Old 02-22-2009, 08:15 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Windows XP Home SP3


Malware/Rootkit removal assistance request

I am currently having an issue where I cannot access update.microsoft.com or download.microsoft.com, or any variations of the two. Any attempt, even in safe mode, is instantly redirected to google.com. Malwarebytes.org and safer-networking.org are also directed to Google. I am also getting pop-up ads on many sites, despite my best efforts to remove any form of spyware/adware/etc. I am currently using Symantec Anti-Virus, after having multiple issues with McAfee, so I am turning to the professionals.

GMER instantly pointed out gaopdxserv.sys, which is a fairly well known trojan, and I'm confident I could remove it on my own, but at this point I'd rather be aware of any and all threats currently on my computer, and remove them.


Thank you for any help you guys have to offer!

DDS.txt results:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Luke at 20:00:15.03 on Sun 02/22/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1395 [GMT -7:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\MySQL\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Luke\Desktop\ProcessExplorer\procexp.exe
C:\Documents and Settings\Luke\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Veoh Browser Plug-in: {d0943516-5076-4020-a3b5-aefaf26ab263} - c:\program files\veoh networks\veoh\plugins\reg\VeohToolbar.dll
TB: Veoh Web Player Video Finder: {0fbb9689-d3d7-4f7a-a2e2-585b10099bfc} - c:\program files\veoh networks\veohwebplayer\VeohIEToolbar.dll
uRun: [Creative Detector] c:\program files\creative\mediasource\detector\CTDetect.exe /R
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [QuickCare2.2] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QuickCare2.2
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [CTDVDDET] "c:\program files\creative\sbaudigy4\dvdaudio\CTDVDDET.EXE"
mRun: [CTSysVol] c:\program files\creative\sbaudigy4\surround mixer\CTSysVol.exe /r
mRun: [RCSystem] "c:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [CTHelper] CTHELPER.EXE
mRun: [type32] "c:\program files\microsoft intellitype pro\type32.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\point32.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [googletalk] c:\program files\google\google talk\googletalk.exe /autostart
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [UpdReg] c:\windows\UpdReg.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6662.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1219591922890
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
TCP: NameServer = 85.255.116.147,85.255.112.211
TCP: {8614C165-0AAB-4432-AECA-F172ACDCE83E} = 85.255.116.147
Notify: NavLogon - c:\windows\system32\NavLogon.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\luke\applic~1\mozilla\firefox\profiles\2309xq7l.default\
FF - prefs.js: browser.startup.homepage - www.google.com/ig
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-27 207656]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-12-9 13088]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-10-7 1822648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-2-20 99376]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090220.004\naveng.sys [2009-2-20 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090220.004\navex15.sys [2009-2-20 876144]
S2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe --> c:\progra~1\mcafee\viruss~1\mcshield.exe [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-12 79240]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-12 35240]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-12 34152]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-12 40488]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-10-7 116664]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe --> c:\progra~1\mcafee\viruss~1\mcsysmon.exe [?]

=============== Created Last 30 ================

2009-02-22 19:46 <DIR> --d----- c:\windows\system32\NtmsData
2009-02-22 19:13 <DIR> --d----- c:\program files\CCleaner
2009-02-22 19:02 250 a------- c:\windows\gmer.ini
2009-02-22 18:55 <DIR> --d----- c:\program files\Trend Micro
2009-02-22 18:29 <DIR> --d----- c:\program files\SpywareBlaster
2009-02-22 00:45 <DIR> --d----- c:\program files\Roxio
2009-02-22 00:45 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-02-22 00:29 <DIR> --d----- c:\docume~1\luke\applic~1\Blackberry Desktop
2009-02-21 23:13 26,496 a----r-- c:\windows\system32\drivers\RimSerial.sys
2009-02-21 23:13 <DIR> --d----- c:\program files\Research In Motion
2009-02-21 23:13 <DIR> --d----- c:\program files\common files\Research In Motion
2009-02-21 12:29 <DIR> --d----- c:\program files\Pcsx2
2009-02-20 15:22 0 a------- c:\windows\vpc32.INI
2009-02-20 08:39 110,952 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-20 08:39 48,768 a------- c:\windows\system32\S32EVNT1.DLL
2009-02-20 08:39 8,014 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-20 08:39 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-02-20 08:37 <DIR> --d----- c:\program files\Symantec
2009-02-20 08:37 <DIR> --d----- c:\program files\Symantec AntiVirus
2009-02-20 08:37 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-02-20 08:37 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-02-20 08:35 <DIR> --d----- c:\program files\sav
2009-02-17 11:44 <DIR> --d----- c:\docume~1\luke\applic~1\GetRightToGo
2009-02-16 23:28 <DIR> --d----- c:\program files\National Instruments
2009-02-16 23:28 <DIR> --d----- c:\program files\SoD Spell Parser
2009-01-30 10:50 410,984 a------- c:\windows\system32\deploytk.dll
2009-01-30 10:50 73,728 a------- c:\windows\system32\javacpl.cpl
2009-01-28 20:48 328 ---shr-- C:\autorun.inf
2009-01-28 17:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Drivers HeadQuarters
2009-01-25 01:04 <DIR> --d----- c:\windows\NV24962668.TMP

==================== Find3M ====================

2009-01-14 16:48 6 a------- c:\windows\fonts\wfonts.key
2009-01-07 11:28 453,152 a------- c:\windows\system32\NVUNINST.EXE
2008-12-05 17:17 4,608 ac------ c:\windows\system32\w95inf32.dll
2008-12-05 17:17 2,272 ac------ c:\windows\system32\w95inf16.dll

============= FINISH: 20:00:37.62 ===============


Also note that I have used Add/Remove Programs to uninstall McAfee, so I am not sure why the processes are still showing up in this report, as they are not currently running in Task Manager, or ProcessExplorer.
Attached Files
File Type: rar Attach.rar (38.6 KB, 4 views)

Last edited by Source827; 02-22-2009 at 08:28 PM.
Old 02-24-2009, 01:47 PM   #2 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64

My System

Re: Malware/Rootkit removal assistance request

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription

Please note that the forum is very busy and if I don't hear from you within three days from this initial post then the thread will be closed.

Please follow these directions in the order they are set out for you.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 02-24-2009, 07:48 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Windows XP Home SP3


Re: Malware/Rootkit removal assistance request

Thanks for the reply Steve, here's the log file you requested:

ComboFix 09-02-24.02 - Luke 2009-02-24 19:41:01.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1456 [GMT -7:00]
Running from: c:\documents and settings\Luke\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Luke\Local Settings\Temporary Internet Files\PLauncher.exe
c:\program files\SAV
c:\program files\SAV\0x0409.ini
c:\program files\SAV\Data1.cab
c:\program files\SAV\instmsiw.exe
c:\program files\SAV\LUSETUP.EXE
c:\program files\SAV\Setup.exe
c:\program files\SAV\Setup.ini
c:\program files\SAV\Symantec AntiVirus.msi
c:\program files\SAV\VDefHub.zip
c:\windows\system32\gaopdxcounter

----- BITS: Possible infected sites -----

hxxp://download.esd.intuit.com
.
((((((((((((((((((((((((( Files Created from 2009-01-25 to 2009-02-25 )))))))))))))))))))))))))))))))
.

2009-02-24 19:32 . 2009-02-24 19:32 <DIR> d-------- c:\windows\LastGood
2009-02-24 01:41 . 2008-04-30 19:28 1,654,869 --a------ c:\documents and settings\All Users\Application Data\DynuEncrypt.dll
2009-02-24 00:48 . 2009-02-24 00:48 <DIR> d-------- C:\ijji
2009-02-24 00:48 . 2009-02-24 00:48 <DIR> d-------- c:\documents and settings\Luke\Application Data\ijjigame
2009-02-24 00:03 . 2009-02-24 00:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\IJJIGame
2009-02-23 19:01 . 2009-02-23 19:01 1,374 --a------ c:\windows\imsins.BAK
2009-02-23 19:00 . 2009-02-23 19:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-23 09:15 . 2009-02-24 09:29 4,958,588 --a------ c:\windows\{00000002-00000000-00000001-00001102-00000008-10211102}.BAK
2009-02-22 23:54 . 2009-02-23 17:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 23:54 . 2009-02-22 23:54 <DIR> d-------- c:\documents and settings\Luke\Application Data\Malwarebytes
2009-02-22 23:54 . 2009-02-22 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 23:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 23:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-22 22:47 . 2009-02-22 22:47 <DIR> d-------- c:\windows\Logs
2009-02-22 19:46 . 2009-02-22 19:47 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-22 19:13 . 2009-02-22 19:13 <DIR> d-------- c:\program files\CCleaner
2009-02-22 19:02 . 2009-02-22 20:25 250 --a------ c:\windows\gmer.ini
2009-02-22 18:55 . 2009-02-22 18:55 <DIR> d-------- c:\program files\Trend Micro
2009-02-22 18:29 . 2009-02-22 18:31 <DIR> d-------- c:\program files\SpywareBlaster
2009-02-22 18:29 . 2009-02-22 19:18 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-22 18:25 . 2009-02-22 18:28 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-02-22 00:47 . 2009-02-22 00:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2009-02-22 00:47 . 2009-02-22 00:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2009-02-22 00:45 . 2009-02-22 00:45 <DIR> d-------- c:\program files\Roxio
2009-02-22 00:45 . 2009-02-22 00:47 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2009-02-22 00:45 . 2009-02-22 00:46 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2009-02-22 00:45 . 2009-02-22 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2009-02-22 00:29 . 2009-02-22 00:29 <DIR> d-------- c:\documents and settings\Luke\Application Data\Blackberry Desktop
2009-02-21 23:13 . 2009-02-21 23:13 <DIR> d-------- c:\program files\Research In Motion
2009-02-21 23:13 . 2009-02-22 00:39 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-02-21 23:13 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-02-21 12:29 . 2009-02-22 23:35 <DIR> d-------- c:\program files\Pcsx2
2009-02-20 15:22 . 2009-02-20 15:22 0 --a------ c:\windows\vpc32.INI
2009-02-20 08:39 . 2009-02-20 08:40 110,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-20 08:39 . 2009-02-20 08:40 48,768 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-20 08:39 . 2009-02-20 08:40 8,014 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-20 08:39 . 2009-02-20 08:40 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-20 08:37 . 2009-02-24 19:32 <DIR> d-------- c:\program files\Symantec AntiVirus
2009-02-20 08:37 . 2009-02-20 08:40 <DIR> d-------- c:\program files\Symantec
2009-02-20 08:37 . 2009-02-20 08:40 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-02-20 08:37 . 2009-02-20 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-02-17 11:44 . 2009-02-17 12:42 <DIR> d-------- c:\documents and settings\Luke\Application Data\GetRightToGo
2009-02-16 23:28 . 2009-02-16 23:29 <DIR> d-------- c:\program files\SoD Spell Parser
2009-02-16 23:28 . 2009-02-16 23:28 <DIR> d-------- c:\program files\National Instruments
2009-02-06 19:01 . 2009-02-06 19:01 <DIR> d-------- c:\documents and settings\Administrator
2009-02-04 21:37 . 2009-02-04 21:37 <DIR> d-------- c:\windows\Sun
2009-02-04 18:41 . 2009-02-20 08:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-30 10:50 . 2009-01-30 10:50 <DIR> d-------- c:\program files\Java
2009-01-30 10:50 . 2009-01-30 10:50 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-30 10:50 . 2009-01-30 10:50 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-28 17:47 . 2009-01-28 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-01-27 16:58 . 2009-01-27 16:58 <DIR> d-------- c:\documents and settings\Alan\Application Data\Intuit
2009-01-25 01:04 . 2009-01-25 01:08 <DIR> d-------- c:\windows\NV24962668.TMP

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-24 07:35 --------- d-----w c:\program files\SoD
2009-02-24 02:29 --------- d-----w c:\program files\mIRC
2009-02-24 02:29 --------- d-----w c:\documents and settings\Luke\Application Data\mIRC
2009-02-23 02:43 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-22 07:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-29 01:16 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 00:19 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-01-21 00:17 --------- d-----w c:\program files\Common Files\Intuit
2009-01-21 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-01-21 00:14 --------- d-----w c:\program files\TurboTax
2009-01-14 23:48 6 ----a-w c:\windows\Fonts\wfonts.key
2009-01-09 21:19 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-01-09 05:32 --------- d-----w c:\program files\Half Life 2
2009-01-07 18:28 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-01-05 20:18 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-31 06:49 --------- d-----w c:\documents and settings\Luke\Application Data\DivX
2008-12-29 09:57 --------- d-----w c:\program files\Veoh Networks
2008-12-29 04:31 --------- d-----w c:\program files\DivX
2008-12-27 22:51 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-12-27 17:33 --------- d-----w c:\program files\WinEQ2
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-06 00:17 4,608 -c--a-w c:\windows\system32\w95inf32.dll
2008-12-06 00:17 2,272 -c--a-w c:\windows\system32\w95inf16.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2005-06-17 c:\windows\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2006-09-15 12:27 2048000 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
--a------ 2008-12-16 10:07 3528440 c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-12-09 13088]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-20 99376]
S0 kdstqa;kdstqa;c:\windows\system32\drivers\kmeht.sys --> c:\windows\system32\drivers\kmeht.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-10-07 116664]
.
Contents of the 'Scheduled Tasks' folder

2009-02-24 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-mcagent_exe - c:\program files\McAfee.com\Agent\mcagent.exe
MSConfigStartUp-McENUI - c:\progra~1\McAfee\MHN\McENUI.exe


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\2309xq7l.default\
FF - prefs.js: browser.startup.homepage - www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-24 19:44:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\mysql\bin\mysqld-nt\" --defaults-file=\"c:\mysql\my.ini\" MySQL"
.
Completion time: 2009-02-24 19:45:44
ComboFix-quarantined-files.txt 2009-02-25 02:45:41

Pre-Run: 33,240,518,656 bytes free
Post-Run: 34,003,898,368 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
202 --- E O F --- 2009-02-24 02:08:43
Old 02-25-2009, 09:23 AM   #4 (permalink)
Analyst, Security Team
 
sjb007's Avatar
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64

My System

Re: Malware/Rootkit removal assistance request

Howdy there Luke

Go to start menu - Select Run and in the command box type in notepad
Next - copy/paste the text in the code box below into it:

Quote:
File::
C:\WINDOWS\system32\drivers\gaopdxqdxrsyea.sys

Driver::
gaopdxqdxrsyea
- Save this to your desktop as CFScript.txt
- Drag the CFScript.txt over onto Combofix.exe and release.



Combofix will then execute the script and produce a fresh log

============================

Download and scan with CCleaner Slim
1. Double click the file and install ccleaner

2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

============================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post back with the logs from ComboFix and Kaspersky in your next reply.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
Old 02-25-2009, 10:26 PM   #5
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Windows XP Home SP3


Re: Malware/Rootkit removal assistance request

Here you go Steve:

Combofix

ComboFix 09-02-25.02 - Luke 2009-02-25 22:17:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1399 [GMT -7:00]
Running from: c:\documents and settings\Luke\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Luke\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\gaopdxqdxrsyea.sys
.

((((((((((((((((((((((((( Files Created from 2009-01-26 to 2009-02-26 )))))))))))))))))))))))))))))))
.

2009-02-24 01:41 . 2008-04-30 19:28 1,654,869 --a------ c:\documents and settings\All Users\Application Data\DynuEncrypt.dll
2009-02-24 00:48 . 2009-02-24 00:48 <DIR> d-------- C:\ijji
2009-02-24 00:48 . 2009-02-24 00:48 <DIR> d-------- c:\documents and settings\Luke\Application Data\ijjigame
2009-02-24 00:03 . 2009-02-24 00:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\IJJIGame
2009-02-23 19:00 . 2009-02-23 19:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-02-22 23:54 . 2009-02-23 17:02 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-22 23:54 . 2009-02-22 23:54 <DIR> d-------- c:\documents and settings\Luke\Application Data\Malwarebytes
2009-02-22 23:54 . 2009-02-22 23:54 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-22 23:54 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-22 23:54 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-22 22:47 . 2009-02-22 22:47 <DIR> d-------- c:\windows\Logs
2009-02-22 19:46 . 2009-02-22 19:47 <DIR> d-------- c:\windows\system32\NtmsData
2009-02-22 19:13 . 2009-02-22 19:13 <DIR> d-------- c:\program files\CCleaner
2009-02-22 19:02 . 2009-02-22 20:25 250 --a------ c:\windows\gmer.ini
2009-02-22 18:55 . 2009-02-22 18:55 <DIR> d-------- c:\program files\Trend Micro
2009-02-22 18:29 . 2009-02-22 18:31 <DIR> d-------- c:\program files\SpywareBlaster
2009-02-22 18:29 . 2009-02-22 19:18 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2009-02-22 18:25 . 2009-02-22 18:28 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-02-22 00:47 . 2009-02-22 00:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sonic
2009-02-22 00:47 . 2009-02-22 00:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\InstallShield
2009-02-22 00:45 . 2009-02-22 00:45 <DIR> d-------- c:\program files\Roxio
2009-02-22 00:45 . 2009-02-22 00:47 <DIR> d-------- c:\program files\Common Files\Sonic Shared
2009-02-22 00:45 . 2009-02-22 00:46 <DIR> d-------- c:\program files\Common Files\Roxio Shared
2009-02-22 00:45 . 2009-02-22 18:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Roxio
2009-02-22 00:29 . 2009-02-22 00:29 <DIR> d-------- c:\documents and settings\Luke\Application Data\Blackberry Desktop
2009-02-21 23:13 . 2009-02-21 23:13 <DIR> d-------- c:\program files\Research In Motion
2009-02-21 23:13 . 2009-02-22 00:39 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-02-21 23:13 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-02-21 12:29 . 2009-02-22 23:35 <DIR> d-------- c:\program files\Pcsx2
2009-02-20 15:22 . 2009-02-20 15:22 0 --a------ c:\windows\vpc32.INI
2009-02-20 08:39 . 2009-02-20 08:40 110,952 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-02-20 08:39 . 2009-02-20 08:40 48,768 --a------ c:\windows\system32\S32EVNT1.DLL
2009-02-20 08:39 . 2009-02-20 08:40 8,014 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-02-20 08:39 . 2009-02-20 08:40 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-02-20 08:37 . 2009-02-25 22:16 <DIR> d-------- c:\program files\Symantec AntiVirus
2009-02-20 08:37 . 2009-02-20 08:40 <DIR> d-------- c:\program files\Symantec
2009-02-20 08:37 . 2009-02-20 08:40 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-02-20 08:37 . 2009-02-20 08:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-02-17 11:44 . 2009-02-17 12:42 <DIR> d-------- c:\documents and settings\Luke\Application Data\GetRightToGo
2009-02-16 23:28 . 2009-02-16 23:29 <DIR> d-------- c:\program files\SoD Spell Parser
2009-02-16 23:28 . 2009-02-16 23:28 <DIR> d-------- c:\program files\National Instruments
2009-02-06 19:01 . 2009-02-06 19:01 <DIR> d-------- c:\documents and settings\Administrator
2009-02-04 21:37 . 2009-02-04 21:37 <DIR> d-------- c:\windows\Sun
2009-02-04 18:41 . 2009-02-20 08:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-01-30 10:50 . 2009-01-30 10:50 <DIR> d-------- c:\program files\Java
2009-01-30 10:50 . 2009-01-30 10:50 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-30 10:50 . 2009-01-30 10:50 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-01-28 17:47 . 2009-01-28 17:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-01-27 16:58 . 2009-01-27 16:58 <DIR> d-------- c:\documents and settings\Alan\Application Data\Intuit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 01:21 --------- d-----w c:\documents and settings\Luke\Application Data\mIRC
2009-02-26 01:20 --------- d-----w c:\program files\mIRC
2009-02-24 07:35 --------- d-----w c:\program files\SoD
2009-02-23 02:43 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-02-22 07:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-01-29 01:16 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 00:19 --------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-01-21 00:17 --------- d-----w c:\program files\Common Files\Intuit
2009-01-21 00:17 --------- d-----w c:\documents and settings\All Users\Application Data\Intuit
2009-01-21 00:14 --------- d-----w c:\program files\TurboTax
2009-01-14 23:48 6 ----a-w c:\windows\Fonts\wfonts.key
2009-01-09 21:19 --------- d-----w c:\documents and settings\LocalService\Application Data\SACore
2009-01-09 05:32 --------- d-----w c:\program files\Half Life 2
2009-01-07 18:28 453,152 ----a-w c:\windows\system32\NVUNINST.EXE
2009-01-05 20:18 --------- d-----w c:\program files\Common Files\Blizzard Entertainment
2008-12-31 06:49 --------- d-----w c:\documents and settings\Luke\Application Data\DivX
2008-12-29 09:57 --------- d-----w c:\program files\Veoh Networks
2008-12-29 04:31 --------- d-----w c:\program files\DivX
2008-12-27 22:51 --------- d-----w c:\documents and settings\All Users\Application Data\Blizzard
2008-12-27 17:33 --------- d-----w c:\program files\WinEQ2
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-06 00:17 4,608 -c--a-w c:\windows\system32\w95inf32.dll
2008-12-06 00:17 2,272 -c--a-w c:\windows\system32\w95inf16.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-02-24_19.44.46.15 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-14 11:42:06 8,461,312 -c--a-w c:\windows\system32\dllcache\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 -c--a-w c:\windows\system32\dllcache\shell32.dll
- 2008-04-14 11:42:06 8,461,312 ----a-w c:\windows\system32\shell32.dll
+ 2008-06-17 19:02:19 8,461,312 ----a-w c:\windows\system32\shell32.dll
- 2009-02-25 02:28:21 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4b8.dat
+ 2009-02-25 05:01:34 16,384 ------w c:\windows\Temp\Perflib_Perfdata_4b8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 102400]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickCare2.2"="c:\program files\Qwest\QuickCare\bin\sprtcmd.exe" [2007-05-04 198184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"CTDVDDET"="c:\program files\Creative\SBAudigy4\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"CTSysVol"="c:\program files\Creative\SBAudigy4\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-16 49152]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 196608]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-30 136600]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-10-07 125368]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2007-04-23 228088]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 c:\windows\SOUNDMAN.EXE]
"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2005-06-17 c:\windows\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
--------- 2006-09-15 12:27 2048000 c:\program files\Ahead\Nero BackItUp\NBJ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VeohPlugin]
--a------ 2008-12-16 10:07 3528440 c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\WINDOWS\\Downloaded Program Files\\PurpleBean.exe"=

R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-12-09 13088]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-20 99376]
S0 kdstqa;kdstqa;c:\windows\system32\drivers\kmeht.sys --> c:\windows\system32\drivers\kmeht.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-10-07 116664]
.
Contents of the 'Scheduled Tasks' folder

2009-02-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe []
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Luke\Application Data\Mozilla\Firefox\Profiles\2309xq7l.default\
FF - prefs.js: browser.startup.homepage - www.google.com/ig
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiCHPlugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npijjiFFPlugin1.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-25 22:20:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\mysql\bin\mysqld-nt\" --defaults-file=\"c:\mysql\my.ini\" MySQL"
.
Completion time: 2009-02-25 22:22:38
ComboFix-quarantined-files.txt 2009-02-26 05:22:35
ComboFix2.txt 2009-02-25 02:45:45

Pre-Run: 33,867,407,360 bytes free
Post-Run: 33,909,276,672 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=4 Sets=1,2,3,4
181 --- E O F --- 2009-02-25 04:59:16


Kaspersky

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, February 25, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, February 26, 2009 02:07:10
Records in database: 1845575
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
I:\

Scan statistics:
Files scanned: 175634
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:46:18


File name / Threat name / Threats count
C:\Documents and Settings\Luke\Desktop\epsxe\xB-Browser_2.0.0.17a.exe Infected: not-a-virus:RiskTool.Win32.FWDisabler.a 1

The selected area was scanned.
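The service entries in the "Reg Loading Points" section of the ComboFix log above are the lines a helper reads first, and the one the helper goes on to ask about is the S0 (boot-start) driver whose image ComboFix could not pair with a date and size. The following Python is an added example of mine, not ComboFix's code or anything from this thread: it parses those five service lines (copied from the log as constructed sample input) into fields and attaches review reasons using three heuristics of my own: the `[?]` marker where a file date and size would normally be (which I read as "image not found on disk"), a boot-start `.sys` driver whose service name does not match its file name, and a boot-start driver using a lowercase name as its own display name. A flag means "look closer", as the helper did, not "this is malware".

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the five service lines from the ComboFix log posted above,
# copied verbatim. The parser and the heuristics below are my own, not ComboFix's.
SAMPLE_SERVICE_LINES = r"""
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-12-09 13088]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [2008-01-08 1213728]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-20 99376]
S0 kdstqa;kdstqa;c:\windows\system32\drivers\kmeht.sys --> c:\windows\system32\drivers\kmeht.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2007-10-07 116664]
"""

# One ComboFix service line, as seen in the log:
#   <R|S><start> <name>;<display>;<image>[ --> <resolved image>] [<date size> | ?]
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<image>.+?)(?: --> (?P<resolved>.+?))? \[(?P<info>[^\]]*)\]$"
)


@dataclass
class ServiceEntry:
    running: bool          # R = running, S = stopped
    start_type: int        # 0 = boot, 1 = system, 2 = auto, 3 = manual
    name: str
    display: str
    image: str
    file_info: str         # "YYYY-MM-DD size" when the file was found, "?" when it was not
    reasons: list = field(default_factory=list)


def parse_service_line(line):
    """Parse one service line; return None for lines that are not service entries."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    return ServiceEntry(
        running=m["state"] == "R",
        start_type=int(m["start"]),
        name=m["name"],
        display=m["display"],
        image=m["resolved"] or m["image"],
        file_info=m["info"],
    )


def triage(entry):
    """Attach review reasons to an entry; an empty list means nothing stood out."""
    basename = entry.image.rsplit("\\", 1)[-1]
    stem = basename.rsplit(".", 1)[0]
    if entry.file_info == "?":
        entry.reasons.append("image file not paired with a date/size ([?] marker)")
    if entry.start_type == 0 and basename.lower().endswith(".sys"):
        if entry.name.lower() != stem.lower():
            entry.reasons.append("boot-start driver whose service name differs from its file name")
        if entry.name == entry.display and entry.name.islower():
            entry.reasons.append("boot-start driver using a lowercase name as its own display name")
    return entry


def triage_log(text):
    """Parse and triage every service line in a block of ComboFix output."""
    entries = [parse_service_line(l) for l in text.splitlines() if l.strip()]
    return [triage(e) for e in entries if e is not None]


def suspicious(text):
    """Names of the service entries that collected at least one review reason."""
    return [e.name for e in triage_log(text) if e.reasons]


if __name__ == "__main__":
    for e in triage_log(SAMPLE_SERVICE_LINES):
        flag = "REVIEW" if e.reasons else "ok    "
        print(f"{flag} {e.name:<22} start={e.start_type} {e.image}")
        for r in e.reasons:
            print(f"       - {r}")
```

Run against the sample, only `kdstqa` collects reasons (all three of them), which is exactly the entry the helper singles out in the next post; the Symantec `EraserUtilRebootDrv` driver is not flagged because it is manual-start (S3/R3) and its file was found.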
Old 02-26-2009, 10:17 PM   #6
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Malware/Rootkit removal assistance request

Hi there

Just one file I would like more information about, I want you to scan it online for me.

We will need to unhide hidden files:
Open up your computer
From the Tools menu select Folder Options
Click on the View tab
Scroll down to where it says hidden files and folders
Place a check in the box entitled Show hidden files and folders
Remove the check mark next to Hide protected operating system files (recommended)
Click on Apply
Click on OK

Please go to: VirusTotal
  • In the middle of the page you'll find a "Browse" button.
  • Click the "Browse" button and browse to this file in RED:

    c:\windows\system32\drivers\kmeht.sys

  • Click "Open".
  • Then click the "Send File" button at the bottom of the VirusTotal page.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed, click Reanalyse file now.
  • Copy and then paste the results in your next reply.

Also update me on how things are running now
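Before uploading a suspect file to VirusTotal, the check a practitioner usually makes is to hash it locally and look the SHA-256 up first, which also confirms the file actually exists at the path the log named. The Python below is an added example of mine (not anything from VirusTotal, ComboFix or this thread): `fingerprint()` returns the size and MD5/SHA-1/SHA-256 of a file read in chunks, and returns `None` rather than raising when the path is absent, which is the outcome the next post reports for `kmeht.sys`. The demo file it creates is constructed input; the driver path is the one from the helper's post.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so large files need not fit in memory


def _digest(chunks):
    """Hash an iterable of byte chunks with MD5, SHA-1 and SHA-256, tracking total size."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    for chunk in chunks:
        size += len(chunk)
        for h in hashes.values():
            h.update(chunk)
    result = {name: h.hexdigest() for name, h in hashes.items()}
    result["size"] = size
    return result


def fingerprint_bytes(data):
    """Fingerprint an in-memory byte string (handy for tests and captured samples)."""
    return _digest([data])


def fingerprint(path):
    """Return the fingerprint of the file at `path`, or None if no such file is present.

    A missing file is a result worth reporting, not an error: it is what the poster
    below found when looking for kmeht.sys, and it means there is nothing to upload
    or to look up by hash.
    """
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return _digest(iter(lambda: fh.read(CHUNK), b""))


def fingerprint_report(paths):
    """Map each requested path to its fingerprint, or to None when the file is absent."""
    return {p: fingerprint(p) for p in paths}


def make_demo_file(content=b"hello"):
    """Create a throwaway file with constructed content and return its path (caller deletes it)."""
    with tempfile.NamedTemporaryFile(suffix=".sys", delete=False) as tmp:
        tmp.write(content)
        return tmp.name


if __name__ == "__main__":
    demo = make_demo_file()
    try:
        targets = [r"c:\windows\system32\drivers\kmeht.sys", demo]
        for p, fp in fingerprint_report(targets).items():
            if fp is None:
                print(f"{p}: not found (nothing to upload or look up)")
            else:
                print(f"{p}: {fp['size']} bytes, sha256={fp['sha256']}")
    finally:
        os.unlink(demo)
```

One caveat that matches what happens later in this thread: `os.path.isfile()` runs in user mode, so a driver that a kernel rootkit is hiding would also come back as "not found". A missing result therefore tells you the path is not visible, not that nothing was ever there; the log entry that pointed at it is still worth clearing up, as the helper did by checking how the system behaved afterwards.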
Old 02-26-2009, 10:25 PM   #7
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Windows XP Home SP3


Re: Malware/Rootkit removal assistance request

Even after showing hidden files/folders and showing system files, khemt.sys does not show in my system32\drivers folder, and search yields nothing as well. Other than that, everything has been running great. I can update via Windows Update, or their website, and can view websites that the trojan was preventing me from viewing, and additional scans yield no suspicious results whatsoever, so I'm hoping it's gone, and for good.
Old 02-27-2009, 11:31 AM   #8
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Malware/Rootkit removal assistance request

Hi Luke

All is looking good. Just Java to update...

Go to Start Menu > Control Panel (Classic View) > Java (looks like a coffee cup) > Update tab > Update Now. An update should begin; follow the prompts.

Let's tidy up after ourselves.

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u

Now that you appear to be free from malware, let's help you stay that way!

Update Windows on a regular basis - If you do not have automatic updates enabled then

Visit Microsoft's Update Page and update your computer from there.
Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here.

Make your Internet Explorer more secure - This can be done by following these simple instructions:

Open Internet Explorer, click on the Tools menu and then click on Options.
Click once on the Security tab.
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.

Change the Download signed ActiveX controls to Prompt.
Change the Download unsigned ActiveX controls to Disable.
Change the Initialise and script ActiveX controls not marked as safe to Disable.
Change the Installation of desktop items to Prompt.
Change the Launching programs and files in an IFRAME to Prompt.
Change the Navigate sub-frames across different domains to Prompt.
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.

Next press the Apply button and then the OK to exit the Internet Properties page.

Safer Browsing
Use software such as TrendProtect or SiteHound to help you stay away from unsuspecting sites that have malicious purposes.
Use SpywareBlaster to help prevent the installation of unwanted BHOs (Browser Helper Objects).

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include the Opera browser and, more recently, the Firefox browser.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy and Ad-Aware 2007 Free by Lavasoft can help you keep clear. These products are scan-on-demand and do not have active background scanning. These two products can be installed together without any complications.

Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) - Please note that this product can also be run free without a licence, but the background protection will not be active.

Secure your router
Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing the bandwidth which you have rightly paid for.

I have included some security-related articles that I advise you to read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeier

**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 02-27-2009, 11:33 AM   #9
Registered User
 
Join Date: Aug 2008
Posts: 10
OS: Windows XP Home SP3


Re: Malware/Rootkit removal assistance request

Thanks a ton for all the help and tips Steve, everything looks great on my end. You guys are doing an awesome thing here.
Old 03-01-2009, 01:35 AM   #10
Analyst, Security Team
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,273
OS: Windows 7 Premium x64


Re: Malware/Rootkit removal assistance request

Not a problem, only too glad to lend a hand.

I will now discontinue monitoring this thread for replies. Should you require any further assistance, please start a new topic in the relevant section of the forums.

Good luck and happy safe surfing!
 


Copyright 2001 - 2009, Tech Support Forum