BleepingComputer.com: Windows XP Recovery, Internet Redirects, Start Menu Empty

This is kind of a nasty little bugger here. I got 2 computers doing this. First they got a Windows XP Recovery Popup wanting me to do a scan and register the program and buy it, I DID NOT DO THIS. when I clicked cancel it then rebooted the computer. Under the user it hides the desktop icons, removes the quick launch Icons but leaves the toolbar for the quick launch. It then also disables the task manager and right click on the desktop. It hides the contents of the computer. This is all I had seen that it had done, I then ran my malwarebytes anti-malware program and scanned the computer.

Here is the Log contents:
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6788

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/6/2011 12:45:52 PM
mbam-log-2011-06-06 (12-45-32).txt

Scan type: Full scan (C:\|)
Objects scanned: 340495
Time elapsed: 1 hour(s), 17 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\all users\application data\17948452.exe (Trojan.FakeMS) -> No action taken.
c:\documents and settings\all users\application data\vyuamrmefielc.exe (Trojan.FakeMS) -> No action taken.
c:\documents and settings\ecarey.themissouribank\local settings\Temp\pdfupd.exe (Trojan.FakeAlert) -> No action taken.

End of Log


I have been through so many posts about trying to get rid of this my head has started to go in circles.

I had then seen the Remove Windows Recovery (Uninstall Guide) on this site under the Spyware Removal tab. http://www.bleepingcomputer.com/virus-removal/remove-windows-recovery

When I tried to download and run the RKill program I get a message about it not being a Valid Win32 application.

I did the Unhide and it worked, now I have my desktop Icons back and I can right click on the desktop and can even get to the task manager. However I still have (empty) in all my Items in Start|All Programs| except the ones I have installed since like the newer version of Malwarebytes and Spybot S&D.

After fixing the above I did a Spybot S&D also and it found another version of the FakeAlert|grb so I then did a search on that and found the stinger from MCaffee and downloaded that and run it. Here is the log for that:

McAfee® Labs Stinger™ Version 10.1.0.1629 built on May 27 2011
Copyright © 2011 McAfee, Inc. All Rights Reserved.
Virus data file v1000.0000 created on May 27 2011.
Ready to scan for 2422 viruses, trojans and variants.

Scan initiated on Tue Jun 07 12:32:44 2011
C:\Documents and Settings\All Users\Application Data\16441124
Found the FakeAlert!grb trojan !!!
C:\Documents and Settings\All Users\Application Data\16441124 is infected with the FakeAlert!grb virus !!!
C:\Documents and Settings\All Users\Application Data\16441124 has been deleted.
C:\Documents and Settings\All Users\Application Data\~16441124
Found the FakeAlert!grb trojan !!!
C:\Documents and Settings\All Users\Application Data\~16441124 is infected with the FakeAlert!grb virus !!!
C:\Documents and Settings\All Users\Application Data\~16441124 has been deleted.
C:\Documents and Settings\All Users\Application Data\~16441124r
Found the FakeAlert!grb trojan !!!
C:\Documents and Settings\All Users\Application Data\~16441124r is infected with the FakeAlert!grb virus !!!
C:\Documents and Settings\All Users\Application Data\~16441124r has been deleted.
C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe
Found the FakeAlert!fakealert-REP trojan !!!
C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe is infected with the FakeAlert!fakealert-REP virus !!!
C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe has been deleted.
Number of clean files: 314840
Number of infected files: 4
Number of files cleaned: 4

End of Log.



I have Symantec EndPoint Protection for the Antivirus, and I also have Watchgaurd Firebox for my Firewall along with my cisco 2811.

Any thoughts on anything else I need or could do to recover anything in the Start|All Programs Items? or to make sure that all good and back to normal.

This post has been edited by hamluis: 07 June 2011 - 03:50 PM
Reason for edit: No logs, moved from MRL to AII.

Welcome aboard

First of all, your MBAM log says "No action taken".
Re-run MBAM "Quick scan" and FIX all issues.
Post new log.

When done...

Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.


=========================================================================

Please download Rootkit Unhooker from one of the following links and save it to your desktop.

Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)

In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracing ZIP and RAR compressed files. If you don't have an extraction program, you can downlaod, install and use the free 7-zip utility.

• Double-click on RKUnhookerLE.exe to start the program.
  Vista/Windows 7 users right-click and select Run As Administrator.
  
• Click the Report tab, then click Scan.
  
• Check Drivers, Stealth, and uncheck the rest.
  
• Click OK.
  
• Wait until it's finished and then go to File > Save Report.
  
• Save the report to your Desktop.
  
• Copy and paste the contents of the report into your next reply.

-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?".

MBR Report is as Follows

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0240542c

Kernel Drivers (total 128):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA0B8000 ohci1394.sys
0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0D8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0E8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0F8000 disk.sys
0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xB9DEE000 Mup.sys
0xBA268000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9160000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB914C000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA278000 \SystemRoot\system32\DRIVERS\HECI.sys
0xB910B000 \SystemRoot\system32\DRIVERS\e1e5132.sys
0xBA400000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB90E7000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA408000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB90BF000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA288000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA298000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB909C000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xBA2B8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA410000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\serial.sys
0xB9D71000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA773000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA2E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9D6D000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB9085000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA2F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA308000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA418000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB9074000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA318000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA420000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA428000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9044000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA128000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA430000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB900E000 \SystemRoot\system32\DRIVERS\teefer2.sys
0xBA5E8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB8FB0000 \SystemRoot\system32\DRIVERS\update.sys
0xB96E7000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB8DB8000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB8D78000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA602000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xA6CA7000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xA6C83000 \SystemRoot\system32\drivers\portcls.sys
0xA7B6F000 \SystemRoot\system32\drivers\drmk.sys
0xA56B0000 \SystemRoot\System32\Drivers\SRTSP.SYS
0xA4327000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101128.002\NAVEX15.SYS
0xA4302000 \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
0xA42EE000 \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101128.002\NAVENG.SYS
0xA67BF000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xA7729000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xA7377000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xA67AF000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xA67A7000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA1C8000 \SystemRoot\System32\Drivers\SRTSPX.SYS
0xBA660000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6E3000 \SystemRoot\System32\Drivers\Null.SYS
0x9EF63000 \SystemRoot\System32\Drivers\Beep.SYS
0xA279B000 \SystemRoot\System32\drivers\vga.sys
0x9EF55000 \SystemRoot\System32\Drivers\mnmdd.SYS
0x9EF53000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xA278B000 \SystemRoot\System32\Drivers\Msfs.SYS
0xA416F000 \SystemRoot\System32\Drivers\Npfs.SYS
0xA573A000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9D0CF000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9D076000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9D050000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x9D022000 \SystemRoot\System32\Drivers\SYMTDI.SYS
0x9DC46000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB8F50000 \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys
0xB83C3000 \SystemRoot\system32\DRIVERS\arp1394.sys
0x9CFFA000 \SystemRoot\system32\DRIVERS\netbt.sys
0x9CFD8000 \SystemRoot\System32\drivers\afd.sys
0x9DBF6000 \SystemRoot\system32\DRIVERS\netbios.sys
0x9CF6F000 \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
0x9CF44000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9CED4000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xA1E11000 \SystemRoot\System32\Drivers\Fips.SYS
0x9CE76000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
0x9CE59000 \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
0xB8D48000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9CE41000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA654000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0x9ECA4000 \SystemRoot\System32\drivers\Dxapi.sys
0xA7C02000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6DF000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04E000 \SystemRoot\System32\igxpdv32.DLL
0xBF1F2000 \SystemRoot\System32\igxpdx32.DLL
0xA67B3000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0x9CC5C000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9CBB5000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA3D0000 \SystemRoot\System32\Drivers\TDTCP.SYS
0x9C8C2000 \SystemRoot\System32\Drivers\RDPWD.SYS
0x9C795000 \SystemRoot\system32\drivers\wdmaud.sys
0xA1D91000 \SystemRoot\system32\drivers\sysaudio.sys
0x9C024000 \SystemRoot\System32\Drivers\HTTP.sys
0xA7387000 \SystemRoot\System32\Drivers\SYMREDRV.SYS
0x9C541000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x9B373000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 56):
0 System Idle Process
4 System
1008 C:\WINDOWS\system32\smss.exe
1060 csrss.exe
1088 C:\WINDOWS\system32\winlogon.exe
1132 C:\WINDOWS\system32\services.exe
1144 C:\WINDOWS\system32\lsass.exe
1328 C:\WINDOWS\system32\svchost.exe
1428 svchost.exe
1540 C:\WINDOWS\system32\svchost.exe
1632 C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
1724 svchost.exe
1852 svchost.exe
2004 C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
348 C:\WINDOWS\system32\spoolsv.exe
1004 svchost.exe
1320 C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
1496 C:\Program Files\Java\jre6\bin\jqs.exe
1612 C:\Program Files\Common Files\LightScribe\LSSrvc.exe
1720 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
388 C:\WINDOWS\system32\svchost.exe
588 C:\WINDOWS\system32\IoctlSvc.exe
468 C:\WINDOWS\system32\svchost.exe
888 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
924 C:\WINDOWS\system32\svchost.exe
1232 C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
1564 wdfmgr.exe
1528 C:\WINDOWS\system32\searchindexer.exe
2484 sqlservr.exe
3020 alg.exe
3960 C:\WINDOWS\explorer.exe
680 C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
636 C:\WINDOWS\system32\igfxtray.exe
3804 C:\WINDOWS\system32\hkcmd.exe
3664 C:\WINDOWS\system32\igfxpers.exe
312 C:\WINDOWS\RTHDCPL.exe
1456 C:\WINDOWS\system32\igfxsrvc.exe
2096 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
1920 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2760 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
780 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
3828 C:\WINDOWS\system32\ctfmon.exe
3716 C:\Program Files\Messenger\msmsgs.exe
3704 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
3316 C:\Program Files\Ambir\AmbirScan 2.0\AmbirScan.exe
4036 C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
3044 C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
4300 C:\WINDOWS\system32\mstsc.exe
3700 C:\Program Files\Internet Explorer\iexplore.exe
4008 C:\Program Files\Internet Explorer\iexplore.exe
2328 C:\Program Files\Mozilla Firefox\firefox.exe
5944 \Device\LanmanRedirector\WNmain\Apps\Support\mobankhelpdesk.exe
2600 C:\DOCUME~1\ECAREY~1.THE\LOCALS~1\Temp\7zSAB.tmp\winvnc.exe
4348 C:\WINDOWS\system32\searchprotocolhost.exe
6128 searchfilterhost.exe
5300 \Device\LanmanRedirector\WNmain\Apps\Tools\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: ST380815AS, Rev: 4.AAB

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!


RootHook Report is as Follows:


RkU Version: 3.8.389.593, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #4
==============================================
>Drivers
==============================================
0xB9160000 C:\WINDOWS\system32\DRIVERS\igxpmp32.sys 5763072 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xA6CA7000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4583424 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0xBF1F2000 C:\WINDOWS\System32\igxpdx32.DLL 2732032 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xBF04E000 C:\WINDOWS\System32\igxpdv32.DLL 1720320 bytes (Intel Corporation, Component GHAL Driver)
0xA4327000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101128.002\NAVEX15.SYS 1368064 bytes (Symantec Corporation, AV Engine)
0xB9E35000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0x9CED4000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0x9CF6F000 C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys 430080 bytes (Symantec Corporation, SPBBC Driver)
0x9CE76000 C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys 385024 bytes (Symantec Corporation, Symantec Eraser Control Driver)
0xB8FB0000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0x9D076000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9CBB5000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xA56B0000 C:\WINDOWS\System32\Drivers\SRTSP.SYS 303104 bytes (Symantec Corporation, Symantec AutoProtect)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0xB910B000 C:\WINDOWS\system32\DRIVERS\e1e5132.sys 266240 bytes (Intel Corporation, Intel® PRO/1000 Adapter NDIS 5.2 deserialized driver)
0x9C024000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xB900E000 C:\WINDOWS\system32\DRIVERS\teefer2.sys 221184 bytes (Symantec Corporation, Symantec CMC Firewall Teefer2)
0xB9044000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9D022000 C:\WINDOWS\System32\Drivers\SYMTDI.SYS 188416 bytes (Symantec Corporation, Network Dispatch Driver)
0x9CC5C000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xB9E08000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9CF44000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xBF024000 C:\WINDOWS\System32\igxpgd32.dll 172032 bytes (Intel Corporation, Intel Graphics 2D Driver)
0xB90BF000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0x9CFFA000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0x9D050000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xA4302000 C:\WINDOWS\system32\Drivers\SYMEVENT.SYS 151552 bytes (Symantec Corporation, Symantec Event Library)
0xA6C83000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB90E7000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB909C000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0x9C8C2000 C:\WINDOWS\System32\Drivers\RDPWD.SYS 143360 bytes (Microsoft Corporation, RDP Terminal Stack Driver (US/Canada Only, Not for Export))
0x9CFD8000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0x9CE59000 C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys 118784 bytes (Symantec Corporation, Symantec Eraser Utility Driver)
0xB9DEE000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0x9CE41000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EC2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB9085000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9C795000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xA42EE000 C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101128.002\NAVENG.SYS 81920 bytes (Symantec Corporation, AV Engine)
0xB914C000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0x9D0CF000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xBF012000 C:\WINDOWS\System32\igxprd32.dll 73728 bytes (Intel Corporation, Intel Graphics 2D Rotation Driver)
0xB9ED9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB9074000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB8D48000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA288000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA2A8000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xBA2D8000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB83C3000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xA7B6F000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA298000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xA1D91000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xB8D78000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0C8000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xB8F50000 C:\WINDOWS\system32\drivers\wpsdrvnt.sys 57344 bytes (Symantec Corporation, Symantec CMC Firewall WPS)
0xBA108000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA2B8000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xBA2E8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA308000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xA1E11000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA278000 C:\WINDOWS\system32\DRIVERS\HECI.sys 45056 bytes (Intel Corporation, Intel® Management Engine Interface)
0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA2F8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xB8DB8000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA1C8000 C:\WINDOWS\System32\Drivers\SRTSPX.SYS 40960 bytes (Symantec Corporation, Symantec AutoProtect)
0xBA128000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0x9BD51000 C:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)
0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xA7729000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA268000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xBA318000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0x9DBF6000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0x9DC46000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xA416F000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA408000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xA7377000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA410000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA430000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xA7387000 C:\WINDOWS\System32\Drivers\SYMREDRV.SYS 24576 bytes (Symantec Corporation, Redirector Filter Driver)
0xBA3D0000 C:\WINDOWS\System32\Drivers\TDTCP.SYS 24576 bytes (Microsoft Corporation, TCP Transport Driver)
0xBA400000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xA279B000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xA278B000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA420000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA428000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA418000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xA7C02000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0x9C541000 C:\WINDOWS\system32\DRIVERS\asyncmac.sys 16384 bytes (Microsoft Corporation, MS Remote Access serial network driver)
0xB96E7000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA67B3000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xB9D71000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xA67AF000 C:\WINDOWS\system32\DRIVERS\usbscan.sys 16384 bytes (Microsoft Corporation, USB Scanner Driver)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0x9ECA4000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xA67BF000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xA67A7000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB9D6D000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xA573A000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0x9EF63000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA654000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA660000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0x9EF55000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0x9EF53000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5E8000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA602000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA773000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA6DF000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA6E3000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================
0x8A5C8A91 Unknown page with executable code, 1391 bytes
0x8A5C7288 Unknown page with executable code, 3448 bytes
0x8A5C9191 Unknown page with executable code, 3695 bytes
0xBA0E8000 WARNING: Virus alike driver modification [VolSnap.sys], 53248 bytes
0x8A5CBE7A Unknown thread object [ ETHREAD 0x8A66FDA8 ] TID: 124, 600 bytes
0x8A5CE008 Unknown thread object [ ETHREAD 0x8A628DA8 ] TID: 128, 600 bytes
0x8A5CDCDC Unknown page with executable code, 804 bytes

New Malwarebytes scan log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6796

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/8/2011 10:33:32 AM
mbam-log-2011-06-08 (10-33-32).txt

Scan type: Full scan (C:\|)
Objects scanned: 390390
Time elapsed: 1 hour(s), 1 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




So even though I cleaned things up yesterday on these machines it would appear that something still lurks on them.

Thanks

This post has been edited by ABCB: 08 June 2011 - 10:42 AM

You're infected with a rootkit, so...

With the information you have provided I believe you will need help from the malware removal team. I would like you to start a new thread and post a DDS log HERE and include a link to this thread. Please make sure that you read the information about getting started before you start your thread.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient. Help is on the way!