BleepingComputer.com: infected wtih TDSS

Had the system fix virus and got rid of it following direction on BleepingComputers and then running Malwarebytes. Also restored missing stuff with unhide.exe. Downloaded TDSS killer and tried to run it (renamed it first) but it won't run. Guessing the TDSS stops it? Followed direction on the forum for posting this stuff. Ran various programs except for GMER. GMER copied to desktop, but when I try to run it, gives the following message:
LoadDriver("C:DOCUME~1\ANDREW~1.ARM\LOCALS~1\Temp\fgrorpoc.sys")error 0xC000010E: Cannot create a stable subkey under a volatile parent key. A bunch of the check boxes on the right side of the GMER screen were grayed out. Ran it anyway but the ark.txt file it generated is blank, so I cannot attach it.

Please help me get rid of the TDSS.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_24
Run by andrewmarani at 13:13:49 on 2011-11-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1996.1110 [GMT -5:00]
.
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\GFI\FAXmaker Client\fmstart.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\andrewmarani.ARMDOM\My Documents\Downloads\Defogger.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.live.com
mDefault_Page_URL = hxxp://www.dell.com
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.audiokarma.org/forums/login.php?a=pwd&u=80121&i=56535ea2a813af004c63730b6e67ead86293173e
mSearchAssistant = hxxp://www.searchqu.com/web?src=ieb&appid=102&systemid=406&sr=0&q={searchTerms}
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL
BHO: {f0f8800e-995a-4fcb-d504-de53820dc4bb}: {bb4cd028-35ed-405d-bcf4-a599e0088f0f} - c:\windows\system32\rajdmn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Searchqu Toolbar: {99079a25-328f-4bd4-be04-00955acaa0a7} - c:\progra~1\wi371a~1\datamngr\toolbar\searchqudtx.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [FMStart] "c:\program files\gfi\faxmaker client\fmstart.exe"
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [<NO NAME>]
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [AyBceCwcCVrA.exe] c:\documents and settings\all users\application data\AyBceCwcCVrA.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_24-windows-i586.cab
TCP: DhcpNameServer = 192.168.42.3
TCP: Interfaces\{B74B74FA-7FF9-46FF-8C01-B06BE72F400B} : DhcpNameServer = 192.168.42.3
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: igfxcui - igfxdev.dll
Notify: ljJYOeDV - ljJYOeDV.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: {6c25997f-1dcd-3419-9d64-bc98c5e1cbaf}: {fabc1e5c-89cb-46d9-9143-dcd1f79952c6} - c:\windows\system32\rajdmn.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\andrewmarani.armdom\application data\mozilla\firefox\profiles\ilcp2wb0.default\
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~1\mi1933~1\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\mi1933~1\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\2.0.31005.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2009-3-27 24064]
R2 ASFAgent;ASF Agent;c:\program files\intel\asf agent\ASFAgent.exe [2007-4-19 133968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-12-10 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2007-12-10 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2007-12-10 2177464]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [2009-3-27 144480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-11-11 106104]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20111111.002\NAVENG.SYS [2011-11-11 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20111111.002\NAVEX15.SYS [2011-11-11 1576312]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S2 gupdate1c9d00df1b131e6;Google Update Service (gupdate1c9d00df1b131e6);c:\program files\google\update\GoogleUpdate.exe [2009-5-8 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-5-8 133104]
S4 vsdatant;vsdatant;a --> a [?]
UnknownUnknown dsload;dsload; [x]
.
=============== Created Last 30 ================
.
2011-11-21 18:01:30 -------- d-----w- c:\documents and settings\andrewmarani.armdom\application data\Malwarebytes
2011-11-21 17:59:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-21 17:59:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-21 17:33:56 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-11-21 17:04:22 -------- d--h--w- c:\windows\PIF
2011-11-17 16:17:49 -------- d-s---w- c:\documents and settings\andrewmarani.armdom\UserData
2011-11-09 12:44:31 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-11-09 12:44:30 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-11-09 12:44:30 801752 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-11-09 12:44:30 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-11-09 12:44:30 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-11-09 12:44:30 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-11-09 12:44:30 1989592 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-11-09 12:44:30 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
.
==================== Find3M ====================
.
2011-10-11 18:54:22 60304 ----a-w- c:\documents and settings\andrewmarani.armdom\g2mdlhlpx.exe
.
============= FINISH: 13:20:50.04 ===============

Hello fremen59,

• Welcome to Bleeping Computer.
  
  
• My name is fireman4it and I will be helping you with your Malware problem.
  
  Please take note of some guidelines for this fix:
  
  
• Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  
  
• If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  
  
• Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  
  
• In the upper right hand corner of the topic you will see a button called Watch Topic.I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.
  
  
  
• Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2

• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  
• Close any open windows, including this one.
  
• Double click on ComboFix.exe & follow the prompts.
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
• If you did not have it installed, you will see the prompt below. Choose YES.
  
• 
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
  
• Click on Yes, to continue scanning for malware.
  
• When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.

Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.


2.
Please download aswMBR ( 511KB ) to your desktop.

• Double click the aswMBR.exe icon to run it
  
• Click the Scan button to start the scan
  
• On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Things to include in your next reply::
Combofix.txt
aswMBR log
How is your machine running now?

Hi Fireman4it, thanks for helping.

I got a blue screen saying Problem Detected Windows Shut Down. Plug and play detected error, Likely a Faulty Driver.

When I restarted the computer I got some error messages and took a screen shot and tried to attach it as a file to the blog but doesn't look like it worked.

Computer seems to be running slow, but does start work.


ComboFix completed step 7, but I wasn't watching when the computer shut down, so it may have made it farther. Do you want me to run combofix again?

Still have TDSS virus. Get a series of explorer error messages every half hour or so when it tries to do something. Every now and then it actually goes to a web site. Also starts up Itunes for some reason.

Hello,

Yes please run Combofix again this time in Safemode with Networking. Then post its log.

Now reboot into Safe Mode with Networking.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option with networking support.
Please see here for additional details.

Ran combofix again, in normal windows and it completed it's run. Log is posted below. I am now going to run aswMBR.

ComboFix 11-11-23.01 - andrewmarani 11/25/2011 8:14.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1996.1427 [GMT -5:00]
Running from: c:\documents and settings\andrewmarani.ARMDOM\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\andrewmarani.ARMDOM\Application Data\Microsoft\Internet Explorer\Quick Launch\System Fix.lnk
c:\documents and settings\andrewmarani.ARMDOM\g2mdlhlpx.exe
c:\documents and settings\andrewmarani.ARMDOM\Start Menu\Programs\System Fix
c:\documents and settings\andrewmarani.ARMDOM\Start Menu\Programs\System Fix\System Fix.lnk
c:\documents and settings\andrewmarani.ARMDOM\Start Menu\Programs\System Fix\Uninstall System Fix.lnk
c:\documents and settings\AndrewMarani\cnsload_1290180956953.tmp
c:\windows\CSC\d6
c:\windows\system32\lfjdynpl.ini
c:\windows\system32\RutDdMoq.ini
c:\windows\system32\RutDdMoq.ini2
.
.
((((((((((((((((((((((((( Files Created from 2011-10-25 to 2011-11-25 )))))))))))))))))))))))))))))))
.
.
2011-11-25 12:46 . 2011-11-25 12:46 -------- d-----w- c:\windows\LastGood
2011-11-25 12:37 . 2011-11-25 12:37 -------- d-----w- c:\windows\ServicePackFiles
2011-11-25 12:37 . 2011-11-25 12:47 -------- d-----w- c:\windows\system32\KB905474
2011-11-23 15:03 . 2010-08-27 08:02 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2011-11-23 15:03 . 2009-10-15 16:28 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2011-11-23 14:57 . 2010-09-18 06:53 954368 -c----w- c:\windows\system32\dllcache\mfc40.dll
2011-11-23 14:57 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2011-11-23 14:51 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2011-11-23 14:51 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2011-11-23 14:51 . 2011-06-24 14:10 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-11-23 14:51 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2011-11-23 14:51 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2011-11-23 14:50 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-11-23 14:50 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2011-11-23 14:47 . 2010-06-18 13:36 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe
2011-11-23 14:46 . 2011-04-29 19:07 852480 -c----w- c:\windows\system32\dllcache\vgx.dll
2011-11-23 14:45 . 2011-07-08 14:02 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
2011-11-23 14:45 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2011-11-23 14:44 . 2010-08-16 08:45 590848 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2011-11-21 18:01 . 2011-11-21 18:01 -------- d-----w- c:\documents and settings\andrewmarani.ARMDOM\Application Data\Malwarebytes
2011-11-21 17:59 . 2011-11-21 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-21 17:59 . 2011-11-21 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-21 17:33 . 2011-11-21 20:14 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-21 17:04 . 2011-11-21 17:04 -------- d-----w- c:\windows\PIF
2011-11-17 16:17 . 2011-11-17 16:17 -------- d-s---w- c:\documents and settings\andrewmarani.ARMDOM\UserData
2011-11-09 12:44 . 2011-11-05 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-11-09 12:44 . 2011-11-05 06:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-11-09 12:44 . 2011-11-05 06:53 801752 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-11-09 12:44 . 2011-11-05 06:53 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-11-09 12:44 . 2011-11-05 06:53 1989592 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-11-09 12:44 . 2011-11-05 06:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-11-09 12:44 . 2011-11-05 03:21 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-11-09 12:44 . 2011-11-05 03:21 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2008-04-25 21:27 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06 . 2008-04-25 16:16 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2008-04-25 16:16 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2006-10-21 09:29 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2008-04-25 16:16 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:25 . 2008-04-25 16:16 1867904 ----a-w- c:\windows\system32\win32k.sys
2011-09-05 13:56 . 2008-04-25 16:16 667136 ----a-w- c:\windows\system32\wininet.dll
2011-09-05 13:56 . 2008-04-25 16:16 61952 ----a-w- c:\windows\system32\tdc.ocx
2011-09-05 13:56 . 2008-04-25 16:16 81920 ----a-w- c:\windows\system32\ieencode.dll
2011-09-05 12:35 . 2008-04-25 16:16 369664 ----a-w- c:\windows\system32\html.iec
2011-11-05 06:53 . 2011-11-09 12:44 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-09-01 1044480]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-01-11 141336]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-01-11 173592]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-01-11 141336]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2008-05-23 128296]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-12-10 115560]
"FMStart"="c:\program files\GFI\FAXmaker Client\fmstart.exe" [2000-05-10 56832]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-06-07 421160]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2010-12-28 221247]
MaxCommunicator.lnk - c:\program files\Altigen\MaxCommunicator\MaxCommunicator.exe [2009-10-23 2306048]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Altigen\\JLIB15\\jre\\bin\\java.exe"=
"c:\\Program Files\\Altigen\\JLIB15\\jre\\bin\\javaw.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/27/2009 12:22 AM 24064]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [4/19/2007 5:56 AM 133968]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [3/27/2009 12:22 AM 144480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [11/11/2011 3:53 PM 106104]
S2 gupdate1c9d00df1b131e6;Google Update Service (gupdate1c9d00df1b131e6);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 1:51 PM 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [5/8/2009 1:51 PM 133104]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
UnknownUnknown dsload;dsload; [x]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - dsgrab_01cb87ffb11b77ee
.
Contents of the 'Scheduled Tasks' folder
.
2011-11-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-08 05:04]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 18:51]
.
2011-11-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-08 18:51]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.dell.com
uInternet Connection Wizard,ShellNext = hxxp://www.audiokarma.org/forums/login.php?a=pwd&u=80121&i=56535ea2a813af004c63730b6e67ead86293173e
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 192.168.42.3
DPF: {00191E4B-49C2-48E2-A548-8F702D75622A} - hxxps://strtc.oracle.com/imtapp/res/jar/cnsload.cab
FF - ProfilePath - c:\documents and settings\andrewmarani.ARMDOM\Application Data\Mozilla\Firefox\Profiles\ilcp2wb0.default\
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{bb4cd028-35ed-405d-bcf4-a599e0088f0f} - c:\windows\system32\rajdmn.dll
Toolbar-10 - (no file)
HKLM-Run-AyBceCwcCVrA.exe - c:\documents and settings\All Users\Application Data\AyBceCwcCVrA.exe
ShellExecuteHooks-{fabc1e5c-89cb-46d9-9143-dcd1f79952c6} - c:\windows\system32\rajdmn.dll
Notify-ljJYOeDV - ljJYOeDV.dll
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-25 08:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(744)
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll
.
Completion time: 2011-11-25 09:12:38
ComboFix-quarantined-files.txt 2011-11-25 14:12
.
Pre-Run: 43,049,041,920 bytes free
Post-Run: 47,863,492,608 bytes free
.
- - End Of File - - 0CD94E544CE336B9AD1AE1F4AB2C4A65

Downloaded aswMBR.exe but I cannot get it to run. I double click it and the hour glass shows for a second but nothing else happens.

Hello,

Try running Gmer in Safemode.

Please download GMER from one of the following locations and save it to your desktop:

• Main Mirror
  This version will download a randomly named file (Recommended)
  
• Zipped Mirror
  This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

• Disconnect from the Internet and close all running programs.
  
• Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  
• Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  
• Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  
  
  
  
• GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  
• If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  
• Now click the Scan button. If you see a rootkit warning window, click OK.
  
• When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  
• Click the Copy button and paste the results into your next reply.
  
• Exit GMER and re-enable all active protection when done.

-- If you encounter any problems, try running GMER in Safe Mode.

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 3-5 days the topic will need to be closed.

Thanks for understanding

With Regards,
fireman4it

Still here. Tried starting GMER in safe mode. Had same issue as earlier with GMER and got same message, see below.


LoadDriver("C:DOCUME~1\ANDREW~1.ARM\LOCALS~1\Temp\fgrorpoc.sys")error 0xC000010E: Cannot create a stable subkey under a volatile parent key

If I click OK, GMER starts but most of the check boxes on the right are grayed out and when it finishes running there is nothing in the log.

Earlier on ComboFix installed the Recovery Console. We're going to use that now.

Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to be very fast with the arrow key as you only have a couple of seconds before it defaults to the windows XP bootup)






When you get to the above screen, take note of the number that references your operating system.

If it's '1' like the picture above, type 1 and press Enter


Next type FIXMBR



If it ask if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.

With that done, please post back and let me know how things are now.

I've tried restarting a number of times. The screen flashes a couple of times but whatever is happening is to fast to even become visible, so I haven't been able to follow your directions for the boot menu.

I also tried using the F8 button to get the safe mode menu. On the safe mode menu screen there is an option to Return to the OS Choices Menu, which I tried. On the OS Choices menu there is a choice for Microsoft Windows Recovery Console, but under it is a note: Do Not Select This [debugger enabled].

I selected it anyway and got a note saying Recovery Console starting, but nothing happened for 10 minutes so I pressed control/alt/delete and the computer started up normally.

I think I need a different way to get to the Recovery Console, or some way to turn off the debugger.

Hello,

Are you able to Burn CD's and have access to a USB Flash Drive?

I can do either one. The USB drive is easier.

You will need a blank USB flash drive for this.

Download NTBR_USB.exe and save it to your desktop on your clean computer. Plug in the USB you want to use and double-click NTBR_USB.exe to run it.
Verify that the drive letter shown is the same as assigned by Windows, then click OK.
Once the image is written to the device, you will be prompted to reboot ~ do not reboot and instead remove the device.
Insert the bootable device in the infected computer and start it, then use the appropriate F key to access the boot menu where you can choose to boot from USB. (same as how it booted with xPud)
You should be presented with a boot screen - select usb and press Enter to boot to the device.
After a warning screen there is a keyboard language options screen - press Enter to leave it at EN-US.
You should now be at the Tool options screen.

First, let's back up your current MBR.

Type 1 and hit Enter to start MBRWORK
At Choose Option: type c and hit Enter ( C) Capture Sectors )
At Enter File Name: type mbr.bin and hit Enter
At LBA: 0 Leave at 0 and hit Enter
At Number of Sectors: 1 Leave at 1 and hit Enter
The screen will show:
Processing ...
Save completed - Press Enter
Hit Enter then at Choose Option: type e and hit Enter to exit MBRWORK

Now, we copy it to your USB drive:

Type 5 and hit Enter to go to an X:\> prompt
Type copy mbr.bin c:\ and hit Enter
You should see mbr.bin => c:\mbr.bin and return to the X:\> prompt
Type menu and hit Enter.



Next, let's replace your MBR:

At the menu type 1 to select MBRWORK then hit Enter

This screen will show the hard drive configuration.

Type 5 to Install standard MBR code then hit Enter
Type 1 to select Standard then hit Enter
Type Y then hit Enter to confirm
Type E then hit Enter to exit
Back at the menu, type 6 to Quit.
Press Ctrl+Alt+Del to restart the machine.
Pull out the USB drive at this point.

Did it properly boot into Windows?