Recurring Rootkits After clean installing Windows several times


  • This topic is locked
15 replies to this topic

#1 b2012

  • Members
  • 13 posts

Posted 04 July 2011 - 11:33 AM

I have had recurring rootkits appear after using the HP Recovery CDs provided directly from them to re-image my computer. I also used a retail Windows Vista Ultimate CD to do a clean install, and got the same result. How can I remove these? I have to do a double install to install a clean copy of Windows Vista, then finally Windows 7 Pro, and I want to make sure it's completely clean before I go through that trouble.

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Home at 14:52:09 on 2011-07-03
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.890 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\explorer.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpqSRMon]
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [MegaPanel] "c:\program files\national consumer panel\ncp internet transporter\HSTrans.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {72376E32-8AF2-473F-BE32-E5D0F39C865D} - hxxp://www.cyberlink.com/prog/win7/js/UpdateAdvisor.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9B9F6FB3-F4B0-41F9-A8B1-C1CA661C0406} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli DPPWDFLT
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\home\appdata\roaming\mozilla\firefox\profiles\dcdsd05g.default\
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-9 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-9 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110616.003\BHDrvx86.sys [2011-6-17 810616]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110701.051\IDSvix86.sys [2011-7-2 367736]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl92be623d;MpKsl92be623d;c:\programdata\microsoft\microsoft antimalware\definition updates\{19bcfaeb-d046-47d3-a376-821e2b8d5f50}\MpKsl92be623d.sys [2011-7-3 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-9 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys [2011-5-9 331384]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-10 105592]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
.
=============== Created Last 30 ================
.
2011-07-03 18:23:22 -------- d-----w- c:\program files\Core Temp
2011-07-03 18:16:52 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{19bcfaeb-d046-47d3-a376-821e2b8d5f50}\MpKsl92be623d.sys
2011-07-03 18:16:19 7074640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{19bcfaeb-d046-47d3-a376-821e2b8d5f50}\mpengine.dll
2011-07-01 17:55:49 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-07-01 17:55:49 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2011-07-01 17:54:57 -------- d-----w- c:\windows\system32\drivers\nbrtwizard\0305000.017
2011-07-01 17:54:57 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
2011-07-01 17:54:55 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
2011-07-01 07:12:59 -------- d-----w- c:\program files\CCleaner
2011-06-30 05:31:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-30 05:30:30 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-30 05:30:30 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-30 05:29:04 276992 ----a-w- c:\windows\system32\schannel.dll
2011-06-21 03:21:31 652296 ----a-w- c:\programdata\microsoft\ehome\packages\sportstemplate\sportstemplatecore\Microsoft.MediaCenter.Sports.UI.dll
2011-06-21 03:20:45 749832 ----a-w- c:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2011-06-21 03:20:32 416128 ----a-w- c:\programdata\microsoft\ehome\packages\nettv\browse\NetTVResources.dll
2011-06-14 21:52:19 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-14 21:52:18 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-14 21:52:17 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-14 21:46:41 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-14 21:46:40 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-14 21:45:30 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-14 21:45:29 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-14 21:45:29 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-14 21:45:08 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-14 21:45:07 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-14 21:45:07 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-14 21:45:06 273408 ----a-w- c:\windows\system32\drivers\afd.sys
2011-06-09 00:30:17 -------- d-----w- c:\program files\Belarc
.
==================== Find3M ====================
.
2011-06-30 05:45:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-06-14 21:34:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-09 22:52:34 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2011-04-05 20:02:57 4096 ----a-w- c:\windows\system32\drivers\en-us\dxgkrnl.sys.mui
2011-04-05 20:02:56 519680 ----a-w- c:\windows\system32\d3d11.dll
2011-04-05 20:02:56 369664 ----a-w- c:\windows\system32\WMPhoto.dll
2011-04-05 20:02:56 252928 ----a-w- c:\windows\system32\dxdiag.exe
2011-04-05 20:02:56 195584 ----a-w- c:\windows\system32\dxdiagn.dll
2011-04-05 20:02:55 974848 ----a-w- c:\windows\system32\WindowsCodecs.dll
2011-04-05 20:02:55 321024 ----a-w- c:\windows\system32\PhotoMetadataHandler.dll
2011-04-05 20:02:55 189440 ----a-w- c:\windows\system32\WindowsCodecsExt.dll
.
============= FINISH: 14:52:27.81 ===============



#2 rigacci

  • Fiorentino
  • Members
  • 2,604 posts

Posted 11 July 2011 - 07:44 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log



Thanks and again sorry for the delay.

DR
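The DDS log in the first post, and the fresh one the helper asks for above because "your situation may have changed", are normally compared by eye. As an added example that is not part of the original thread and is not a BleepingComputer or DDS tool, the Python helper below splits a DDS log into its banner-delimited sections, parses the SERVICES / DRIVERS table (DDS writes `R` or `S` for running/stopped followed by the Windows start type digit, then `name;display name;image path [yyyy-m-d size]`), flags driver rows that deserve a manual look, and diffs the process and driver lists of two snapshots. The two embedded snapshots are constructed excerpts of the 2011-07-03 and 2011-07-11 logs posted in this thread, not the full logs. The triage rules are heuristics, and on these excerpts every hit is a known antivirus component (Microsoft Security Essentials rotates its definition driver under ProgramData with a random hex name; SUPERAntiSpyware loads a system-start driver from Program Files), which is exactly why a helper like this only points a human at rows to check rather than calling anything a rootkit.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# Section banners: "============== Running Processes ==============="
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# Service/driver rows: "<R|S><start> <name>;<display>;<image path> [<yyyy-m-d> <size>]"
# R = running, S = stopped; the digit is the Windows start type.
DRIVER_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<date>\d{4}-\d{1,2}-\d{1,2})\s+(?P<size>\d+)\]$"
)
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}
SYSTEM_DRIVER_DIR = "c:\\windows\\system32\\drivers"

class Driver(NamedTuple):
    state: str
    start: int
    name: str
    display: str
    path: str
    date: str
    size: int

def split_sections(log: str) -> Dict[str, List[str]]:
    """Group the log's non-empty lines under their upper-cased section banner."""
    sections: Dict[str, List[str]] = {"HEADER": []}
    current = "HEADER"
    for raw in log.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1).upper()
            sections[current] = []
        elif line and line != ".":  # DDS pads every section with lone dots
            sections[current].append(line)
    return sections

def parse_drivers(lines: List[str]) -> List[Driver]:
    """Parse SERVICES / DRIVERS rows; rows that do not fit the format are skipped."""
    drivers = []
    for line in lines:
        m = DRIVER_RE.match(line)
        if m:
            drivers.append(Driver(m["state"], int(m["start"]), m["name"], m["display"],
                                  m["path"], m["date"], int(m["size"])))
    return drivers

def triage_drivers(drivers: List[Driver]) -> List[Tuple[str, str]]:
    """(name, reason) pairs worth a manual look. Heuristics, not verdicts: AV suites
    legitimately load early-start drivers from ProgramData and Program Files."""
    hits = []
    for d in drivers:
        path = d.path.lower()
        if d.start <= 1 and not path.startswith(SYSTEM_DRIVER_DIR):
            hits.append((d.name, f"{START_TYPES[d.start]}-start driver outside system32\\drivers"))
        if "\\programdata\\" in path or "\\users\\" in path:
            hits.append((d.name, "image under a user-writable data directory"))
        if re.search(r"[0-9a-f]{8}$", d.name.lower()):
            hits.append((d.name, "service name ends in a random-looking hex blob"))
    return hits

def diff_snapshots(old: str, new: str) -> Dict[str, Dict[str, List[str]]]:
    """What appeared, vanished or moved between two DDS runs on the same machine."""
    a, b = split_sections(old), split_sections(new)
    pa, pb = set(a.get("RUNNING PROCESSES", [])), set(b.get("RUNNING PROCESSES", []))
    da = {d.name: d for d in parse_drivers(a.get("SERVICES / DRIVERS", []))}
    db = {d.name: d for d in parse_drivers(b.get("SERVICES / DRIVERS", []))}
    return {
        "processes": {"added": sorted(pb - pa), "removed": sorted(pa - pb)},
        "drivers": {
            "added": sorted(set(db) - set(da)),
            "removed": sorted(set(da) - set(db)),
            "changed": sorted(n for n in set(da) & set(db) if da[n].path != db[n].path),
        },
    }

# Constructed excerpt of the 2011-07-03 log posted in this thread (not the full log).
SNAPSHOT_A = r"""
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-9 340088]
R1 MpKsl92be623d;MpKsl92be623d;c:\programdata\microsoft\microsoft antimalware\definition updates\{19bcfaeb-d046-47d3-a376-821e2b8d5f50}\MpKsl92be623d.sys [2011-7-3 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
.
============= FINISH: 14:52:27.81 ===============
"""
# Constructed 2011-07-11 excerpt: one more helper process and a rotated MSE
# definition driver (new random name, new GUID folder), as in the thread's second log.
SNAPSHOT_B = SNAPSHOT_A.replace(
    r"C:\Windows\system32\taskeng.exe",
    "C:\\Windows\\system32\\taskeng.exe\nC:\\Program Files\\Synaptics\\SynTP\\SynTPHelper.exe",
).replace("MpKsl92be623d", "MpKsl23b4b7e2").replace(
    "{19bcfaeb-d046-47d3-a376-821e2b8d5f50}", "{a041c790-6465-495a-acb6-bdfbdf4ca8ce}")
```

To use it on the real logs, read each saved DDS.txt into a string and pass the pair to `diff_snapshots`; `triage_drivers(parse_drivers(split_sections(log)["SERVICES / DRIVERS"]))` lists the rows to look up by hand. A driver that survives a re-image from recovery media is not something a log diff can explain, since both snapshots are taken after the rebuild; the diff is for spotting what changes between two runs on the same install.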

#3 b2012

  • Topic Starter
  • Members
  • 13 posts

Posted 11 July 2011 - 12:01 PM

I am currently running Windows Vista Home Premium SP2 32-bit.
I decided to "re-image" or restore the computer to factory state using the HP Recovery Discs provided with the laptop by HP. I currently have NIS 2011 installed, and Norton Power Eraser found some type of rootkit and said it removed it (this was months ago). After this, I decided to re-image again using the HP Recovery Discs, and after running NPE, the same thing happened.

-To remedy this, I bought a retail copy of Windows Vista Ultimate (I have the Windows CD of Vista Ultimate 32-bit only). I clean installed this, and again NPE found the same thing. I dealt with it until Windows Aero started draining my battery, and I re-imaged the computer with the HP Recovery Discs one last time (which still showed the infection). I am currently still using this, which is again Windows Vista Home Premium 32-bit SP2.

Goal: I bought a Windows 7 Pro CD and plan to use the double install method (Vista Ultimate, then 7 Pro). Before I do all of that, I want to make sure that I don't get the message of being infected once I finish installing 7 Pro.


As the infection was "removed" multiple times months ago, I do not know the name.

-DDS and Trend Micro RootkitBuster logs are posted below; please note the hooked and hidden services.
---(arkD) is the GMER log of D:, the recovery drive.

----------------------------------------------------------------------------------------------------------------------------------------------
.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Home at 14:25:27 on 2011-07-11
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.2038.795 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Norton Internet Security\Engine\18.6.0.29\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=81&bd=Pavilion&pf=laptop
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\programdata\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: DigitalPersona Personal Extension: {395610ae-c624-4f58-b89e-23733ea00f9a} - c:\program files\digitalpersona\bin\DpOtsPluginIe8.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.6.0.29\ips\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.6.0.29\coIEPlg.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [OnScreenDisplay] c:\program files\hewlett-packard\hp quicktouch\HPKBDAPP.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [hpqSRMon]
mRun: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [WAWifiMessage] c:\program files\hewlett-packard\hp wireless assistant\WiFiMsg.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [DpAgent] c:\program files\digitalpersona\bin\dpagent.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [MegaPanel] "c:\program files\national consumer panel\ncp internet transporter\HSTrans.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {72376E32-8AF2-473F-BE32-E5D0F39C865D} - hxxp://www.cyberlink.com/prog/win7/js/UpdateAdvisor.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{9B9F6FB3-F4B0-41F9-A8B1-C1CA661C0406} : DhcpNameServer = 192.168.0.1
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: igfxcui - igfxdev.dll
LSA: Notification Packages = scecli DPPWDFLT
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\home\appdata\roaming\mozilla\firefox\profiles\dcdsd05g.default\
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\coffplgn\components\coFFPlgn.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\programdata\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1206000.01d\symds.sys [2011-5-9 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1206000.01d\symefa.sys [2011-5-9 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\bashdefs\20110701.001\BHDrvx86.sys [2011-7-5 810616]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\definitions\ipsdefs\20110708.032\IDSvix86.sys [2011-7-8 367736]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl23b4b7e2;MpKsl23b4b7e2;c:\programdata\microsoft\microsoft antimalware\definition updates\{a041c790-6465-495a-acb6-bdfbdf4ca8ce}\MpKsl23b4b7e2.sys [2011-7-11 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1206000.01d\ironx86.sys [2011-5-9 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1206000.01d\symtdiv.sys [2011-5-9 331384]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.6.0.29\ccsvchst.exe [2011-5-9 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-10 105592]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\drivers\MpNWMon.sys [2010-10-24 43392]
S3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\drivers\NisDrvWFP.sys [2010-10-24 54144]
S3 NisSrv;Microsoft Network Inspection;c:\program files\microsoft security client\antimalware\NisSrv.exe [2010-11-11 206360]
.
=============== Created Last 30 ================
.
2011-07-11 19:04:56 28752 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a041c790-6465-495a-acb6-bdfbdf4ca8ce}\MpKsl23b4b7e2.sys
2011-07-11 19:04:22 7074640 ----a-w- c:\programdata\microsoft\microsoft antimalware\definition updates\{a041c790-6465-495a-acb6-bdfbdf4ca8ce}\mpengine.dll
2011-07-03 18:23:22 -------- d-----w- c:\program files\Core Temp
2011-07-01 17:55:49 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2011-07-01 17:55:49 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2011-07-01 17:54:57 -------- d-----w- c:\windows\system32\drivers\nbrtwizard\0305000.017
2011-07-01 17:54:57 -------- d-----w- c:\windows\system32\drivers\NBRTWizard
2011-07-01 17:54:55 -------- d-----w- c:\program files\Norton Bootable Recovery Tool Wizard
2011-07-01 07:12:59 -------- d-----w- c:\program files\CCleaner
2011-06-30 05:31:18 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-06-30 05:30:30 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-30 05:30:30 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-30 05:29:04 276992 ----a-w- c:\windows\system32\schannel.dll
2011-06-21 03:21:31 652296 ----a-w- c:\programdata\microsoft\ehome\packages\sportstemplate\sportstemplatecore\Microsoft.MediaCenter.Sports.UI.dll
2011-06-21 03:20:45 749832 ----a-w- c:\programdata\microsoft\ehome\packages\mcespotlight\mcespotlight\SpotlightResources.dll
2011-06-21 03:20:32 416128 ----a-w- c:\programdata\microsoft\ehome\packages\nettv\browse\NetTVResources.dll
2011-06-14 21:52:19 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2011-06-14 21:52:18 141104 ----a-w- c:\program files\internet explorer\sqmapi.dll
2011-06-14 21:52:17 1797632 ----a-w- c:\windows\system32\jscript9.dll
2011-06-14 21:46:41 75264 ----a-w- c:\windows\system32\drivers\dfsc.sys
2011-06-14 21:46:40 563712 ----a-w- c:\windows\system32\oleaut32.dll
2011-06-14 21:45:30 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-06-14 21:45:29 146432 ----a-w- c:\windows\system32\drivers\srv2.sys
2011-06-14 21:45:29 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2011-06-14 21:45:08 214016 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-06-14 21:45:07 79872 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-06-14 21:45:07 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-14 21:45:06 273408 ----a-w- c:\windows\system32\drivers\afd.sys
.
==================== Find3M ====================
.
2011-06-30 05:45:55 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-06-14 21:34:36 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-05-29 14:11:30 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-29 14:11:20 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-09 22:52:34 126584 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
.
============= FINISH: 14:25:51.12 ===============

--------------------------------------------------------------------------------------------------------------------------------

+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 3.60.0.1016
| Computer Name: HOME-PC
| User Name: Home
+----------------------------------------------------


--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
No hidden files found.

--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\DB\Cache\HOME-PC
SubKey : HOME-PC
FullLength: 0x3b
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\DB\Data\IdList
SubKey : IdList
FullLength: 0x39
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\DB\Data\Users
SubKey : Users
FullLength: 0x38
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\DB\MainDB\Users
SubKey : Users
FullLength: 0x3a
[HIDDEN_REGISTRY][Hidden Reg Value]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Recording\Restricted
Root : 0
SubKey : Restricted
ValueName : ccc
Data : 48 E7 E 92 58 B3 13 E6 ...
ValueType : 3
AccessType: 0
FullLength: 0x66
DataSize : 0xc8
5 hidden registry entries found.


--== Dump Hidden Process ==--
No hidden processes found.

--== Dump Hidden Driver ==--
No hidden drivers found.

--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwAlertResumeThread
Image Path :
OriginalHandler : 0x820ab51d
CurrentHandler : 0x8730d9f8
ServiceNumber : 0xd
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwAlertThread
Image Path :
OriginalHandler : 0x820241e5
CurrentHandler : 0x8730dad8
ServiceNumber : 0xe
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwAllocateVirtualMemory
Image Path :
OriginalHandler : 0x820604ab
CurrentHandler : 0x875969d8
ServiceNumber : 0x12
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwAlpcConnectPort
Image Path :
OriginalHandler : 0x8200281f
CurrentHandler : 0x86cffe38
ServiceNumber : 0x15
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwAssignProcessToJobObject
Image Path :
OriginalHandler : 0x81fd5b13
CurrentHandler : 0x8774cdf0
ServiceNumber : 0x2a
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateMutant
Image Path :
OriginalHandler : 0x820387bc
CurrentHandler : 0x8730d748
ServiceNumber : 0x43
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateSymbolicLinkObject
Image Path :
OriginalHandler : 0x81fd832a
CurrentHandler : 0x8774cb10
ServiceNumber : 0x4d
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateThread
Image Path :
OriginalHandler : 0x820a9b98
CurrentHandler : 0x87596ec0
ServiceNumber : 0x4e
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDebugActiveProcess
Image Path :
OriginalHandler : 0x8207cce2
CurrentHandler : 0x8774ced0
ServiceNumber : 0x74
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwDuplicateObject
Image Path :
OriginalHandler : 0x820104e1
CurrentHandler : 0x87596ba8
ServiceNumber : 0x81
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwFreeVirtualMemory
Image Path :
OriginalHandler : 0x81e9cf5d
CurrentHandler : 0x875967f8
ServiceNumber : 0x93
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwImpersonateAnonymousToken
Image Path :
OriginalHandler : 0x81fd2ee2
CurrentHandler : 0x8730d838
ServiceNumber : 0x9c
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwImpersonateThread
Image Path :
OriginalHandler : 0x81fe84e4
CurrentHandler : 0x8730d918
ServiceNumber : 0x9e
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwLoadDriver
Image Path :
OriginalHandler : 0x81f83dee
CurrentHandler : 0x86cffe00
ServiceNumber : 0xa5
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwMapViewOfSection
Image Path :
OriginalHandler : 0x8202882a
CurrentHandler : 0x875966f8
ServiceNumber : 0xb1
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenEvent
Image Path :
OriginalHandler : 0x82011d5f
CurrentHandler : 0x8730d668
ServiceNumber : 0xb8
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenProcess
Image Path :
OriginalHandler : 0x82038f58
CurrentHandler : 0x87596d88
ServiceNumber : 0xc2
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenProcessToken
Image Path :
OriginalHandler : 0x820199be
CurrentHandler : 0x87596ac8
ServiceNumber : 0xc3
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenSection
Image Path :
OriginalHandler : 0x820295fd
CurrentHandler : 0x8730d4a8
ServiceNumber : 0xc5
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwOpenThread
Image Path :
OriginalHandler : 0x820344aa
CurrentHandler : 0x87596c98
ServiceNumber : 0xc9
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwProtectVirtualMemory
Image Path :
OriginalHandler : 0x8203228d
CurrentHandler : 0x8774cd00
ServiceNumber : 0xd2
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwResumeThread
Image Path :
OriginalHandler : 0x82033af5
CurrentHandler : 0x8730dbb8
ServiceNumber : 0x11a
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetContextThread
Image Path :
OriginalHandler : 0x820aa867
CurrentHandler : 0x8730de58
ServiceNumber : 0x121
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetInformationProcess
Image Path :
OriginalHandler : 0x8202c858
CurrentHandler : 0x8730df38
ServiceNumber : 0x131
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSetSystemInformation
Image Path :
OriginalHandler : 0x81ffee83
CurrentHandler : 0x8774cf90
ServiceNumber : 0x13d
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSuspendProcess
Image Path :
OriginalHandler : 0x820ab457
CurrentHandler : 0x8730d588
ServiceNumber : 0x14a
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwSuspendThread
Image Path :
OriginalHandler : 0x81fb292d
CurrentHandler : 0x8730dc98
ServiceNumber : 0x14b
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwTerminateProcess
Image Path :
OriginalHandler : 0x820090d3
CurrentHandler : 0x87413c28
ServiceNumber : 0x14e
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwTerminateThread
Image Path :
OriginalHandler : 0x820344df
CurrentHandler : 0x8730dd78
ServiceNumber : 0x14f
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwUnmapViewOfSection
Image Path :
OriginalHandler : 0x82028aed
CurrentHandler : 0x87596618
ServiceNumber : 0x15c
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwWriteVirtualMemory
Image Path :
OriginalHandler : 0x820258bd
CurrentHandler : 0x875968e8
ServiceNumber : 0x166
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwCreateThreadEx
Image Path :
OriginalHandler : 0x82033f94
CurrentHandler : 0x8774cc00
ServiceNumber : 0x17e
ModuleName :
SDTType : 0x0


--== Dump Hidden Port ==--
No hidden ports found.

--== Dump Kernel Code Patching ==--
No kernel code patching detected.

--== Dump Hidden Services ==--
No hidden services found.

Attached File  Ark.txt   3.94KB   6 downloads
Attached File  arkD.txt   7.31KB   3 downloads
Attached File  Attach.txt   11.75KB   2 downloads
Attached File  DDS.txt   14.24KB   3 downloads

Thanks!

Edited by b2012, 11 July 2011 - 04:49 PM.


#4 rigacci

rigacci

    Fiorentino


  • Members
  • 2,604 posts

Posted 11 July 2011 - 02:54 PM

Can you please run the DDS and post the DDS.txt log it creates? DDS always creates 2 logs, DDS.txt and Attach.txt. You have posted the attach.txt and not the DDS.txt.

Thanks.

DR

#5 b2012

b2012
  • Topic Starter

  • Members
  • 13 posts

Posted 11 July 2011 - 04:48 PM

Attached File  DDS.txt   14.24KB   5 downloads

#6 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts

Posted 12 July 2011 - 01:17 PM

Hi,

Welcome to Bleeping Computer. My name is oneof4 and I will be helping you with your log.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic box to the right of your topic title and selecting Immediate Notification.


Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.


Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:

Best Regards,
oneof4.


#7 b2012

b2012
  • Topic Starter

  • Members
  • 13 posts

Posted 12 July 2011 - 01:30 PM

I'm here.

#8 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts

Posted 12 July 2011 - 02:55 PM

OK, give me some time to look over your logs, and I'll get back to you ASAP. :thumbup2:

Best Regards,
oneof4.


#9 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts

Posted 14 July 2011 - 07:46 AM

Hey b2012, :)

I haven't forgotten you, I'm just waiting on approval of my instructions before posting them. Hopefully, it will be sometime later today.

Best Regards,
oneof4.


#10 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts

Posted 15 July 2011 - 05:52 AM

Hello b2012 :)

You may not have quite the rootkit problem that you think you do, but we'll determine that for sure after you perform the following:

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to raise "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:
1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.
Therefore please go to add/remove in the control panel and remove either Norton Internet Security or Microsoft Security Essentials.

==========

Next, please perform the following:

Open MBAM (MalwareBytes), update it, perform a "Quick Scan", post the log in your next reply.

==========

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

==========

Things I need to see in your next reply:

  • MBAM log
  • ESET results
  • How is your system running?

Best Regards,
oneof4.


#11 b2012

b2012
  • Topic Starter

  • Members
  • 13 posts

Posted 16 July 2011 - 11:39 PM

I ran the scans, MBAM was clean as was ESET.

The original concern for the request was that back when I was using avast, it detected Win32:Kryptik-YK (Trj). It is since gone. I have previously noticed suspicious activity on several accounts. The accounts have since been closed. This virus has been removed, and is undetectable.

avast has also previously identified C:\HP\BIN\EndProcess.exe as a PUP, (Win32:KillApp-W). I do have an HP laptop, so it may be false positive.


Based on these results, can I assume my system is now clean? Only NIS 2011, and MBAM are now installed, so that should prevent them setting off each other.



Also, if my comp. is now clean, when I clean install Win 7 Pro, should I load NIS 2011, then let it run Windows Update?


Thanks!




#12 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts

Posted 18 July 2011 - 12:21 PM

Hey b2012 :)

Congratulations! You now appear clean! :cool:

**********

Addressing your initial concern with rootkits, it appears that there actually was never a rootkit present, or if there was at some earlier time, it is now no longer with you. Unfortunately, certain rootkit scanners can sometimes give false-positives due to a file that exhibits certain characteristics that cause the scanner to "think" it's malicious, even though it isn't.

If moving to Windows 7 is your goal, you should be free to do that at this point, as long as your system meets the minimum system requirements for Win7.

Here's a tutorial that will walk you through the process if you need it:

Upgrading from Vista to Win7

**********

Are things running okay? Do you have any more questions?

**********

Reset System Restore

  • Click Start and right click on My Computer. Then select Properties.
  • In the opened window, double-click on system and then System Protection.
  • Uncheck the box for Local Disk C:\ and confirm.
  • To reactivate system restore, you just have to check the box.
**********

Recommendations

Below are some recommendations to lower your chances of becoming infected.


  • Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.

    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use; the paid versions add a resident shield and do not nag.
  • Prevention article : To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections please read the Prevention article by Miekiemoes.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    http://www.techtalkz.com/windows-7/515869-windows-update-enable-disable-automatic-updates-windows-7-guide.html
  • Keep your other software up to date as well. Software does not need to be made by Microsoft to be insecure. Download Secunia Software Inspector to keep all your software up to date.
  • Consider Firefox as your primary browser. It's safer, fast and secure!
  • Install WOT. Never inadvertently surf to a dangerous website again.
  • Install NoScript. Pre-emptively blocks malicious scripts and allows JavaScript, Java and other potentially dangerous content only from sites you trust.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing. :(
**********

Safe Surfing!

Best Regards,
oneof4.
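
As an added example, written for this thread and not code from the poster, from BleepingComputer or from Trend Micro, here is a small Python triage script for the RootkitBuster report posted above. It parses the report's records, lists the registry keys the scanner reported as hidden, and summarises the SSDT hook list the way a responder reads it before deciding, as oneof4 did, whether the hooks belong to a resident security product or to something hidden: where the original handlers sit, how many distinct pages the replacement handlers occupy, and which hooks carry no ModuleName. The record layout is inferred from the posted log; the embedded report is a constructed excerpt containing a few of its records.

```python
# Constructed excerpt in Trend Micro RootkitBuster's report layout. The records
# are copied from the scan posted in this thread; only 3 of its 32 hooks appear.
SAMPLE_LOG = r"""
--== Dump Hidden Registry Value on HKLM ==--
[HIDDEN_REGISTRY][Hidden Reg Key]:
KeyPath : HKEY_LOCAL_MACHINE\SOFTWARE\DigitalPersona\DB\Cache\HOME-PC
SubKey : HOME-PC
FullLength: 0x3b
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API : ZwOpenProcess
Image Path :
OriginalHandler : 0x82038f58
CurrentHandler : 0x87596d88
ServiceNumber : 0xc2
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwLoadDriver
Image Path :
OriginalHandler : 0x81f83dee
CurrentHandler : 0x86cffe00
ServiceNumber : 0xa5
ModuleName :
SDTType : 0x0
[HOOKED_SERVICE_API]:
Service API : ZwTerminateProcess
Image Path :
OriginalHandler : 0x820090d3
CurrentHandler : 0x87413c28
ServiceNumber : 0x14e
ModuleName :
SDTType : 0x0
"""


def parse_records(text):
    """Turn the report into a list of dicts. A line such as '[HOOKED_SERVICE_API]:'
    opens a record; the 'Field : value' lines that follow belong to it."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith(":"):
            current = {"_type": line[:-1]}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records


def hidden_registry(records):
    """Key paths the scanner could not see through the normal registry API."""
    return [r["KeyPath"] for r in records if r["_type"].startswith("[HIDDEN_REGISTRY]")]


def triage_hooks(records):
    """Span of the original handlers (one contiguous image if they are the kernel's
    own), the 4 KiB pages the replacements land on (a handful of pages points to
    one or two resident drivers), and hooks the scanner could not attribute."""
    hooks = [r for r in records if r["_type"] == "[HOOKED_SERVICE_API]"]
    originals = [int(h["OriginalHandler"], 16) for h in hooks]
    pages = {}
    for h in hooks:
        page = int(h["CurrentHandler"], 16) & ~0xFFF
        pages.setdefault(hex(page), []).append(h["Service API"])
    return {
        "hook_count": len(hooks),
        "original_range": (min(originals), max(originals)),
        "handler_pages": pages,
        "unattributed": [h["Service API"] for h in hooks if not h["ModuleName"]],
    }
```

Run against the full posted report, the 32 hooks resolve to five handler pages, all outside the range the original handlers occupy, and every one lacks a ModuleName; that pattern says "one or two drivers are hooking, and the scanner could not name them", which is where a responder checks the installed security products before calling it a rootkit.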


#13 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts

Posted 23 July 2011 - 08:40 PM

Hey b2012 :)

Just checking on you...did you follow my last instructions?

Best Regards,
oneof4.


#14 b2012

b2012
  • Topic Starter

  • Members
  • 13 posts

Posted 25 July 2011 - 01:05 PM

I did,

-I use Firefox as my default browser, and try to keep the plugins (especially Flash) up to date, and installed NoScript. I did forego WOT b/c I already have Norton SafeWeb.
-Windows Update is set to automatic/Recommended settings.
-I use NIS 2011 and set up regular scanning
-Installed MBAM
-Installed Secunia.

Microsoft guided me through Windows 7 installation, and it's up and running. It is so much faster and more responsive.

I REALLY appreciate your help.


Thanks!!!

#15 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts

Posted 25 July 2011 - 04:00 PM

You're very, very welcome! :thumbup2:

Best Regards,
oneof4.




