Old 04-28-2009, 05:09 PM   #1 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


NTOSKRNL-HOOK Problem

Hi,

I was hoping to get some assistance with a Virus issue I've come across on my laptop at work.

I believe the problem started yesterday. While visiting hxxp://www.channelsurfing.net, McAfee threw an alert that an intrusion had been detected. Although the notification surfaced then, I'm not 100% certain that's the site that did it. I've visited that site in the past, seemingly without issue.

Although the computer appears to be working okay for the most part (still able to boot into normal mode and not crashing), there are some anomalies:

- When using IE, I'm unable to access secure internal sites on the first attempt...but refreshing the page brings everything up correctly.
- When clicking on links from a Google search, I'm frequently redirected back to Google.
- I've noticed instances of "autochk.dll" listed in the msconfig start-up.
- Malwarebytes' and Spybot - S&D are both reporting trojans found.
- Running scans (McAfee, Malwarebytes, and Spybot) in Safe Mode report things have been cleaned, but the same findings are present in subsequent scans. All products were updated to the most recent versions.
- There are some "questionable" files in the WINDOWS\Temp directory which can't be removed (msb.dll and nsrbgxod.bak). I also see WFV1.tmp, WGAErrLog.txt, and WGANotify.settings, but those may be legit.

I think that pretty much covers everything. I'll copy/attach the requested scan logs as well. Thanks in advance for any help you can provide...this is a great service you provide.

Steve

DDS (Ver_09-03-16.01) - NTFSx86
Run by snichols at 15:34:11.89 on Tue 04/28/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1496 [GMT -7:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\enstart.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\collector.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\LANDesk\LDClient\policy.client.invoker.exe
C:\PROGRA~1\LANDesk\LDClient\rcgui.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\WINDOWS\System32\TPHDEXLG.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
\\?\globalroot\systemroot\system32\rundll32.exe
C:\WINDOWS\system32\TpShocks.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
C:\Documents and Settings\snichols\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [McAfeeUpdaterUI] "c:\program files\network associates\common framework\udaterui.exe" /StartedFromRunKey
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [TpShocks] TpShocks.exe
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [ADUserMon] c:\program files\iomega\autodisk\ADUserMon.exe
mRun: [Iomega Drive Icons] c:\program files\iomega\driveicons\ImgIcon.exe
mRun: [Deskup] c:\program files\iomega\driveicons\deskup.exe /IMGSTART
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [autochk] rundll32.exe c:\windows\system32\autochk.dll,_IWMPEvents@16
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
dRun: [<NO NAME>] c:\windows\temp\hm3h8.exe
dRun: [Windows Resurections] c:\windows\temp\hm3h8.exe
dRun: [Diagnostic Manager] c:\windows\temp\1407433385.exe
StartupFolder: c:\documents and settings\snichols\start menu\programs\startup\ChkDisk.dll
StartupFolder: c:\docume~1\snichols\startm~1\programs\startup\chkdisk.lnk - c:\windows\system32\rundll32.exe
uPolicies-explorer: NoSMMyDocs = 01000000
uPolicies-explorer: NoSMMyPictures = 01000000
uPolicies-explorer: NoNetworkConnections = 01000000
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231460170968
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Notify: AtiExtEvent - Ati2evxx.dll
Notify: PCANotify - PCANotify.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\snichols\applic~1\mozilla\firefox\profiles\55plsh6l.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R0 Shockprf;Shockprf;c:\windows\system32\drivers\shockprf.sys [2006-8-3 85760]
R1 AW_HOST;AW_HOST;c:\windows\system32\drivers\AW_HOST5.sys [2003-10-23 16984]
R1 awlegacy;awlegacy;c:\windows\system32\drivers\AWLEGACY.sys [2003-4-21 10901]
R1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2009-1-27 56704]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2009-1-27 31848]
R1 ShockMgr;ShockMgr;c:\windows\system32\drivers\ShockMgr.sys [2006-8-3 4736]
R2 CBA8;LANDesk(R) Management Agent;c:\program files\landesk\shared files\residentAgent.exe [2008-6-2 155648]
R2 enstart;enstart;c:\windows\system32\enstart.exe [2009-1-27 786432]
R2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\landesk\ldclient\policy.client.invoker.exe [2009-2-23 118784]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\network associates\common framework\FrameworkService.exe [2008-3-14 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\Mcshield.exe [2009-1-27 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\VsTskMgr.exe [2009-1-27 54608]
R2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\landesk\ldclient\SoftMon.exe [2009-2-23 331776]
R3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\drivers\ldblank.sys [2006-10-16 11904]
R3 ldmirror;ldmirror;c:\windows\system32\drivers\ldmirror.sys [2006-10-16 3328]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-10-16 73512]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-10-16 34408]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-10-16 177864]
R3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\drivers\mirrorflt.sys [2006-10-16 3712]
R3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\drivers\nsctpm11.sys [2005-4-21 14336]
S2 qjsqdpimw;Center Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]
S4 awhost32;pcAnywhere Host Service;c:\program files\symantec\pcanywhere\awhost32.exe [2003-10-31 106496]
S4 Viewpoint Service;Viewpoint Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-3-31 30152]

=============== Created Last 30 ================

2009-04-28 14:55 61,440 a------- c:\windows\system32\drivers\fqsrbkc.sys
2009-04-28 14:40 61,440 a------- c:\windows\system32\drivers\nwzoq.sys
2009-04-28 14:06 24,064 a--sh--- c:\documents and settings\snichols\protect.dll
2009-04-28 14:06 24,064 -------- c:\windows\system32\autochk.dll
2009-04-27 17:11 29,696 a------- c:\windows\system32\loader49.exe
2009-03-31 12:12 <DIR> --d----- c:\program files\Viewpoint
2009-03-31 09:51 <DIR> --d----- c:\windows\system32\Adobe

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-09 03:19 1,846,272 a------- c:\windows\system32\win32k.sys

============= FINISH: 15:34:41.04 ===============
Attached Files
File Type: zip Attach.zip (4.0 KB, 1 views)
Stinger926 is offline  

Old 04-28-2009, 06:32 PM   #2 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: NTOSKRNL-HOOK Problem

Hi

Welcome to TSF

My name is Extremeboy (or EB for short), and I will be helping you with your log.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

If you do not make a reply in 5 days, we will need to close your topic.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Old topics are closed after 3-5 days with no reply, and working topics are closed after 5-7 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.


Install Recovery Console and Run ComboFix

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Post back with:
-Combofix log
-Description of any problem you still have


With Regards,
Extremeboy
extremeboy is offline  
Old 04-28-2009, 11:55 PM   #3 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

Thanks for the prompt reply EB. I do have an update since my original post. It seemed like the problem was actually getting worse, with more and more anomalies surfacing. I finally ran the Avira Rootkit detection program to get a better idea of what was going on. The application identified a hidden .sys file in the \windows\system32\drivers directory, along with a few other .dll and .dat files (of the same prefix name) in \windows\system32. After relocating the files, I searched the registry for the same prefix...that resulted in two hidden entries which were calling the aforementioned .sys file as a startup service. After exporting the keys to a safe location, I removed them. After rebooting, I ran Malwarebytes' and Spybot - S&D again. Malwarebytes' identified a couple trojans, but appeared to remove them successfully.

After all that, things seem to be back to normal. I'm no longer seeing the browser redirects to Google, and secure internal websites are once again accessible via IE. A re-run of Avira doesn't indicate any problems.

That being said, I'm still very interested in getting a formal all-clear. I'd hate to have something still sitting in the system which would allow this to resurface. To that end, given the troubleshooting steps I went through, would you still recommend I run ComboFix? If so, I'll continue on with your recommended steps.

Thanks again for your continued help and support.
Stinger926 is offline  
Old 04-29-2009, 11:11 AM   #4 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

Quick correction to my last post...I actually scanned with RootRepeal and not Avira. Sorry about that :-/ .
Stinger926 is offline  
Old 04-29-2009, 11:13 AM   #5 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: NTOSKRNL-HOOK Problem

Hello.

Yes, continue with Combofix please. I doubt everything was removed just simply via a registry script and an anti-rootkit tool.

Post the log once it's done.

Thanks. We'll make sure everything is clean and give you the "All-Clean" once we are done.

With Regards,
Extremeboy
extremeboy is offline  
Old 04-29-2009, 12:53 PM   #6 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

Sorry to be a pain, but I had one more question :-/ . As mentioned in my original post, this is on a work computer. As such, I'm blocked from completely disabling McAfee. ComboFix is picking up that McAfee is active (VirusScan Enterprise + AntiSpyware Enterprise)...is it okay to proceed with the scan despite this? I'd rather be safe than sorry at this point.

Thanks again.
Stinger926 is offline  
Old 04-29-2009, 01:40 PM   #7 (permalink)
Analyst, Security Team
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: NTOSKRNL-HOOK Problem

Hello.

Quote:
As such, I'm blocked from completely disabling McAfee.
Interesting...

Run this command for Combofix instead then...

Make sure Combofix.exe is on your DESKTOP and not anywhere else.
  • Click on your Start Menu, then Run, In the run box type:
    Code:
    "%userprofile%\desktop\combofix.exe" /killall
  • Combofix will now run
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

With Regards,
Extremeboy
extremeboy is offline  
Old 04-29-2009, 08:14 PM   #8 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

I'll include the log output below. I'll also note that Combofix indicated that I didn't have the Windows Recovery Console installed. Where my Internet connection had already been severed by the utility, I tried running the manual install as outlined at hxxp://www.bleepingcomputer.com/combofix/how-to-use-combofix#manual_recovery. However, Combofix still reported that the Console wasn't installed :-/ ...if there's anything more I should do to install that, just let me know. Anyway...on to the log output...

ComboFix 09-04-29.01 - snichols 04/29/2009 18:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1643 [GMT -7:00]
Running from: c:\documents and settings\snichols\desktop\combofix.exe
Command switches used :: /killall
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\MyWebEx
c:\windows\Downloaded Program Files\MyWebEx\419\atarm.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atas32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasanot.exe
c:\windows\Downloaded Program Files\MyWebEx\419\atasctrl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atasnt40.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atcarmcl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atdl2006.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atjpeg60.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atkbctl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atlchat.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atmemmgr.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atnetext.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atpack.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\attp.dll
c:\windows\Downloaded Program Files\MyWebEx\419\atwbxui6.dll
c:\windows\Downloaded Program Files\MyWebEx\419\h264dec.dll
c:\windows\Downloaded Program Files\MyWebEx\419\h264enc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mmssl32.dll
c:\windows\Downloaded Program Files\MyWebEx\419\msess.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mticket.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mutiltpd.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mvc.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwm.ini
c:\windows\Downloaded Program Files\MyWebEx\419\mwmcliun.exe
c:\windows\Downloaded Program Files\MyWebEx\419\mwmproxy.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\mwmupd.exe
c:\windows\Downloaded Program Files\MyWebEx\419\raurl.dll
c:\windows\Downloaded Program Files\MyWebEx\419\uilibres.dll
c:\windows\Downloaded Program Files\MyWebEx\419\wbxcrypt.dll
c:\windows\Downloaded Program Files\MyWebEx\419\webexmgr.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-29 16:27 . 2009-04-29 16:27 -------- d-----w C:\c9b9b3d705306535426c
2009-04-29 16:27 . 2009-04-29 17:02 -------- d-----w c:\windows\SxsCaPendDel
2009-04-29 01:35 . 2009-04-29 01:35 -------- d-----w c:\program files\Avira GmbH
2009-03-31 19:12 . 2009-03-31 19:12 -------- d-----w c:\program files\Viewpoint
2009-03-31 16:51 . 2009-03-31 16:51 -------- d-----w c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 02:35 . 2006-04-20 22:55 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-22 21:50 . 2008-08-11 19:10 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-07 16:51 . 2009-01-21 00:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 22:32 . 2009-01-21 00:58 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-01-21 00:58 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-20 16:28 . 2008-12-05 17:03 -------- d-----w c:\program files\CCleaner
2009-03-17 22:45 . 2006-10-20 19:46 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-10 00:27 . 2006-10-19 01:00 -------- d-----w c:\program files\SecureCRT 3.0
2009-03-06 14:44 . 2004-08-04 07:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-04 17:55 . 2007-06-15 18:09 -------- d-----w c:\program files\Pidgin
2009-02-20 08:30 . 2004-08-04 07:56 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:30 . 2004-08-04 07:56 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-04 07:56 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 07:56 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 07:56 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:20 . 2004-08-04 07:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:19 . 2004-08-03 23:17 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2004-08-03 23:20 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 07:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2002-08-29 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 07:56 55808 ----a-w c:\windows\system32\secur32.dll
2006-10-19 21:03 . 2006-10-19 21:03 60526 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-19 21:03 . 2006-10-19 21:03 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-19 21:03 . 2006-10-19 21:03 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2006-11-08 18:31 532480 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2006-11-08 18:31 532480 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2006-11-08 18:31 532480 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 136512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-06 3900936]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 18:01 8704 ----a-w c:\windows\system32\PCANotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R4 Viewpoint Service;Viewpoint Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2008-04-04 30152]
S0 Shockprf;Shockprf; [x]
S1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2009-01-27 56704]
S1 ShockMgr;ShockMgr; [x]
S2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [2008-06-02 155648]
S2 enstart;enstart;c:\windows\system32\enstart.exe [2009-01-27 786432]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [2008-03-11 118784]
S2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [2008-05-30 331776]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys [2005-08-01 11904]
S3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys [2005-08-03 3328]
S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys [2005-08-03 3712]
S3 TPM11;NSC Integrated Trusted Platform Module 1.1;c:\windows\system32\DRIVERS\nsctpm11.sys [2005-04-21 14336]

.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-Diagnostic Manager - c:\windows\TEMP\1407433385.exe


.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\snichols\Application Data\Mozilla\Firefox\Profiles\55plsh6l.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-29 19:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
@Denied: (2) (Administrators)
"Policy"=hex:00,00,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1324)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2552)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Perforce\p4exp.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\cba\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\progra~1\LANDesk\LDClient\rcgui.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\TPHDEXLG.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
.
**************************************************************************
.
Completion time: 2009-04-30 19:06 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-30 02:06

Pre-Run: 52,443,959,296 bytes free
Post-Run: 52,517,335,040 bytes free

216 --- E O F --- 2009-04-01 16:53
Stinger926 is offline  
Old 04-30-2009, 06:18 PM   #9 (permalink)
Analyst, Security Team
 
extremeboy's Avatar
 
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: NTOSKRNL-HOOK Problem

Hello again.

Regarding that IE problem, I have it too occasionally.

Regarding that "autochk.dll", yes it is a "bad" file and is related to the Trojan/Agent-IUK infection. The only thing is that it does not appear in the Combofix log. It may have been removed, but we'll make sure.

Please do the following.

Please delete Combofix.exe and re-download Combofix from one of those locations like last time, and save it to your desktop.

Now do the following.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    Code:
    RegLock::
    [HKEY_LOCAL_MACHINE\software\Microsoft\Driver Signing]
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000000
    "AntiVirusOverride"=dword:00000000
    "FirewallOverride"=dword:00000000
    Driver::
    Shockprf
    ShockMgr
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

After that is all done, please re-run DDS and post back with both logs.

Post back with:
-Combofix log
-MBAM log

Attach back with:
-New DDS log
-New Attach log

Thanks.

With Regards,
Extremeboy
extremeboy is offline  
Old 04-30-2009, 07:33 PM   #10 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

Hi EB,

Unfortunately, things have taken a significant turn for the worse. I ran through the following:

- Re-downloaded Combofix to my desktop.
- Copied and pasted text into CFScript.txt file.
- Dragged-and-dropped CFScript.txt onto Combofix.exe.
- Combofix started and indicated that the Windows Recovery Console wasn't installed. I clicked that it should be installed, and this time, everything appeared to work correctly (it downloaded the package from Microsoft and reported a successful install).
- Combofix started running through its Malware scan.
- Once scan was completed, Combofix reported that it needed to reboot the computer, which I let it do.

This is when the problems surfaced. The computer started to reboot, went to the XP loading screen (with the progress bar at the bottom), then immediately crashed to a bluescreen, then went back to the start-up window indicating that the previous start-up failed. I tried all Safe Mode options, but I can't get the computer to boot...it just goes into an endless loop of getting to the XP screen, then bluescreen, then back to start-up window.

For whatever it's worth, I did run full scans of MBAM, Spybot - S&D, and McAfee today (in Safe Mode, and normal boot mode), and everything came back clean...so I think things had been heading in the right direction.

Any help at this point is extremely appreciated.

Steve
Stinger926 is offline  
Old 04-30-2009, 07:50 PM   #11 (permalink)
Analyst, Security Team
 
extremeboy's Avatar
 
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: NTOSKRNL-HOOK Problem

Hello.

Okay, if the Recovery Console was installed, please do the following.

Boot into Recovery Console and Restore ERUNT backup

I suggest you print these instructions or save them somewhere so you can see them, or just make sure this computer is turned on when you perform the steps.
  • Turn on your machine and as soon as the BIOS is loaded begin tapping the F8 key.
  • Use your arrow keys to navigate and highlight Return to OS Choice Menu and Hit Enter.
  • You should get 2 choices one is Windows XP and the other is Recovery Console.
  • Again, use the arrow keys to select Microsoft's Recovery Console.
  • Hit Enter.
  • Once the Recovery Console is finished loading, please type in the number of the Windows installation you want to repair (usually 1), then press Enter.
  • Type in the Administrator password (leave blank if you are unsure what it is or if you do not have one) and press Enter.
  • At the C:\Windows prompt type without quotes "cd erdnt\subs" and hit Enter
  • At the next prompt, please type in the following without the quotes: "batch erdnt.con"
  • Hit Enter
  • The erunt backups will begin copying.
  • At the next prompt after it is complete, type the following without the quotes and press Enter: "exit"
Windows will reboot and should now begin loading.

Can you get your machine to start now, at least in Safe Mode?

With Regards,
Extremeboy
extremeboy is offline  
Old 04-30-2009, 07:59 PM   #12 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

I was going through the boot options and finally selected to boot from last known good configuration...that actually worked. After XP loaded, Combofix came back up to finish its run.

How should I proceed from here?

Steve
Stinger926 is offline  
Old 04-30-2009, 08:02 PM   #13 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

Figured I'd include the Combofix log results as well. BTW...thanks again for the quick reply...very much appreciated :-) .

ComboFix 09-04-30.05 - snichols 04/30/2009 18:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1580 [GMT -7:00]
Running from: c:\documents and settings\snichols\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\snichols\Desktop\CFScript.txt
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://eahq-wsus
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SHOCKMGR
-------\Service_ShockMgr
-------\Service_Shockprf


((((((((((((((((((((((((( Files Created from 2009-04-01 to 2009-05-01 )))))))))))))))))))))))))))))))
.

2009-04-29 16:27 . 2009-04-29 16:27 -------- d-----w C:\c9b9b3d705306535426c
2009-04-29 16:27 . 2009-04-29 17:02 -------- d-----w c:\windows\SxsCaPendDel
2009-04-29 01:35 . 2009-04-29 01:35 -------- d-----w c:\program files\Avira GmbH

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-29 02:35 . 2006-04-20 22:55 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-22 21:50 . 2008-08-11 19:10 -------- d-----w c:\program files\Microsoft Silverlight
2009-04-07 16:51 . 2009-01-21 00:58 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-06 22:32 . 2009-01-21 00:58 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 22:32 . 2009-01-21 00:58 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 19:12 . 2009-03-31 19:12 -------- d-----w c:\program files\Viewpoint
2009-03-20 16:28 . 2008-12-05 17:03 -------- d-----w c:\program files\CCleaner
2009-03-17 22:45 . 2006-10-20 19:46 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-14 03:30 . 2008-07-31 00:39 81736 ----a-w c:\windows\system32\lmdimon8.dll
2009-03-10 00:27 . 2006-10-19 01:00 -------- d-----w c:\program files\SecureCRT 3.0
2009-03-06 14:44 . 2004-08-04 07:56 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-04 17:55 . 2007-06-15 18:09 -------- d-----w c:\program files\Pidgin
2009-02-20 08:30 . 2004-08-04 07:56 659456 ----a-w c:\windows\system32\wininet.dll
2009-02-20 08:30 . 2004-08-04 07:56 81920 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-04 07:56 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 07:56 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 07:56 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:20 . 2004-08-04 07:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:19 . 2004-08-03 23:17 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2004-08-03 23:20 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 07:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2002-08-29 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 07:56 55808 ----a-w c:\windows\system32\secur32.dll
2006-10-19 21:03 . 2006-10-19 21:03 60526 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2006-10-19 21:03 . 2006-10-19 21:03 49256 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2006-10-19 21:03 . 2006-10-19 21:03 166000 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-04-30_02.01.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-07-31 00:39 . 2009-03-14 03:30 81240 c:\windows\system32\spool\prtprocs\w32x86\lmdippr8.dll
+ 2006-04-20 00:18 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
- 2006-04-20 00:18 . 2008-07-09 07:38 17272 c:\windows\system32\spmsg.dll
+ 2009-04-30 16:50 . 2009-03-14 03:30 30032 c:\windows\system32\DRVSTORE\RoundTable_F29D632BDCC1844B9B7688A0A4B4DA9E716B76FF\RTYUV.dll
+ 2009-04-30 16:50 . 2009-03-14 03:30 159048 c:\windows\system32\spool\drivers\w32x86\3\lmdiui8.dll
+ 2009-04-30 16:50 . 2009-03-14 03:31 983384 c:\windows\system32\spool\drivers\w32x86\3\lmdigraph8.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPCheckoutOverlay]
@="{80E008A4-EAE7-4867-AEB0-1A245F070F25}"
[HKEY_CLASSES_ROOT\CLSID\{80E008A4-EAE7-4867-AEB0-1A245F070F25}]
2006-11-08 18:31 532480 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPSyncdOverlay]
@="{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}"
[HKEY_CLASSES_ROOT\CLSID\{ADF262C1-E8FE-49BE-AD63-F77CD4A6CCD9}]
2006-11-08 18:31 532480 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\P4EXPUpdateOverlay]
@="{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}"
[HKEY_CLASSES_ROOT\CLSID\{C550CDA2-37D7-4838-A9D7-65ECB1EB5AB2}]
2006-11-08 18:31 532480 ----a-w c:\program files\Perforce\p4exp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\udaterui.exe" [2008-03-14 136512]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 126976]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 561152]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ADUserMon"="c:\program files\Iomega\AutoDisk\ADUserMon.exe" [2002-09-24 147456]
"Iomega Drive Icons"="c:\program files\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 86016]
"Deskup"="c:\program files\Iomega\DriveIcons\deskup.exe" [2002-07-16 32768]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-01-28 111952]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]
"Logitech Utility"="Logi_MwX.Exe" - c:\windows\LOGI_MWX.EXE [2003-12-17 19968]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Communicator"="c:\program files\Microsoft Office Communicator\Communicator.exe" [2007-12-06 3900936]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"= 01000000
"NoSMMyPictures"= 01000000
"NoNetworkConnections"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 18:01 8704 ----a-w c:\windows\system32\PCANotify.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office Communicator\\communicator.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\tmcsvc.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

S1 enstart_;enstart_;c:\windows\system32\enstart_.sys [2009-01-27 56704]
S2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [2008-06-02 155648]
S2 enstart;enstart;c:\windows\system32\enstart.exe [2009-01-27 786432]
S2 LANDesk Policy Invoker;LANDesk Policy Invoker;c:\program files\LANDesk\LDClient\policy.client.invoker.exe [2008-03-11 118784]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys [2005-08-01 11904]
S3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys [2005-08-03 3328]
S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys [2005-08-03 3712]

.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\snichols\Application Data\Mozilla\Firefox\Profiles\55plsh6l.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 18:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1320)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1488)
c:\program files\Logitech\MouseWare\System\LgWndHk.dll
c:\program files\Perforce\p4exp.dll
c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll
c:\program files\Iomega\DriveIcons\IMGHOOK.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\cba\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\collector.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\progra~1\LANDesk\LDClient\rcgui.exe
c:\program files\Network Associates\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Network Associates\Common Framework\naPrdMgr.exe
c:\program files\LANDesk\LDClient\SoftMon.exe
c:\windows\system32\TPHDEXLG.exe
c:\program files\Iomega\AutoDisk\ADService.exe
c:\program files\Network Associates\Common Framework\McTray.exe
c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE
.
**************************************************************************
.
Completion time: 2009-05-01 18:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-01 01:58
ComboFix2.txt 2009-04-30 02:06

Pre-Run: 52,114,325,504 bytes free
Post-Run: 52,076,683,264 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

193 --- E O F --- 2009-04-30 16:39
Stinger926 is offline  
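The ComboFix logs in this thread are read by hand, line by line: the analyst looks at the "Reg Loading Points" section for autorun entries that point somewhere odd (the orphan Run entry in c:\windows\TEMP earlier in the thread), at the Security Center values the CFScript resets, and at the firewall policy keys. The script below is an added example, not part of the thread and not ComboFix's own code, that applies those same checks mechanically to a log in this format. The sample log embedded in it is constructed to mirror the layout of the logs above; its paths, names and the 4444/TCP entry are invented and not taken from the poster's machine. The heuristics (autorun image under a TEMP directory or with an all-digit name, Security Center override values set to non-zero, EnableFirewall set to 0, a globally open port whose entry is Enabled) are my own triage rules, not ComboFix's detections.

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample in the ComboFix "Reg Loading Points" layout seen in this
# thread. Every path, value name and port here is invented for the example.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VendorTray"="c:\program files\Vendor\tray.exe" [2008-03-14 136512]
"Updater"="c:\windows\TEMP\8813270041.exe" [2009-04-28 56704]
"TpShocks"="TpShocks.exe" - c:\windows\system32\TpShocks.exe [2005-11-07 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"4444:TCP"= 4444:TCP:*:Enabled:constructed-example
"""

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
QUOTED_PATH_RE = re.compile(r'^"(?P<path>[^"]*)"')

# Security Center values the CFScript in this thread resets to 0; a non-zero
# value suppresses the "no antivirus / no firewall" warnings.
OVERRIDE_VALUES = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify"}

Entry = Tuple[str, str, str]  # (registry key, value name, raw value text)


def parse_reg_lines(text: str) -> List[Entry]:
    """Walk the log, remembering the current [key] and collecting "name"=value lines."""
    entries: List[Entry] = []
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append((key, m.group("name"), m.group("value").strip()))
    return entries


def image_path(value: str) -> str:
    """Recover the executable path from either ComboFix autorun layout:
    "name"="c:\\full\\path.exe" [date size]  or
    "name"="bare.exe" - c:\\resolved\\path.exe [date size]"""
    if " - " in value:
        resolved = value.split(" - ", 1)[1]
        return resolved.split(" [", 1)[0].strip()
    m = QUOTED_PATH_RE.match(value)
    return m.group("path") if m else value.split(" [", 1)[0].strip()


def triage(text: str) -> List[Dict[str, str]]:
    """Apply the triage heuristics and return one finding per rule hit."""
    findings: List[Dict[str, str]] = []

    def hit(rule: str, key: str, name: str, detail: str) -> None:
        findings.append({"rule": rule, "key": key, "name": name, "detail": detail})

    for key, name, value in parse_reg_lines(text):
        lk = key.lower()
        if lk.endswith("\\currentversion\\run"):
            path = image_path(value)
            if "\\temp\\" in path.lower():
                hit("autorun_from_temp", key, name, path)
            stem = ntpath.splitext(ntpath.basename(path))[0]
            if stem.isdigit():
                hit("autorun_numeric_name", key, name, path)
        elif lk.endswith("\\security center") and name.lower() in OVERRIDE_VALUES:
            if value.lower().startswith("dword:") and int(value[6:], 16) != 0:
                hit("security_center_override", key, name, value)
        elif lk.endswith("firewallpolicy\\standardprofile") and name == "EnableFirewall":
            if value.split()[0] == "0":
                hit("firewall_disabled", key, name, value)
        elif lk.endswith("globallyopenports\\list"):
            fields = value.split(":")
            if len(fields) >= 4 and fields[3].lower() == "enabled":
                hit("globally_open_port", key, name, value)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:26} {f['name']:20} {f['detail']}")
```

Run it against a real ComboFix.txt by replacing SAMPLE_LOG with the file contents; the rules only raise items for a human to look at, which is how the analyst in this thread treats the log too (the 3389/TCP entry, for example, is listed but Disabled, so it is not flagged).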
Old 04-30-2009, 08:21 PM   #14 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

Okay...panic mode over...everything seems to be okay now. I went ahead and ran the remainder of the recommended scans (MBAM and DDS). The MBAM log is pasted below, and the DDS logs are attached.

Again, I can't thank you enough for your continued help and support. This is an absolutely fantastic service that's provided...kudos to everyone involved.

Malwarebytes' Anti-Malware 1.36
Database version: 2062
Windows 5.1.2600 Service Pack 2

4/30/2009 7:14:15 PM
mbam-log-2009-04-30 (19-14-15).txt

Scan type: Quick Scan
Objects scanned: 81518
Time elapsed: 2 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Attached Files
File Type: zip Attach.zip (6.7 KB, 1 views)
Stinger926 is offline  
Old 04-30-2009, 08:36 PM   #15 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

Yet another update. Everything seemed to be fine...until I rebooted...then it went back into the splash screen / blue screen loop again. I ran through the Recovery Console steps you indicated, but no luck...I can't get in through normal boot mode, or safe mode. At this point, the only way the computer will boot is to load into "last known good configuration"...then everything loads up normally.

Steve
Stinger926 is offline  
Old 04-30-2009, 08:38 PM   #16 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

Sorry...one more update :-/ . On the last reboot, just before hitting the desktop, Windows reported that the c:\windows\system32\cf32720.exe file couldn't be found.

Steve
Stinger926 is offline  
Old 04-30-2009, 09:01 PM   #17 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

Alright...final update before I head out for the evening. After using the "last known good" configuration twice, I tried rebooting a couple more times. Now everything truly seems back to normal. Both restarts and cold boot-ups are working fine...and no more errors related to missing .exe's.

If you haven't tired of me already ;-) ... I'll await your next instructions, after digesting the information I've provided. Thanks for sticking with me through this.

Steve
Stinger926 is offline  
Old 05-01-2009, 12:17 PM   #18 (permalink)
Analyst, Security Team
 
extremeboy's Avatar
 
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: NTOSKRNL-HOOK Problem

Hello.

That was quite an adventure for you..

Glad it's working again.

Let's update your Java and run an online scan right now. Although BSODs are bad, they help diagnose information occasionally. Since you booted into LKGC and restored the registry, I wouldn't mind right now since everything was reverted back.

Update Java to Version 6 Update 13

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "Java Runtime Environment (JRE)" JRE 6 Update 13.
  • Click the Download button to the right.
  • Select your Platform: " Windows".
  • Select your Language: " Multi-language".
  • Read the License Agreement, and then check the box that says: " Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
*If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
** If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
*** The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Update Windows Installation

Your Microsoft Windows installation is out of date.
Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.

Go here to check for & install updates to Microsoft applications.

Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

Were there any problems while doing any of the updates? If there were any updates, please specify in your next reply.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires Java Runtime Environment (JRE) be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis.

Post back with:
-Kaspersky log
-A new set of DDS logs (attach included).

Thanks.

With Regards,
Extremeboy
extremeboy is offline  
Old 05-01-2009, 01:00 PM   #19 (permalink)
Registered User
 
Join Date: Apr 2009
Posts: 19
OS: Win XP Professional Version 2002 Service Pack 2


Re: NTOSKRNL-HOOK Problem

Yeah...it was a bit of a wild ride...glad it's seemingly over now ;-) .

I'm actually not going to be back in the office and in front of the computer until Monday. Hopefully we can keep the thread open until then, and I'll post the result information at that time.

Steve
Stinger926 is offline  
Old 05-01-2009, 01:28 PM   #20 (permalink)
Analyst, Security Team
 
extremeboy's Avatar
 
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: NTOSKRNL-HOOK Problem

Okay.

Thanks for letting me know then.

See you on Monday.

With regards,
Extremeboy
extremeboy is offline  
 


All times are GMT -7. The time now is 05:47 AM.



Copyright 2001 - 2009, Tech Support Forum