNS cannot resolve malwarebytes.org, Google redirects, etc.). I'm turning to the experts - please help!



DDS (Ver_10-11-09.01) - NTFSx86
Run by Administrator at 15:33:49.39 on Tue 11/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.217 [GMT -8:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\qipclnt.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\Program Files\Microsoft Firewall Client 2004\FwcMgmt.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Paltronics\OneLink Slots Director 2.0.8.44777\SlotsDirector.PlayerTrackingServerWindowsService.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Paltronics\OneLink Slots Director 2.0.8.44777\SlotsDirector.OneLinkSlotsFloorWindowsService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Logitech\SetPointP\LU\LULnchr.exe
C:\Program Files\Logitech\SetPointP\LU\LogitechUpdate.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.atronic.com/
uInternet Settings,ProxyServer = usproxy.gg:3128
uInternet Settings,ProxyOverride = <local>
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\landesk\ldclient\softmon.exe,
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [HNUGROXRrse] c:\docume~1\admini~1\locals~1\temp\svchost.exe
uRun: [MKfa] c:\windows\win.exe
uRun: [MKcZ] c:\windows\mdm.exe
uRun: [HNUGROXRmSc] c:\docume~1\admini~1\locals~1\temp\avp32.exe
uRun: [MKbta] c:\windows\install.exe
uRun: [MKfre] c:\windows\wininst.exe
uRun: [MKasc] c:\windows\drweb.exe
uRun: [HNUGROXRnoc] c:\docume~1\admini~1\locals~1\temp\debug.exe
uRun: [MKeg] c:\windows\smss.exe
uRun: [MKdw+] c:\windows\nvsvc32.exe
uRun: [HNUGROXRpw+] c:\docume~1\admini~1\locals~1\temp\nvsvc32.exe
uRun: [MKeuf] c:\windows\spoolsv.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [IntelAPMClient] "c:\program files\landesk\ldclient\amclient.exe" /apm /s /ro
mRun: [SDClientMonitor] "c:\program files\landesk\ldclient\webportal\sdclientmonitor.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [<NO NAME>]
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\hardcopy.lnk - c:\program files\hardcopy\hardcopy.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft firewall client 2004\FwcMgmt.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
LSP: c:\program files\microsoft firewall client 2004\FwcWsp.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1260731960471
DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1257524397207
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sap\frontend\controls\SAPHTMLP.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\docume~1\admini~1\locals~1\temp\sas_selfextract\SASDIFSV.SYS [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\docume~1\admini~1\locals~1\temp\sas_selfextract\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [2010-4-1 20968]
R2 FwcAgent;Firewall Client Agent;c:\program files\microsoft firewall client 2004\FwcAgent.exe [2006-12-9 128832]
R2 HiiLib32;HiiLib32;c:\windows\system32\drivers\HiiLib32.sys [2004-3-1 102352]
R2 OneLink Player Tracking 2.0.8.44777;OneLink Player Tracking 2.0.8.44777;c:\program files\paltronics\onelink slots director 2.0.8.44777\SlotsDirector.PlayerTrackingServerWindowsService.exe [2009-9-1 10240]
R2 OneLink Slots Poller 2.0.8.44777;OneLink Slots Poller 2.0.8.44777;c:\program files\paltronics\onelink slots director 2.0.8.44777\SlotsDirector.OneLinkSlotsFloorWindowsService.exe [2009-9-1 28672]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
R2 VirtualDrive;VirtualDrive;c:\program files\all image\vdd-x86.sys [2010-7-20 10752]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [2007-5-8 196480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-7-7 102448]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2007-5-7 5120]
R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [2009-11-10 40848]
R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [2009-11-10 10384]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2007-5-7 6656]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20101108.002\naveng.sys [2010-11-9 86064]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20101108.002\navex15.sys [2010-11-9 1371184]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate1ca2778a0e573b0;Google Update Service (gupdate1ca2778a0e573b0);c:\program files\google\update\GoogleUpdate.exe [2009-8-27 133104]
S2 vzpvw;Update Task;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\drivers\drxvi314.sys [2009-10-24 233472]
S3 bcmbusctr;Beceem Devices' Enumerator Driver;c:\windows\system32\drivers\BcmBusCtr.sys [2009-10-24 54784]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [2007-5-8 6844]
S3 MeiUsb;MEI USB Driver;c:\windows\system32\drivers\MeiUsb.sys [2009-1-7 9599]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 W3pnrsrvf;W3pnrsrvf; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 aqkdlp;aqkdlp;c:\windows\system32\drivers\aqkdlp.sys [2010-10-23 0]

=============== Created Last 30 ================

2010-11-09 23:19:41 1033728 ----a-w- c:\windows\OLDB.tmp
2010-11-09 21:40:23 -------- d-----w- c:\program files\CCleaner
2010-11-09 02:04:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-11-09 02:04:50 -------- d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-11-09 01:20:40 0 ----a-w- c:\windows\Udenafuxujabowix.bin
2010-11-09 01:20:35 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\{16610BFB-5634-4D32-9942-A571646F0F5E}
2010-11-09 01:19:07 761856 ----a-w- c:\windows\system32\drivers\dxeswiwx.sys
2010-11-09 01:18:52 -------- d-----w- c:\docume~1\alluse~1\applic~1\bEiHl02038
2010-11-09 01:18:42 209 ----a-w- c:\docume~1\admini~1\applic~1\sdrfzfgd.bat
2010-11-09 01:18:39 -------- d-----w- c:\docume~1\alluse~1\applic~1\WSTB
2010-11-09 01:10:32 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-11-09 01:08:47 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Ahead
2010-11-09 01:08:37 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-11-09 01:08:09 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2010-11-08 11:54:41 -------- d-----w- c:\windows\Recent
2010-10-23 23:21:08 54016 ----a-w- c:\windows\system32\drivers\gtyicvir.sys
2010-10-23 18:38:32 0 ----a-w- c:\windows\system32\drivers\aqkdlp.sys

==================== Find3M ====================

2010-11-09 23:15:44 507904 ----a-w- c:\windows\system32\winlogon.exe

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: FUJITSU_MHV2040AH rev.00830096 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87359446]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8735f504]; MOV EAX, [0x8735f580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8734AAB8]
3 CLASSPNP[0xF782EFD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\000000a3[0x87346750]
5 ACPI[0xF77A5620] -> nt!IofCallDriver[0x804E37D5] -> [0x8734D940]
\Driver\atapi[0x872DC368] -> IRP_MJ_CREATE -> 0x87359446
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskFUJITSU_MHV2040AH_______________________00830096#5&94ae9cc&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x87359292
user != kernel MBR !!!
sectors 78140158 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 15:35:48.83 ===============

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Watch this topic. Click on this then choose Immediate E-Mail notification and then Proceed and you will be advised when I respond to your topic by email.

After 5 days if your topic is not replied I we assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.





Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.
  
  
• Double click on thcbytes.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

How is your computer running now?

Regards,
thcbytes

Thanks for your quick response!
Still cannot access certain websites (malwarebytes.org, microsoft.com, etc.) after running Combofix. Log below.




ComboFix 10-11-09.01 - Administrator 11/09/2010 18:31:16.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.450 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\Bleeping Computer\thcbytes.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\install
c:\documents and settings\Administrator\Desktop\System Tool 2011.lnk
c:\documents and settings\Administrator\Local Settings\Application Data\{16610BFB-5634-4D32-9942-A571646F0F5E}
c:\documents and settings\Administrator\Local Settings\Application Data\{16610BFB-5634-4D32-9942-A571646F0F5E}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{16610BFB-5634-4D32-9942-A571646F0F5E}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{16610BFB-5634-4D32-9942-A571646F0F5E}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{16610BFB-5634-4D32-9942-A571646F0F5E}\install.rdf
c:\documents and settings\Administrator\Start Menu\Programs\System Tool
c:\documents and settings\Administrator\Start Menu\Programs\System Tool\System Tool 2011.lnk
c:\documents and settings\All Users\Application Data\bEiHl02038
c:\documents and settings\All Users\Application Data\bEiHl02038\bEiHl02038
c:\documents and settings\All Users\Application Data\bEiHl02038\bEiHl02038.exe
c:\documents and settings\G018152\Application Data\3C83AC58B81CA0E47E0A563E916AD92F
c:\documents and settings\G018152\Application Data\3C83AC58B81CA0E47E0A563E916AD92F\enemies-names.txt
c:\documents and settings\G018152\Application Data\3C83AC58B81CA0E47E0A563E916AD92F\formtell70700loadraw.exe
c:\documents and settings\G018152\Application Data\3C83AC58B81CA0E47E0A563E916AD92F\local.ini
c:\documents and settings\G018152\Application Data\3C83AC58B81CA0E47E0A563E916AD92F\lsrslt.ini
c:\documents and settings\G018152\Application Data\install
c:\documents and settings\G018152\g2mdlhlpx.exe
c:\documents and settings\G018152\System
c:\documents and settings\G018152\System\win_qs8.jqx
C:\Install.exe
c:\windows\system32\regedit.exe
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job

Infected copy of c:\windows\system32\DRIVERS\intelide.sys was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\intelide.sys

.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4


((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-10 02:42 . 2010-11-10 02:42 4096 ----a-w- c:\windows\system32\06.tmp
2010-11-09 21:40 . 2010-11-09 21:40 -------- d-----w- c:\program files\CCleaner
2010-11-09 02:04 . 2010-11-09 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-09 02:04 . 2010-11-09 02:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-11-09 01:20 . 2010-11-09 01:20 0 ----a-w- c:\windows\Udenafuxujabowix.bin
2010-11-09 01:19 . 2010-11-10 02:45 761856 ----a-w- c:\windows\system32\drivers\dxeswiwx.sys
2010-11-09 01:18 . 2010-11-09 01:18 209 ----a-w- c:\documents and settings\Administrator\Application Data\sdrfzfgd.bat
2010-11-09 01:18 . 2010-11-09 18:49 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2010-11-09 01:10 . 2010-11-09 01:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-11-08 11:54 . 2010-11-08 11:54 -------- d-----w- c:\windows\Recent
2010-10-23 23:21 . 2010-10-23 23:21 54016 ----a-w- c:\windows\system32\drivers\gtyicvir.sys
2010-10-23 18:40 . 2010-10-23 22:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-10-23 18:38 . 2010-10-23 18:38 196 ----a-w- c:\documents and settings\G018152\Application Data\10855.bat
2010-10-23 18:38 . 2010-10-23 23:22 0 ----a-w- c:\windows\system32\drivers\aqkdlp.sys
2010-10-23 18:37 . 2010-11-09 18:49 -------- d-----w- c:\documents and settings\G018152\Application Data\Etho
2010-10-23 18:37 . 2010-10-23 22:52 -------- d-----w- c:\documents and settings\G018152\Application Data\Uhweix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-09 23:15 . 2006-02-28 12:00 507904 ----a-w- c:\windows\system32\winlogon.exe
2010-11-09 21:58 . 2010-08-27 01:15 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-08-27 01:16 . 2010-08-27 01:16 53248 ----a-r- c:\documents and settings\G018152\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
.

------- Sigcheck -------

[-] 2010-11-09 . 2DD2B32BB307DABF830D33AE4295CDA4 . 507904 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2006-02-28 . 01C3346C241652F43AED8E2149881BFE . 502272 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 88209]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"IntelAPMClient"="c:\program files\LANDesk\LDClient\amclient.exe" [2005-08-09 307459]
"SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2004-12-20 253952]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-03 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-03 692316]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Firewall Client Management.lnk - c:\program files\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-12-9 117568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 07:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 12:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2009-11-06 18:14 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-05-30 00:33 52840 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-27 16:15 136176 ----atw- c:\documents and settings\G018152\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-06-10 03:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-25 00:06 1840424 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-07-09 23:39 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxAssistant]
2003-06-27 07:29 90112 ----a-w- c:\program files\Common Files\Roxio Shared\Upgrade\roxassist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-06-27 07:21 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-02 01:44 65536 -c--a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
2009-03-20 02:30 7308584 ----a-w- c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 10:43 83608 -c--a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2007-10-08 04:48 125368 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"NMIndexingService"=3 (0x3)
"wlidsvc"=2 (0x2)
"gupdate1ca2778a0e573b0"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"5427:TCP"= 5427:TCP:adqphyn

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [4/1/2010 12:30 PM 20968]
R2 FwcAgent;Firewall Client Agent;c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe [12/9/2006 6:04 PM 128832]
R2 HiiLib32;HiiLib32;c:\windows\system32\drivers\HiiLib32.sys [3/1/2004 1:51 PM 102352]
R2 OneLink Player Tracking 2.0.8.44777;OneLink Player Tracking 2.0.8.44777;c:\program files\Paltronics\OneLink Slots Director 2.0.8.44777\SlotsDirector.PlayerTrackingServerWindowsService.exe [9/1/2009 6:14 PM 10240]
R2 OneLink Slots Poller 2.0.8.44777;OneLink Slots Poller 2.0.8.44777;c:\program files\Paltronics\OneLink Slots Director 2.0.8.44777\SlotsDirector.OneLinkSlotsFloorWindowsService.exe [9/1/2009 6:14 PM 28672]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]
R2 VirtualDrive;VirtualDrive;c:\program files\All Image\vdd-x86.sys [7/20/2010 1:10 AM 10752]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [5/8/2007 8:38 AM 196480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/7/2010 6:52 AM 102448]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [5/7/2007 1:20 PM 5120]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [5/7/2007 1:20 PM 6656]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate1ca2778a0e573b0;Google Update Service (gupdate1ca2778a0e573b0);c:\program files\Google\Update\GoogleUpdate.exe [8/27/2009 4:43 PM 133104]
S2 vzpvw;Update Task;c:\windows\system32\svchost.exe -k netsvcs [2/28/2006 4:00 AM 14336]
S3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\drivers\drxvi314.sys [10/24/2009 10:46 AM 233472]
S3 bcmbusctr;Beceem Devices' Enumerator Driver;c:\windows\system32\drivers\BcmBusCtr.sys [10/24/2009 10:46 AM 54784]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [11/10/2009 3:54 AM 40848]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [11/10/2009 3:54 AM 10384]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [5/8/2007 8:38 AM 6844]
S3 MeiUsb;MEI USB Driver;c:\windows\system32\drivers\MeiUsb.sys [1/7/2009 2:45 PM 9599]
S3 W3pnrsrvf;W3pnrsrvf; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 4:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 aqkdlp;aqkdlp;c:\windows\system32\drivers\aqkdlp.sys [10/23/2010 10:38 AM 0]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/3/2009 2:33 PM 721904]

--- Other Services/Drivers In Memory ---

*Deregistered* - dxeswiwx

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
vzpvw
.
Contents of the 'Scheduled Tasks' folder

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-28 00:43]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-28 00:43]

2010-10-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-909772816-612835887-627194967-17720Core.job
- c:\documents and settings\G018152\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-12 16:15]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-909772816-612835887-627194967-17720UA.job
- c:\documents and settings\G018152\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-12 16:15]

2010-11-10 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-08-02 17:29]

2010-11-10 c:\windows\Tasks\User_Feed_Synchronization-{93C043FF-EF8E-4D9B-BF22-7176F089697B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.atronic.com/
uInternet Settings,ProxyServer = usproxy.gg:3128
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client 2004\FwcWsp.dll
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-MKfa - c:\windows\win.exe
HKCU-Run-MKcZ - c:\windows\mdm.exe
HKCU-Run-MKbta - c:\windows\install.exe
HKCU-Run-MKfre - c:\windows\wininst.exe
HKCU-Run-MKasc - c:\windows\drweb.exe
HKCU-Run-MKeg - c:\windows\smss.exe
HKCU-Run-MKdw+ - c:\windows\nvsvc32.exe
HKCU-Run-MKeuf - c:\windows\spoolsv.exe
MSConfigStartUp-Adobe Acrobat Synchronizer - c:\program files\Adobe\Acrobat 8.0\Acrobat\AdobeCollabSync.exe
MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
MSConfigStartUp-Clearwire Connection Manager - c:\program files\Clearwire\Connection Manager\ClearwireCM.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
AddRemove-HijackThis - b:\hijackthis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-09 18:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\dxeswiwx]

--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vzpvw]
"ServiceDll"="c:\windows\system32\pakuqf.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1296045835-834605719-1369985625-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,45,25,99,99,63,99,44,83,73,ab,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,45,25,99,99,63,99,44,83,73,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1820)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

- - - - - - - > 'explorer.exe'(3468)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDClient\qipclnt.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\AGRSMMSG.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Logitech\SetPointP\LU\LULnchr.exe
c:\program files\Logitech\SetPointP\LU\LogitechUpdate.exe
.
**************************************************************************
.
Completion time: 2010-11-09 18:50:39 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-10 02:50

Pre-Run: 5,443,211,264 bytes free
Post-Run: 5,322,301,440 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 0892A7D8D4ADEE742CF5638812DDEC14

Well done.

Please sign off here or I will close this thread.
http://www.dslreports.com/forum/r25054932-Rootkit-Thinkpoint-rootkit-infection

==========

What a mess. Your still infected but were moving in the right direction.

Please note...

One or more of the identified infections was a Backdoor trojan/Rootkit.

This can allow hackers to potentially remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and killed, because of it's backdoor functionality, your PC might be compromised to a point that there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

I can still clean this machine but I can't guarantee that it will be 100% secure afterwards. If after careful consideration you have decided to move forward with cleanup then please proceed as I have outlined below.

==========

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the all of the text in the quotebox below (including the hyperlink if present but excluding the word "quote" ) into it:

4. Combofix might upload a few suspicious files. Please allow this!!

http://www.bleepingcomputer.com/forums/topic359528.html/page__pid__2010952#entry2010952

Collect::
c:\windows\system32\06.tmp
c:\windows\Udenafuxujabowix.bin
c:\windows\system32\drivers\dxeswiwx.sys
c:\documents and settings\Administrator\Application Data\sdrfzfgd.bat
c:\windows\system32\drivers\gtyicvir.sys
c:\documents and settings\G018152\Application Data\10855.bat
c:\windows\system32\drivers\aqkdlp.sys

DirLook::
c:\documents and settings\G018152\Application Data\Etho
c:\documents and settings\G018152\Application Data\Uhweix

FCopy::
c:\windows\ServicePackFiles\i386\winlogon.exe | c:\windows\system32\winlogon.exe

Folder::
c:\documents and settings\All Users\Application Data\WSTB

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5427:TCP"=-

Driver::
vzpvw
aqkdlp
dxeswiwx
gtyicvir

NetSvc::
vzpvw

DDS::
uInternet Settings,ProxyServer = usproxy.gg:3128

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

==========

• Have you signed off at the other site?
• How is your computer running now?

Regards,
thcbytes

The post on the other site is deleted. Sorry for that.

What a mess indeed! I only save the good ones for the experts. ;) DNS issues appear to be resolved (able to access malwarebytes.org, microsoft.com, etc.). Google redirects appear to be gone. IE keeps saying it is not the default browser for some reason. Looking good!




ComboFix 10-11-09.01 - Administrator 11/10/2010 7:51.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.383 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\Bleeping Computer\thcbytes.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\Bleeping Computer\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

file zipped: c:\documents and settings\Administrator\Application Data\sdrfzfgd.bat
file zipped: c:\documents and settings\G018152\Application Data\10855.bat
file zipped: c:\windows\system32\drivers\aqkdlp.sys
file zipped: c:\windows\system32\drivers\dxeswiwx.sys
file zipped: c:\windows\system32\drivers\gtyicvir.sys
file zipped: c:\windows\Udenafuxujabowix.bin
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\sdrfzfgd.bat
c:\documents and settings\All Users\Application Data\WSTB
c:\documents and settings\G018152\Application Data\10855.bat
c:\windows\system32\drivers\aqkdlp.sys
c:\windows\system32\drivers\dxeswiwx.sys
c:\windows\system32\drivers\gtyicvir.sys
c:\windows\Udenafuxujabowix.bin

.
--------------- FCopy ---------------

c:\windows\ServicePackFiles\i386\winlogon.exe --> c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_AQKDLP
-------\Legacy_DXESWIWX
-------\Legacy_VZPVW
-------\Service_aqkdlp
-------\Service_dxeswiwx
-------\Service_vzpvw


((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-10 02:16 . 2010-11-10 02:50 -------- d-----w- C:\thcbytes
2010-11-09 21:40 . 2010-11-09 21:40 -------- d-----w- c:\program files\CCleaner
2010-11-09 02:04 . 2010-11-09 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-09 02:04 . 2010-11-09 02:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-11-09 01:10 . 2010-11-09 01:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-11-08 11:54 . 2010-11-08 11:54 -------- d-----w- c:\windows\Recent
2010-10-23 18:40 . 2010-10-23 22:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-10-23 18:37 . 2010-11-09 18:49 -------- d-----w- c:\documents and settings\G018152\Application Data\Etho
2010-10-23 18:37 . 2010-10-23 22:52 -------- d-----w- c:\documents and settings\G018152\Application Data\Uhweix

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-09 21:58 . 2010-08-27 01:15 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-08-27 01:16 . 2010-08-27 01:16 53248 ----a-r- c:\documents and settings\G018152\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\G018152\Application Data\Etho ----


---- Directory of c:\documents and settings\G018152\Application Data\Uhweix ----

2010-10-23 23:20 . 2010-10-23 23:20 605 ----a-w- c:\documents and settings\G018152\Application Data\Uhweix\ociki.erz


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 88209]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"IntelAPMClient"="c:\program files\LANDesk\LDClient\amclient.exe" [2005-08-09 307459]
"SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2004-12-20 253952]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-03 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-03 692316]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Firewall Client Management.lnk - c:\program files\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-12-9 117568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 07:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 12:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2009-11-06 18:14 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-05-30 00:33 52840 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-27 16:15 136176 ----atw- c:\documents and settings\G018152\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-06-10 03:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-25 00:06 1840424 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-07-09 23:39 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxAssistant]
2003-06-27 07:29 90112 ----a-w- c:\program files\Common Files\Roxio Shared\Upgrade\roxassist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-06-27 07:21 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-02 01:44 65536 -c--a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
2009-03-20 02:30 7308584 ----a-w- c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 10:43 83608 -c--a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2007-10-08 04:48 125368 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"NMIndexingService"=3 (0x3)
"wlidsvc"=2 (0x2)
"gupdate1ca2778a0e573b0"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [4/1/2010 12:30 PM 20968]
R2 FwcAgent;Firewall Client Agent;c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe [12/9/2006 6:04 PM 128832]
R2 HiiLib32;HiiLib32;c:\windows\system32\drivers\HiiLib32.sys [3/1/2004 1:51 PM 102352]
R2 OneLink Slots Poller 2.0.8.44777;OneLink Slots Poller 2.0.8.44777;c:\program files\Paltronics\OneLink Slots Director 2.0.8.44777\SlotsDirector.OneLinkSlotsFloorWindowsService.exe [9/1/2009 6:14 PM 28672]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]
R2 VirtualDrive;VirtualDrive;c:\program files\All Image\vdd-x86.sys [7/20/2010 1:10 AM 10752]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [5/8/2007 8:38 AM 196480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/7/2010 6:52 AM 102448]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [5/7/2007 1:20 PM 5120]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [5/7/2007 1:20 PM 6656]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate1ca2778a0e573b0;Google Update Service (gupdate1ca2778a0e573b0);c:\program files\Google\Update\GoogleUpdate.exe [8/27/2009 4:43 PM 133104]
S2 OneLink Player Tracking 2.0.8.44777;OneLink Player Tracking 2.0.8.44777;c:\program files\Paltronics\OneLink Slots Director 2.0.8.44777\SlotsDirector.PlayerTrackingServerWindowsService.exe [9/1/2009 6:14 PM 10240]
S3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\drivers\drxvi314.sys [10/24/2009 10:46 AM 233472]
S3 bcmbusctr;Beceem Devices' Enumerator Driver;c:\windows\system32\drivers\BcmBusCtr.sys [10/24/2009 10:46 AM 54784]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [11/10/2009 3:54 AM 40848]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [11/10/2009 3:54 AM 10384]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [5/8/2007 8:38 AM 6844]
S3 MeiUsb;MEI USB Driver;c:\windows\system32\drivers\MeiUsb.sys [1/7/2009 2:45 PM 9599]
S3 W3pnrsrvf;W3pnrsrvf; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 4:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/3/2009 2:33 PM 721904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-28 00:43]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-28 00:43]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-909772816-612835887-627194967-17720Core.job
- c:\documents and settings\G018152\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-12 16:15]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-909772816-612835887-627194967-17720UA.job
- c:\documents and settings\G018152\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-12 16:15]

2010-11-10 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-08-02 17:29]

2010-11-10 c:\windows\Tasks\User_Feed_Synchronization-{93C043FF-EF8E-4D9B-BF22-7176F089697B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.atronic.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client 2004\FwcWsp.dll
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 08:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1296045835-834605719-1369985625-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,45,25,99,99,63,99,44,83,73,ab,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,45,25,99,99,63,99,44,83,73,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1812)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

- - - - - - - > 'explorer.exe'(3388)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDClient\qipclnt.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\windows\system32\Ati2evxx.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\windows\AGRSMMSG.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\windows\system32\MsPMSPSv.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
c:\program files\Logitech\SetPointP\LU\LULnchr.exe
c:\program files\Logitech\SetPointP\LU\LogitechUpdate.exe
.
**************************************************************************
.
Completion time: 2010-11-10 08:10:24 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-10 16:10
ComboFix2.txt 2010-11-10 02:50

Pre-Run: 5,294,215,168 bytes free
Post-Run: 5,278,978,048 bytes free

- - End Of File - - DDDA8F2DD8C0B4A1513797689B3B9D14

Much better.

This next please..

Warning: This script was specifically written and designed for this user only. Unsupervised use of this tool could render your computer unbootable permanently!!

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the all of the text in the quotebox below (including the hyperlink if present) into it:

4. Combofix might upload a few suspicious files. Please allow this!!

Folder::
c:\documents and settings\G018152\Application Data\Etho
c:\documents and settings\G018152\Application Data\Uhweix

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Regards,
thcbytes

ComboFix 10-11-09.01 - Administrator 11/10/2010 10:28:42.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.372 [GMT -8:00]
Running from: c:\documents and settings\Administrator\Desktop\Bleeping Computer\thcbytes.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\Bleeping Computer\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\G018152\Application Data\Etho
c:\documents and settings\G018152\Application Data\Uhweix
c:\documents and settings\G018152\Application Data\Uhweix\ociki.erz

.
((((((((((((((((((((((((( Files Created from 2010-10-10 to 2010-11-10 )))))))))))))))))))))))))))))))
.

2010-11-10 02:16 . 2010-11-10 02:50 -------- d-----w- C:\thcbytes
2010-11-09 21:40 . 2010-11-09 21:40 -------- d-----w- c:\program files\CCleaner
2010-11-09 02:04 . 2010-11-09 02:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-11-09 02:04 . 2010-11-09 02:04 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-11-09 01:10 . 2010-11-09 01:10 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Ahead
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Logitech
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-11-09 01:08 . 2010-11-09 01:08 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-11-08 11:54 . 2010-11-08 11:54 -------- d-----w- c:\windows\Recent
2010-10-23 18:40 . 2010-10-23 22:46 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-09 21:58 . 2010-08-27 01:15 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2010-08-27 01:16 . 2010-08-27 01:16 53248 ----a-r- c:\documents and settings\G018152\Application Data\Microsoft\Installer\{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}\ARPPRODUCTICON.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AGRSMMSG"="AGRSMMSG.exe" [2005-04-19 88209]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-08 344064]
"IntelAPMClient"="c:\program files\LANDesk\LDClient\amclient.exe" [2005-08-09 307459]
"SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2004-12-20 253952]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-03 102492]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-03 692316]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-01-27 1312848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Firewall Client Management.lnk - c:\program files\Microsoft Firewall Client 2004\FwcMgmt.exe [2006-12-9 117568]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-01-29 21:17 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
2009-10-03 07:32 640376 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Acrobat Speed Launcher]
2009-10-03 12:08 38768 ----a-w- c:\program files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2009-11-06 18:14 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
2007-05-30 00:33 52840 ----a-w- c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-03-27 16:15 136176 ----atw- c:\documents and settings\G018152\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2010-06-10 03:55 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2008-06-25 00:06 1840424 ----a-w- c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-07-09 23:39 570664 ----a-w- c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-27 00:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxAssistant]
2003-06-27 07:29 90112 ----a-w- c:\program files\Common Files\Roxio Shared\Upgrade\roxassist.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-06-27 07:21 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-02 01:44 65536 -c--a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SolidWorks_CheckForUpdates]
2009-03-20 02:30 7308584 ----a-w- c:\program files\Common Files\SolidWorks Installation Manager\Scheduler\sldIMScheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 10:43 83608 -c--a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2007-10-08 04:48 125368 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"NMIndexingService"=3 (0x3)
"wlidsvc"=2 (0x2)
"gupdate1ca2778a0e573b0"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [4/1/2010 12:30 PM 20968]
R2 FwcAgent;Firewall Client Agent;c:\program files\Microsoft Firewall Client 2004\FwcAgent.exe [12/9/2006 6:04 PM 128832]
R2 HiiLib32;HiiLib32;c:\windows\system32\drivers\HiiLib32.sys [3/1/2004 1:51 PM 102352]
R2 OneLink Slots Poller 2.0.8.44777;OneLink Slots Poller 2.0.8.44777;c:\program files\Paltronics\OneLink Slots Director 2.0.8.44777\SlotsDirector.OneLinkSlotsFloorWindowsService.exe [9/1/2009 6:14 PM 28672]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/7/2007 8:48 PM 116664]
R2 VirtualDrive;VirtualDrive;c:\program files\All Image\vdd-x86.sys [7/20/2010 1:10 AM 10752]
R3 CONAN;CONAN;c:\windows\system32\drivers\o2mmb.sys [5/8/2007 8:38 AM 196480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [7/7/2010 6:52 AM 102448]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [5/7/2007 1:20 PM 5120]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [5/7/2007 1:20 PM 6656]
S1 SASDIFSV;SASDIFSV;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\SAS_SelfExtract\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S2 gupdate1ca2778a0e573b0;Google Update Service (gupdate1ca2778a0e573b0);c:\program files\Google\Update\GoogleUpdate.exe [8/27/2009 4:43 PM 133104]
S2 OneLink Player Tracking 2.0.8.44777;OneLink Player Tracking 2.0.8.44777;c:\program files\Paltronics\OneLink Slots Director 2.0.8.44777\SlotsDirector.PlayerTrackingServerWindowsService.exe [9/1/2009 6:14 PM 10240]
S3 bcm;Beceem Communications Inc. Tarang3;c:\windows\system32\drivers\drxvi314.sys [10/24/2009 10:46 AM 233472]
S3 bcmbusctr;Beceem Devices' Enumerator Driver;c:\windows\system32\drivers\BcmBusCtr.sys [10/24/2009 10:46 AM 54784]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\drivers\LEqdUsb.sys [11/10/2009 3:54 AM 40848]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\drivers\LHidEqd.sys [11/10/2009 3:54 AM 10384]
S3 MbxStby;MbxStby;c:\windows\system32\drivers\MbxStby.sys [5/8/2007 8:38 AM 6844]
S3 MeiUsb;MEI USB Driver;c:\windows\system32\drivers\MeiUsb.sys [1/7/2009 2:45 PM 9599]
S3 W3pnrsrvf;W3pnrsrvf; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2/28/2006 4:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [11/3/2009 2:33 PM 721904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-28 00:43]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-08-28 00:43]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-909772816-612835887-627194967-17720Core.job
- c:\documents and settings\G018152\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-12 16:15]

2010-11-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-909772816-612835887-627194967-17720UA.job
- c:\documents and settings\G018152\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-04-12 16:15]

2010-11-10 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-08-02 17:29]

2010-11-10 c:\windows\Tasks\User_Feed_Synchronization-{93C043FF-EF8E-4D9B-BF22-7176F089697B}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.atronic.com/
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Microsoft Firewall Client 2004\FwcWsp.dll
DPF: {AB6633A8-60A9-4F5D-B66C-ABE268CC3227} - hxxp://www.solidworks.com/sw/support/subscription/sldimdownload.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-10 10:35
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1296045835-834605719-1369985625-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,45,25,99,99,63,99,44,83,73,ab,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,de,45,25,99,99,63,99,44,83,73,ab,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1812)
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2010-11-10 10:37:58
ComboFix-quarantined-files.txt 2010-11-10 18:37
ComboFix2.txt 2010-11-10 16:10
ComboFix3.txt 2010-11-10 02:50

Pre-Run: 5,287,600,128 bytes free
Post-Run: 5,268,258,816 bytes free

- - End Of File - - 8BDEDA906A070D19027591E40B49FCC4

Nicely done.

Next..

Please rerun MBAM.

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

• Make sure you are connected to the Internet.
  
  • Update Malwarebytes' Anti-Malware <--- Important!!
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

• If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
• If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

• Make sure the "Perform Quick Scan" option is selected.
• Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

• Click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad.
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
• Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

==========

Then...

Perform an online scan with Kaspersky WebScanner. This can take a long time so please be patient.

If you have troubles getting it to run.... - STOP - and tell me about it!

(Requires free Java Runtime Environment (JRE) be installed before scanning for malware as ActiveX is no longer being used.)

• Click on the ...button.
• The program will launch and fill in the Information section ... on the left.
• Read the "Requirements and Limitations" then press... the ...button.
• The program will begin downloading the latest program and definition files.
  It takes a while... please be patient and let it finish.
• Once the files have been downloaded, click on the ...button.
  In the scan settings make sure the following are selected:
  • Detect malicious programs of the following categories:
    Viruses, Worms, Trojan Horses, Rootkits
    Spyware, Adware, Dialers and other potentially dangerous programs
  • Scan compound files (doesn't apply to the File scan area):
    Archives
    Mail databases
    By default the above items should already be checked.
  • Click the ...button, if you made any changes.
• Now under the Scan section on the left:Select My Computer
• The program will start and scan your system. This will run for a while, be patient... let it run.
  Once the scan is complete, it will display if your system has been infected.
• Save the scan results as a Text file ... save it to your desktop.
• Copy and paste the saved scan results file in your next reply.

Any further troubles?

Regards,
thcbytes

Ran MBAM first, then the Kaspersky, which errored out during the initial update. The error persists after multiple attempts.


Kaspersky error: Update has failed The program could not be started. Please close the window of Kaspersky Online Scanner 7.0 and start the program again from the web site of Kaspersky Lab. Successful updating of Kaspersky Online Scanner 7.0 and scanning of your computer requires uninterrupted Internet connection. Please make sure that the Internet connection is established. [ERROR: License has expired]




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5096

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

11/11/2010 3:55:30 PM
mbam-log-2010-11-11 (15-55-30).txt

Scan type: Quick scan
Objects scanned: 165729
Time elapsed: 7 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 12
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkeg (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugroxrrse (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugroxrmsc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugroxrnoc (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnugroxrpw+ (Trojan.Downloader.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkasc (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkbta (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkcz (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkdw+ (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkeuf (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfa (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mkfre (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This instead...

I'd like us to scan your machine with ESET OnlineScan

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESET OnlineScan
• Click the button.
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the icon on your desktop.
• Check
• Click the button.
• Accept any security warnings from your browser.
• Check
• Push the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
• When the scan completes, push
• Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
• Push the button.
• Push

==========

Update and re-run MBAM. Post the log.

Regards,
thcbytes

Are you still there?

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic