Rootkit infection

HJT,

Initially, I found the Security Tool and Anti-virus Pro 2010 virus on my computer. I posted some logs and a tech determined that I had a Rootkit infection. I was informed to run the DDS tool and the RootRepeal tool. I have posted and attached the documents based on the instructions. Any help would be great and I appreciate all your hard work! Thank you!

DDS log:

DDS (Ver_09-10-26.01) - NTFSx86
Run by JPW at 8:10:53.10 on Fri 11/06/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1462 [GMT -6:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\biosadmin.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\TVersity\Media Server\MediaServer.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JPW\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://finance.yahoo.com/
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = *.local
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [AdobeBridge]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\jpw\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [NetBIOS Admin Program] c:\windows\system32\biosadmin.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [BlackBerryAutoUpdate] c:\program files\common files\research in motion\auto update\RIMAutoUpdate.exe /background
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233609762281
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jpw\applic~1\mozilla\firefox\profiles\livbkemr.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - plugin: c:\documents and settings\jpw\application data\mozilla\firefox\profiles\livbkemr.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\documents and settings\jpw\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S3 getPlusHelper;getPlus® Helper;c:\windows\system32\svchost.exe -k getPlusHelper [2006-3-15 14336]
S3 NPF;Netgroup Packet Filter;c:\windows\system32\drivers\npf.sys [2007-11-15 34064]

=============== Created Last 30 ================

2009-10-21 00:21:02 0 d-s---w- C:\ComboFix
2009-10-21 00:00:35 19663 ----a-w- c:\windows\jazime._dl
2009-10-21 00:00:35 18504 ----a-w- c:\windows\azebefuhik.exe
2009-10-21 00:00:35 16505 ----a-w- c:\windows\usodut.lib
2009-10-21 00:00:35 15520 ----a-w- c:\docume~1\jpw\applic~1\ogumudev.exe
2009-10-21 00:00:35 14404 ----a-w- c:\windows\uboc.bin
2009-10-21 00:00:35 14164 ----a-w- c:\windows\cokuwiby.dat
2009-10-21 00:00:35 12504 ----a-w- c:\windows\liwyxiraj.dll
2009-10-21 00:00:35 12320 ----a-w- c:\windows\bovacine.dll
2009-10-19 00:19:33 0 d-sha-r- C:\cmdcons
2009-10-19 00:18:27 98816 ----a-w- c:\windows\sed.exe
2009-10-19 00:18:27 236544 ----a-w- c:\windows\PEV.exe
2009-10-19 00:18:27 161792 ----a-w- c:\windows\SWREG.exe
2009-10-19 00:13:17 0 dc----w- c:\docume~1\alluse~1\applic~1\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-10-19 00:02:30 0 d-----w- c:\windows\pss
2009-10-18 20:59:11 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-18 20:50:49 0 d-----w- c:\program files\Trend Micro
2009-10-18 20:23:30 15535 ----a-w- c:\windows\zigihefo.scr
2009-10-18 20:23:30 12793 ----a-w- c:\docume~1\alluse~1\applic~1\ezopevo.sys
2009-10-18 20:23:29 19815 ----a-w- c:\windows\rawavox.vbs
2009-10-18 20:23:29 19396 ----a-w- c:\program files\common files\ferotule.scr
2009-10-18 20:23:29 15902 ----a-w- c:\docume~1\jpw\applic~1\ceme.exe
2009-10-18 20:23:29 13302 ----a-w- c:\windows\vibe.inf
2009-10-18 20:23:29 11481 ----a-w- c:\windows\system32\bidikic.db
2009-10-18 20:23:29 10799 ----a-w- c:\docume~1\alluse~1\applic~1\gufejad.exe
2009-10-18 19:57:45 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-10-18 19:57:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-10-18 19:38:52 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-18 19:38:50 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-18 19:38:50 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-18 08:08:49 0 d-----w- c:\windows\system32\schtml
2009-10-17 14:15:15 0 d-----w- C:\Nina
2009-10-16 12:57:47 32128 -c--a-w- c:\windows\system32\dllcache\usbccgp.sys
2009-10-16 12:57:47 32128 ----a-w- c:\windows\system32\drivers\usbccgp.sys
2009-10-16 04:44:39 0 ----a-w- c:\windows\system32\sck236jn.dat
2009-10-16 04:43:59 1 ----a-w- c:\windows\system32\perfc7683.dat
2009-10-16 04:43:52 26112 ----a-w- c:\windows\system32\stu2.exe
2009-10-16 03:07:49 256 ----a-w- c:\windows\system32\pool.bin
2009-10-16 03:07:41 0 d-----w- c:\docume~1\jpw\applic~1\Research In Motion
2009-10-16 03:05:40 27136 ----a-r- c:\windows\system32\drivers\RimSerial.sys
2009-10-16 03:03:43 0 d-----w- c:\program files\common files\Research In Motion
2009-10-16 03:03:40 0 d-----w- c:\program files\Research In Motion

==================== Find3M ====================

2009-10-18 20:23:30 16128 ----a-w- c:\program files\common files\ofakuq.ban
2009-10-16 09:27:11 43520 ----a-w- c:\windows\system32\userinit.exe
2009-08-27 03:52:16 64319 ----a-w- c:\windows\War3Unin.dat
2009-08-24 05:30:04 2829 ----a-w- c:\windows\War3Unin.pif
2009-08-24 05:30:03 139264 ----a-w- c:\windows\War3Unin.exe
2009-08-20 23:36:33 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2009-02-02 23:43:23 486951 --sh--r- c:\windows\system32\biosadmin.exe

============= FINISH: 8:11:28.90 ===============

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.


Make sure that you save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

As there has been no response, this topic will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this topic in your request.