rootkit.boot.sst.b and maybe more

A computer in my office is now infected by rootkit.boot.sst.b and heavens know what else. Google redirects are in full force and I'm getting plenty of pop-ups from Smart HDD. I'm unable to load Malwarebytes even in Safe Mode. I was able to run ESET Online Scanner and it turned up the following:

C:\Documents and Settings\All Users\Application Data\uQPiuYoYUryntvk.exe a variant of Win32/Kryptik.ALTW trojan cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\WFkfyPLJRO.exe Win32/Adware.HDDRescue.AB application cleaned by deleting - quarantined
C:\Documents and Settings\All Users\Application Data\yXptnfAKEwGtwP.exe Win32/Adware.HDDRescue.AB application cleaned by deleting - quarantined
C:\Documents and Settings\OFFICE\viabmhhattppfukegei.exe a variant of Win32/Kryptik.ALTW trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\n a variant of Win32/Kryptik.ALUC trojan cleaned by deleting (after the next restart) - quarantined
C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U\00000004.@ Win32/Conedex.D trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U\00000008.@ Win32/Sirefef.FG trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U\000000cb.@ Win32/Conedex.E trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U\80000000.@ a variant of Win32/Sirefef.FA trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U\80000032.@ a variant of Win32/Sirefef.FD trojan cleaned by deleting - quarantined
C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\n a variant of Win32/Kryptik.ALUC trojan cleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\msiserv.exe a variant of Win32/Kryptik.ALUF trojan cleaned by deleting (after the next restart) - quarantined
Operating memory multiple threats

However, that didn't clean out everything. The DDS log is as follows:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by OFFICE at 12:39:54 on 2012-09-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2037.1527 [GMT -5:00]
.
AV: ESET NOD32 Antivirus 4.0 *Disabled/Outdated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\OFFICE\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\OFFICE\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\OFFICE\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=4090108
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
mSearchAssistant = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80116
mCustomizeSearch = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80116
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: ShopAtHomeIEHelper Class: {e8daaa30-6caa-4b58-9603-8e54238219e2} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
TB: ShopAtHome Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
TB: {D7E97865-918F-41E4-9CD0-25AB1C574CE8} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\office\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [<NO NAME>]
mRun: [Cobian Backup 9] "c:\program files\cobian backup 9\Cobian.exe"
mRun: [egui] "c:\program files\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [syshost32] c:\windows\installer\{2460812c-4fa4-aaf9-6fa9-02414f5707ed}\syshost.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: mswsock.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1262120403597
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1262120397941
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {A796D216-2DE1-4EA8-BABB-FE6E7C959098} - hxxp://www.hp.com/cpso-support-new/SDD/hpsddObjSigned.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{630C88F1-3C10-4C79-95BC-6266A695BD7E} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: intu-help-qb1 - {9B0F96C7-2E4B-433e-ABF3-043BA1B54AE3} - c:\program files\intuit\quickbooks 2008\HelpAsyncPluggableProtocol.dll
Handler: intu-help-qb3 - {c5e479ea-0a65-4b05-8c6c-2fc8cc682eb4} - c:\program files\intuit\quickbooks 2010\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 192.168.1.74 JUSTINSTONER
.
============= SERVICES / DRIVERS ===============
.
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-4-9 108792]
S1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-10-24 96408]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
S2 ekrn;ESET Service;c:\program files\eset\eset nod32 antivirus\ekrn.exe [2009-11-16 735960]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-18 257696]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-2 135664]
S3 HPFXFAX;HPFXFAX;c:\windows\system32\drivers\hpfxfax.sys [2009-1-21 20504]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-9-13 40776]
S3 QuickBooksDB20;QuickBooksDB20;c:\progra~1\intuit\quickb~2\qbdbmgrn.exe -hvquickbooksdb20 --> c:\progra~1\intuit\quickb~2\QBDBMgrN.exe -hvQuickBooksDB20 [?]
S4 QuickBooksDB18;QuickBooksDB18;c:\progra~1\intuit\quickb~1\qbdbmgrn.exe -hvquickbooksdb18 --> c:\progra~1\intuit\quickb~1\QBDBMgrN.exe -hvQuickBooksDB18 [?]
.
=============== Created Last 30 ================
.
2012-09-14 14:19:52 72448 ----a-w- c:\windows\system32\drivers\70ff91dbcb60682f.sys
2012-09-13 16:51:34 -------- d--h--w- C:\TDSSKiller_Quarantine
2012-09-13 16:49:35 -------- d--h--w- c:\documents and settings\office\application data\SUPERAntiSpyware.com
2012-09-13 16:49:23 -------- d--h--w- c:\program files\SUPERAntiSpyware
2012-09-13 16:49:23 -------- d--h--w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-09-13 16:09:05 102400 ---ha-w- c:\windows\RegBootClean.exe
2012-09-13 16:04:21 256904 ---ha-w- c:\windows\system32\drivers\tmcomm.sys
2012-09-13 15:25:36 40776 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
.
==================== Find3M ====================
.
2012-09-07 22:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 12:47:37.37 ===============

GMER Log is attached.

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

• Please do not run any tools unless instructed to do so.
  
  • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
• Please do not attach logs or use code boxes, just copy and paste the text.
  
  • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
• Please read every post completely before doing anything.
  
  • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
• Please provide feedback about your experience as we go.
  
  • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

• Download Security Check by screen317 from here.
• Save it to your Desktop.
• Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

-AdwCleaner-

• Please download AdwCleaner by Xplode onto your desktop.
  
• Close all open programs and internet browsers.
• Double click on AdwCleaner.exe to run the tool.
• Click on Delete.
• Confirm each time with Ok.
• Your computer will be rebooted automatically. A text file will open after the restart.
• Please post the content of that logfile with your next answer.
• You can find the logfile at C:\AdwCleaner[S1].txt as well.

--RogueKiller--

• Download & SAVE to your Desktop RogueKiller or from here
  
• Quit all programs that you may have started.
• Please disconnect any USB or external drives from the computer before you run this scan!
• For Vista or Windows 7, right-click and select "Run as Administrator to start"
• For Windows XP, double-click to start.
• Wait until Prescan has finished ...
• Then Click on "Scan" button
• Wait until the Status box shows "Scan Finished"
• click on "delete"
• Wait until the Status box shows "Deleting Finished"
• Click on "Report" and copy/paste the content of the Notepad into your next reply.
• The log should be found in RKreport[1].txt on your Desktop
• Exit/Close RogueKiller+

Gringo

Hello

48 Hour bump

It has been more than 48 hours since my last post.

• do you still need help with this?
• do you need more time?
• are you having problems following my instructions?
  
• if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

I'm back in the office and have resumed tackling this. Here's what happened:

On Friday, I got through the first two steps before leaving for the day. I ran Security Check and it installed, but it locked up and I received the following message:

The procedure entry point MigrateWinsockConfiguration could not be located in the dynamic link library MSWSOCK.dll

I then attempted to run AdwCleaner, and it generated the following log:

# AdwCleaner v2.001 - Logfile created 09/14/2012 at 17:09:41
# Updated 09/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : OFFICE - MARIA
# Boot Mode : Safe mode with networking
# Running from : C:\Documents and Settings\OFFICE\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files\SelectRebates

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{042DA63B-0933-403D-9395-B49307691690}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8736C681-37A0-40C6-A0F0-4C083409151C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D3D233D5-9F6D-436C-B6C7-E63F77503B30}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D7E97865-918F-41E4-9CD0-25AB1C574CE8}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{042DA63B-0933-403D-9395-B49307691690}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8DAAA30-6CAA-4B58-9603-8E54238219E2}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{4B3803EA-5230-4DC3-A7FC-33638F3D3542}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D7E97865-918F-41E4-9CD0-25AB1C574CE8}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar [{98279C38-DE4B-4BCF-93C9-8EC26069D6F4}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - SearchAssistant] = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80116 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Main - CustomizeSearch] = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80116 --> hxxp://www.google.com
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Search Bar] = hxxp://toolbar.inbox.com/search/dispatcher.aspx?tp=aus&qkw=%s&tbid=%tb_id&%language --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - SearchAssistant] = hxxp://toolbar.inbox.com/search/ie.aspx?tbid=80116 --> hxxp://www.google.com
Replaced : [HKLM\SOFTWARE\Microsoft\Internet Explorer\Search - CustomizeSearch] = hxxp://toolbar.inbox.com/help/sa_customize.aspx?tbid=80116 --> hxxp://www.google.com

-\\ Google Chrome v21.0.1180.89

File : C:\Documents and Settings\OFFICE\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [4462 octets] - [14/09/2012 17:09:41]

########## EOF - C:\AdwCleaner[S1].txt - [4522 octets] ##########

At that point, I left for the day and was planning on picking up where I left off this morning. When I came in, it appeared that the system had restarted itself and was generating fake antivirus warnings, so I decided to start from Step One again. This time, when I ran Security Check, the window would flash for a brief second and it would automatically close itself. ADWCleaner gave me the following:

# AdwCleaner v2.001 - Logfile created 09/17/2012 at 07:55:39
# Updated 09/09/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : OFFICE - MARIA
# Boot Mode : Normal
# Running from : C:\Documents and Settings\OFFICE\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Google Chrome v21.0.1180.89

File : C:\Documents and Settings\OFFICE\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [4591 octets] - [14/09/2012 17:09:41]
AdwCleaner[S2].txt - [840 octets] - [17/09/2012 07:55:39]

########## EOF - C:\AdwCleaner[S2].txt - [899 octets] ##########

Finally, RogueKiller generated this:

RogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : OFFICE [Admin rights]
Mode : Scan -- Date : 09/17/2012 08:01:55

¤¤¤ Bad processes : 8 ¤¤¤
[SUSP PATH] msiserv.exe -- C:\WINDOWS\msiserv.exe -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH] wshus.exe -- C:\Documents and Settings\OFFICE\wshus.exe -> KILLED [TermProc]
[SUSP PATH] plonvv.exe -- C:\Documents and Settings\OFFICE\Application Data\plonvv.exe -> KILLED [TermProc]
[SUSP PATH] fisifp.exe -- C:\Documents and Settings\OFFICE\Application Data\fisifp.exe -> KILLED [TermProc]
[HIDDEN] msiserv.exe -- C:\WINDOWS\msiserv.exe -> KILLED [TermProc]
[HIDDEN] wshus.exe -- C:\Documents and Settings\OFFICE\wshus.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 25 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Wmssso (C:\Documents and Settings\OFFICE\Application Data\Wmssso.scr) -> FOUND
[RUN][BLACKLIST DLL] HKLM\[...]\Run : lgspn (rundll32.exe "C:\Documents and Settings\OFFICE\Application Data\lgspn.dll",Init) -> FOUND
[RUN][BLACKLIST DLL] HKLM\[...]\Run : ortpt ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\OFFICE\Application Data\ortpt.dll",SetClosure) -> FOUND
[RUN][SUSP PATH] HKLM\[...]\Run : Rjk3QTkwMjI3RDYyQkQxQz (C:\Documents and Settings\OFFICE\wshus.exe) -> FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-1811741157-1253689203-1252976962-1005[...]\Run : Wmssso (C:\Documents and Settings\OFFICE\Application Data\Wmssso.scr) -> FOUND
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\n.) -> FOUND
[HJ INPROC][ZeroAccess] HKLM\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\n.) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\n --> FOUND
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\n --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\@ --> FOUND
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\@ --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U --> FOUND
[ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\U --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\L --> FOUND
[ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\L --> FOUND

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
192.168.1.74 JUSTINS


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: MURPHY +++++
--- User ---
[MBR] ff1bd715d82fb5c4e98ab2c654491fb8
[BSP] dc6bdd04f539c665a8c0f9839ea946bc : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 476890 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 32bf2e3bdb3f0dd80b7aad1e5222f68e
[BSP] 21ac8127068de3b58ba176628a160bbc : Windows XP MBR Code [possible maxSST in 2!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 476890 Mo
2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 976752000 | Size: 7 Mo
Error reading LL2 MBR!

Finished : << RKreport[1].txt >>
RKreport[1].txt

________________________________________________

ogueKiller V8.0.3 [09/13/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : OFFICE [Admin rights]
Mode : Remove -- Date : 09/17/2012 08:02:50

¤¤¤ Bad processes : 8 ¤¤¤
[SUSP PATH] msiserv.exe -- C:\WINDOWS\msiserv.exe -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH][DLL] rundll32.exe -- C:\WINDOWS\system32\rundll32.exe : -> KILLED [TermProc]
[SUSP PATH] wshus.exe -- C:\Documents and Settings\OFFICE\wshus.exe -> KILLED [TermProc]
[SUSP PATH] plonvv.exe -- C:\Documents and Settings\OFFICE\Application Data\plonvv.exe -> KILLED [TermProc]
[SUSP PATH] fisifp.exe -- C:\Documents and Settings\OFFICE\Application Data\fisifp.exe -> KILLED [TermProc]
[HIDDEN] msiserv.exe -- C:\WINDOWS\msiserv.exe -> KILLED [TermProc]
[HIDDEN] wshus.exe -- C:\Documents and Settings\OFFICE\wshus.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 23 ¤¤¤
[RUN][SUSP PATH] HKCU\[...]\Run : Wmssso (C:\Documents and Settings\OFFICE\Application Data\Wmssso.scr) -> DELETED
[RUN][BLACKLIST DLL] HKLM\[...]\Run : lgspn (rundll32.exe "C:\Documents and Settings\OFFICE\Application Data\lgspn.dll",Init) -> DELETED
[RUN][BLACKLIST DLL] HKLM\[...]\Run : ortpt ("C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\OFFICE\Application Data\ortpt.dll",SetClosure) -> DELETED
[RUN][SUSP PATH] HKLM\[...]\Run : Rjk3QTkwMjI3RDYyQkQxQz (C:\Documents and Settings\OFFICE\wshus.exe) -> DELETED
[HJPOL] HKLM\[...]\System : DisableTaskMgr (0) -> DELETED
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyComputer (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSearch (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowUser (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowControlPanel (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowHelp (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRun (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowSetProgramAccessAndDefaults (0) -> REPLACED (1)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ DESK] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> REPLACED (0)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\n.) -> REPLACED (C:\WINDOWS\system32\shell32.dll)
[HJ INPROC][ZeroAccess] HKCR\[...]\InprocServer32 : (C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\n.) -> REPLACED (C:\WINDOWS\system32\wbem\fastprox.dll)

¤¤¤ Particular Files / Folders: ¤¤¤
[ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> REMOVED AT REBOOT
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\n --> REMOVED AT REBOOT
[ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\n --> REMOVED
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\@ --> REMOVED AT REBOOT
[ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\@ --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U\00000004.@ --> REMOVED
[Del.Parent][FILE] 00000008.@ : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U\00000008.@ --> REMOVED
[Del.Parent][FILE] 000000cb.@ : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U\000000cb.@ --> REMOVED
[Del.Parent][FILE] 80000000.@ : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U\80000000.@ --> REMOVED
[Del.Parent][FILE] 80000032.@ : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U\80000032.@ --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\U --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\U --> REMOVED
[Del.Parent][FILE] 00000004.@ : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\L\00000004.@ --> REMOVED
[Del.Parent][FILE] 201d3dde : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\L\201d3dde --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-18\$86746bb189bc4e300c3e207780b1c78a\L --> REMOVED
[ZeroAccess][FOLDER] ROOT : C:\RECYCLER\S-1-5-21-1811741157-1253689203-1252976962-1005\$86746bb189bc4e300c3e207780b1c78a\L --> REMOVED

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ Infection : ZeroAccess|Root.MBR ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
192.168.1.74 JUSTINS


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: MURPHY +++++
--- User ---
[MBR] ff1bd715d82fb5c4e98ab2c654491fb8
[BSP] dc6bdd04f539c665a8c0f9839ea946bc : Windows Vista MBR Code
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 476890 Mo
User != LL1 ... KO!
--- LL1 ---
[MBR] 32bf2e3bdb3f0dd80b7aad1e5222f68e
[BSP] 21ac8127068de3b58ba176628a160bbc : Windows XP MBR Code [possible maxSST in 2!]
Partition table:
0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 39 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 80325 | Size: 476890 Mo
2 - [ACTIVE] NTFS (0x17) [HIDDEN!] Offset (sectors): 976752000 | Size: 7 Mo
Error reading LL2 MBR!

Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.

• Download TDSSKiller and save it to your Desktop.
• doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
• If an infected file is detected, the default action will be Cure, click on Continue.
• If a suspicious file is detected, the default action will be Skip, click on Continue.
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.

• Double click the aswMBR.exe icon to run it
• it will ask to download extra definitions - ALLOW IT
• Click the Scan button to start the scan
• On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

Something seems to be blocking the direct links to the software you are posting. Other web pages are loading fine. I was able to download Tdsskiller by accessing it indirectly, but the program won't open. How should I proceed? Thanks for your help!

Greetings

I need you to make a bootable usb and to make a screenshot for me - follow the instructions below to do this

How to create a bootable Puppy USB Drive

• Download and save a copy of the latest Puppy ISO file
• Download and save a copy of Unetbootin for Windows.
• Insert an empty formatted USB drive into a USB port on the computer that's being used to create the bootable USB.
• Launch Unetbootin ....
• Ensure that Disk Image is selected.
• Using the browse button ... browse to and select the Puppy ISO file.
• Ensure that Type: is set to USB Drive and that the Drive: letter corresponds to the USB drive.
• Click OK

Unetbootin will now copy the Puppy files to the USB and make it a bootable device.

Next

You need to change the boot order of the computer to boot from a USB drive ....

• Read HERE for instructions how to do this.

Now boot into Puppylinux

when you get to the desktop Click on each of the drive items found in the bottom left corner to mount them (when mounted they will have a red cross next to them)

Next - Launch GParted which is found at Menu > System > GParted partition manager,
Click to select All Drives then click Okay
I need you to take a screenshot of the window that opens up - to do this follow these instructions

To take a screenshot in Puppy ....

With the GParted window open ...

• Click menu > Graphic > mtPaint-snapshot screen capture
• A small window will open ....
  
  
  • Click Capture Now
  • Click OK
• The mtPaint program will open ....
  
  • Click File > Save
  • Double click on ../
  • Double click on mnt/
  • Double click on sdb1/
  • Set File Format to JPEG
  • Enter screenshot1 into the text box
  • Click OK

This will save a file screenshot1.jpeg into the USB drive, paste or attach this to your next post

Next

• Click menu > shutdown > power off computer
• If prompted to save the session click on No

Puppy will now close down.

remove the usb and save it - we will use it again - boot back into windows and send me the screen capture

gringo

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete and I will ask to remove our tools




Gringo

We ended up having the machines in our office serviced yesterday and the tech cleaned up this mess and updated the antivirus software. Thanks for your help!

Thank you for letting me know


gringo

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.