12 replies to this topic

[freaked]

I should note that I have been able to remove most of the infected files from my PC using MBAM and other manual means. Remaining now are only two components: 1 registry key and one infected file. These simply won't delete no matter what I try. Details are below. Thanks for your help.

As requested, I am posting the contents of the HiJackThis logfile and the MBAM logfile. The Hijack this log shows detection of the related undeletable registry key as a BHO item that points to a file called "catsrvu.dll". I was able to delete the target file using the XP Recovery Console. However, I have been unable to delete the referenced registry key shown in the Hijackthis log. The MBAM log shows detection of the other undeletable file "yvakqmkf.dat". Even using FileAssassin and XP Recovery Console, even in Safe Mode, that file remains.

Here is the full contents of the HIJACKTHIS.LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:57 AM, on 3/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -

C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} -

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D2A90FA5-3E05-4AAC-BED8-D167A0731151} -

C:\WINDOWS\system32\catsrvu.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} -

C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program

Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat

8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft

Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader

8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common

Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common

Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe"

clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare

software\bin\EasyShare.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program

Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat

8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program

Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} -

file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program

Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} -

file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program

Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} -

file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~1\version3.0\bin\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network

Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583}

- C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gamls.com
O15 - Trusted Zone: *.rexplorer.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) -

http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) -

http://support.rexpl...l//iftwclix.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) -

http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -

http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common

Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation -

C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program

Files\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program

Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. -

C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) -

Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA

Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec

AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec

AntiVirus\Rtvscan.exe

--
End of file - 10706 bytes

Now the full contents of the MBAM log:

Malwarebytes' Anti-Malware 1.35
Database version: 1911
Windows 5.1.2600 Service Pack 3

3/28/2009 9:49:28 PM
mbam-log-2009-03-28 (21-49-28).txt

Scan type: Quick Scan
Objects scanned: 46
Time elapsed: 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\lydia roper\local settings\temp\yvakqmkf.dat (Rootkit.Agent) -> Delete on reboot.

[miekiemoes]

Hi,

The current formatting of your log makes it difficult to read, so in notepad:
On top, click Format >uncheck Word Wrap

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

[freaked]

Reply to Miekiemoes: I have reposted the Hijackthis log and the MBAM log below, followed by the Combofix log with the Word Wrap turned off. Thanks for your help!!

Hijackthis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:57 AM, on 3/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D2A90FA5-3E05-4AAC-BED8-D167A0731151} - C:\WINDOWS\system32\catsrvu.dll (file missing)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\version3.0\bin\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gamls.com
O15 - Trusted Zone: *.rexplorer.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexpl...l//iftwclix.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.com/content/DriverDownlo...iaSmartScan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O23 - Service: ArcSoft Connect Daemon (ACDaemon) - ArcSoft Inc. - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10706 bytes

MBAM log:
Malwarebytes' Anti-Malware 1.35
Database version: 1911
Windows 5.1.2600 Service Pack 3

3/28/2009 9:49:28 PM
mbam-log-2009-03-28 (21-49-28).txt

Scan type: Quick Scan
Objects scanned: 46
Time elapsed: 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\lydia roper\local settings\temp\yvakqmkf.dat (Rootkit.Agent) -> Delete on reboot.


Here is the contents of the Combofix log:
ComboFix 09-03-28.02 - Lydia Roper 2009-03-28 22:16:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1473 [GMT -4:00]
Running from: c:\documents and settings\Lydia Roper\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

F:\autorun.inf
f:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213
f:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\autorun.exe
f:\recycler\S-1-6-21-2434476501-1644491937-600003330-1213\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-28 22:14 . 2009-03-28 22:14 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-03-28 18:58 . 2009-03-28 22:18 3,398 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-03-28 18:54 . 2009-03-28 22:13 2,148 --a------ c:\windows\system32\wpa.dbl
2009-03-28 18:50 . 2009-03-28 18:52 <DIR> d-------- c:\windows\system32\HOLD
2009-03-28 18:13 . 2009-03-28 18:16 <DIR> d-------- c:\program files\Diskeeper
2009-03-28 18:13 . 2009-03-28 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-03-28 02:03 . 2009-03-28 02:03 <DIR> d-------- c:\documents and settings\Lydia Roper\Application Data\Apple Computer
2009-03-26 20:02 . 2009-03-26 20:02 <DIR> d-------- c:\documents and settings\RRoper\Application Data\Skinux
2009-03-26 20:02 . 2009-03-26 20:02 <DIR> d-------- c:\documents and settings\RRoper\Application Data\ArcSoft
2009-03-26 20:01 . 2009-03-26 20:01 <DIR> d-------- c:\documents and settings\RRoper

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 02:15 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-28 22:11 --------- d-----w c:\documents and settings\All Users\Application Data\RoboForm
2009-03-28 19:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-03-28 18:42 --------- d-----w c:\program files\Siber Systems
2009-03-26 20:49 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-26 20:49 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-09 20:26 --------- d-----w c:\program files\LimeWire
2009-03-09 20:25 --------- d-----w c:\program files\Lavasoft
2009-03-09 15:32 --------- d-----w c:\documents and settings\Lydia Roper\Application Data\LimeWire
2009-02-23 22:45 --------- d-----w c:\documents and settings\Lydia Roper\Application Data\Move Networks
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 15:14 --------- d-----w c:\program files\Registry Clean Expert
2009-02-06 14:24 --------- d-----w c:\documents and settings\Lydia Roper\Application Data\Malwarebytes
2009-02-06 14:24 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-06 14:12 --------- d-----w c:\documents and settings\Lydia Roper\Application Data\Business Logic
2008-12-29 16:51 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-05-24 16:23 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052420080525\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-20 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-23 8478720]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-23 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"nwiz"="nwiz.exe" [2007-08-23 c:\windows\system32\nwiz.exe]

c:\documents and settings\Lydia Roper\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-04-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19540:UDP"= 19540:UDP:SXUPTP

R0 dgigxzab;dgigxzab;c:\windows\system32\drivers\dgigxzab.sys [2004-08-04 23424]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-27 101936]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2008-05-24 81832]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.20.1.sxt _RegistrationOffer@16 []

2009-03-28 c:\windows\Tasks\User_Feed_Synchronization-{5DD6C2A6-4DA1-445A-AFC5-7D1C4850D0EF}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D2A90FA5-3E05-4AAC-BED8-D167A0731151} - c:\windows\system32\catsrvu.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
HKCU-Run-Windows Generic Process Host - rundll77.exe
HKCU-RunServices-Windows Generic Process Host - rundll77.exe
HKLM-Run-Windows Generic Process Host - rundll77.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: gamls.com
Trusted Zone: rexplorer.net
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-28 22:19:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-28 22:20:21
ComboFix-quarantined-files.txt 2009-03-29 02:20:18

Pre-Run: 127,222,489,088 bytes free
Post-Run: 127,420,489,728 bytes free

134 --- E O F --- 2009-03-21 03:32:07

[miekiemoes]

Hi,

Your HijackThislog doesn't make sense since it's the one from before running Combofix.

Anyway, did you set these in HijackThis? (added to the trusted zone):

O15 - Trusted Zone: *.gamls.com
O15 - Trusted Zone: *.rexplorer.net

If not, check above entries in HijackThis and click the Fix checked button.

Then, * Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

Quote

File::
c:\windows\system32\drivers\dgigxzab.sys
Driver::
dgigxzab

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

[freaked]

Thanks, Miekiemoes! I followed your instructions and the "yvakqmkf.dat" file was deleted. Also, I was finally able to delete the registry key referencing "catsrvu.dll". Everything is now back to normal and I cannot thank you enough! Since you asked for it, I have posted the text from the new Combofix log that you requested:

ComboFix 09-03-29.04 - Lydia Roper 2009-03-30 10:15:43.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1457 [GMT -4:00]
Running from: c:\documents and settings\Lydia Roper\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Lydia Roper\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\dgigxzab.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\dgigxzab.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DGIGXZAB
-------\Service_dgigxzab


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 11:50 . 2009-03-29 11:50 <DIR> d-------- c:\program files\Trend Micro
2009-03-28 23:57 . 2009-03-28 23:59 <DIR> d-------- c:\windows\$regcmp$
2009-03-28 23:33 . 2009-03-28 23:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-28 23:32 . 2009-03-28 23:42 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-28 23:32 . 2009-03-28 23:42 <DIR> d-------- c:\documents and settings\Lydia Roper\Application Data\SUPERAntiSpyware.com
2009-03-28 18:58 . 2009-03-30 10:15 3,398 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-03-28 18:54 . 2009-03-30 10:19 2,148 --a------ c:\windows\system32\wpa.dbl
2009-03-28 18:50 . 2009-03-28 18:52 <DIR> d-------- c:\windows\system32\HOLD
2009-03-28 18:13 . 2009-03-28 18:16 <DIR> d-------- c:\program files\Diskeeper
2009-03-28 18:13 . 2009-03-28 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-03-28 02:03 . 2009-03-28 02:03 <DIR> d-------- c:\documents and settings\Lydia Roper\Application Data\Apple Computer
2009-03-26 20:02 . 2009-03-26 20:02 <DIR> d-------- c:\documents and settings\RRoper\Application Data\Skinux
2009-03-26 20:02 . 2009-03-26 20:02 <DIR> d-------- c:\documents and settings\RRoper\Application Data\ArcSoft
2009-03-26 20:01 . 2009-03-26 20:01 <DIR> d-------- c:\documents and settings\RRoper
2009-02-06 11:14 . 2009-02-06 11:14 <DIR> d-------- c:\program files\Registry Clean Expert
2009-02-06 10:24 . 2009-03-28 15:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-06 10:24 . 2009-02-06 10:24 <DIR> d-------- c:\documents and settings\Lydia Roper\Application Data\Malwarebytes
2009-02-06 10:24 . 2009-02-06 10:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-06 10:24 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-06 10:24 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-06 10:12 . 2009-02-06 10:12 <DIR> d-------- c:\documents and settings\Lydia Roper\Application Data\Business Logic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 14:20 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-30 14:15 23,424 ----a-w c:\windows\system32\drivers\zdtmjvqi.sys
2009-03-28 22:11 --------- d-----w c:\documents and settings\All Users\Application Data\RoboForm
2009-03-28 18:42 --------- d-----w c:\program files\Siber Systems
2009-03-09 20:26 --------- d-----w c:\program files\LimeWire
2009-03-09 20:25 --------- d-----w c:\program files\Lavasoft
2009-03-09 15:32 --------- d-----w c:\documents and settings\Lydia Roper\Application Data\LimeWire
2009-02-23 22:45 --------- d-----w c:\documents and settings\Lydia Roper\Application Data\Move Networks
2008-05-24 16:23 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052420080525\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-28_22.19.42.28 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-02-06 15:19:35 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-03-29 03:22:45 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2009-02-06 15:19:35 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2009-03-29 03:22:45 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2009-02-06 15:19:35 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2009-03-29 03:22:45 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
- 2009-02-06 15:19:35 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-03-29 03:22:45 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2009-02-06 15:19:35 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2009-03-29 03:22:45 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2009-02-06 15:19:35 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2009-03-29 03:22:45 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2009-02-06 15:19:35 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-03-29 03:22:45 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2009-02-06 15:19:35 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2009-03-29 03:22:45 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2009-02-06 15:19:35 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2009-03-29 03:22:45 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2009-02-06 15:19:35 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2009-03-29 03:22:45 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2009-02-06 15:19:35 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2009-03-29 03:22:45 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2009-02-06 15:19:35 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2009-03-29 03:22:45 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2009-02-06 15:19:34 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-03-29 03:22:45 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2009-03-30 14:19:33 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_34c.dat
+ 2009-03-30 14:19:20 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_430.dat
+ 2009-03-30 14:19:27 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_4f8.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D2A90FA5-3E05-4AAC-BED8-D167A0731151}]
c:\windows\system32\catsrvu.dll [BU]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-20 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-23 8478720]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-23 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"nwiz"="nwiz.exe" [2007-08-23 c:\windows\system32\nwiz.exe]

c:\documents and settings\Lydia Roper\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-04-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19540:UDP"= 19540:UDP:SXUPTP

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-27 101936]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2008-05-24 81832]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - DGIGXZAB

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.20.1.sxt _RegistrationOffer@16 []

2009-03-29 c:\windows\Tasks\User_Feed_Synchronization-{5DD6C2A6-4DA1-445A-AFC5-7D1C4850D0EF}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: gamls.com
Trusted Zone: rexplorer.net
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 10:19:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Synaptics\SynTP\SynTPEnh.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-03-30 10:22:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-30 14:22:09
ComboFix2.txt 2009-03-29 02:54:46
ComboFix3.txt 2009-03-29 02:20:22

Pre-Run: 127,312,310,272 bytes free
Post-Run: 127,259,131,904 bytes free

195 --- E O F --- 2009-03-21 03:32:07

[miekiemoes]

Hi,

Can you run Malwarebytes again and post the latest log? Because something doesn't make sense here, even though everything appears to be resolved.
Also, after running MalwareBytes, rescan with Combofix again and post the latest log as well.

[freaked]

OK, here is the MBAM Log:
Malwarebytes' Anti-Malware 1.35
Database version: 1917
Windows 5.1.2600 Service Pack 3

3/30/2009 11:15:07 AM
mbam-log-2009-03-30 (11-15-07).txt

Scan type: Quick Scan
Objects scanned: 75648
Time elapsed: 2 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Next, the Combofix log:

ComboFix 09-03-29.04 - Lydia Roper 2009-03-30 11:16:10.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1983.1444 [GMT -4:00]
Running from: c:\documents and settings\Lydia Roper\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-29 11:50 . 2009-03-29 11:50 <DIR> d-------- c:\program files\Trend Micro
2009-03-28 23:57 . 2009-03-28 23:59 <DIR> d-------- c:\windows\$regcmp$
2009-03-28 23:33 . 2009-03-28 23:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-03-28 23:32 . 2009-03-28 23:42 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-03-28 23:32 . 2009-03-28 23:42 <DIR> d-------- c:\documents and settings\Lydia Roper\Application Data\SUPERAntiSpyware.com
2009-03-28 18:58 . 2009-03-30 11:15 3,398 --a------ c:\windows\system32\PerfStringBackup.TMP
2009-03-28 18:54 . 2009-03-30 11:11 2,148 --a------ c:\windows\system32\wpa.dbl
2009-03-28 18:50 . 2009-03-28 18:52 <DIR> d-------- c:\windows\system32\HOLD
2009-03-28 18:13 . 2009-03-28 18:16 <DIR> d-------- c:\program files\Diskeeper
2009-03-28 18:13 . 2009-03-28 18:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Diskeeper Corporation
2009-03-28 02:03 . 2009-03-28 02:03 <DIR> d-------- c:\documents and settings\Lydia Roper\Application Data\Apple Computer
2009-03-26 20:02 . 2009-03-26 20:02 <DIR> d-------- c:\documents and settings\RRoper\Application Data\Skinux
2009-03-26 20:02 . 2009-03-26 20:02 <DIR> d-------- c:\documents and settings\RRoper\Application Data\ArcSoft
2009-03-26 20:01 . 2009-03-26 20:01 <DIR> d-------- c:\documents and settings\RRoper
2009-02-06 11:14 . 2009-02-06 11:14 <DIR> d-------- c:\program files\Registry Clean Expert
2009-02-06 10:24 . 2009-03-28 15:44 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-06 10:24 . 2009-02-06 10:24 <DIR> d-------- c:\documents and settings\Lydia Roper\Application Data\Malwarebytes
2009-02-06 10:24 . 2009-02-06 10:24 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-06 10:24 . 2009-03-26 16:49 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-06 10:24 . 2009-03-26 16:49 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-06 10:12 . 2009-02-06 10:12 <DIR> d-------- c:\documents and settings\Lydia Roper\Application Data\Business Logic

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-30 15:11 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-30 14:15 23,424 ----a-w c:\windows\system32\drivers\zdtmjvqi.sys
2009-03-28 22:11 --------- d-----w c:\documents and settings\All Users\Application Data\RoboForm
2009-03-28 18:42 --------- d-----w c:\program files\Siber Systems
2009-03-09 20:26 --------- d-----w c:\program files\LimeWire
2009-03-09 20:25 --------- d-----w c:\program files\Lavasoft
2009-03-09 15:32 --------- d-----w c:\documents and settings\Lydia Roper\Application Data\LimeWire
2009-02-23 22:45 --------- d-----w c:\documents and settings\Lydia Roper\Application Data\Move Networks
2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
2008-12-29 16:51 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll
2008-05-24 16:23 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008052420080525\index.dat
.

((((((((((((((((((((((((((((( SnapShot_2009-03-30_10.21.38.60 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-30 15:11:10 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_1e0.dat
+ 2009-03-30 15:11:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_670.dat
+ 2009-03-30 15:10:58 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_740.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-08-23 455968]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-20 81920]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-14 102400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-08-23 8478720]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-08-23 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-10-04 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-11-15 85744]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-29 136600]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-11-20 178688]
"nwiz"="nwiz.exe" [2007-08-23 c:\windows\system32\nwiz.exe]

c:\documents and settings\Lydia Roper\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-04-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Kodak EasyShare software.lnk - c:\program files\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19540:UDP"= 19540:UDP:SXUPTP

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-27 101936]
R3 sxuptp;SXUPTP Driver;c:\windows\system32\drivers\sxuptp.sys [2008-05-24 81832]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-11-15 169200]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-02-08 c:\windows\Tasks\EasyShare Registration Task.job
- c:\docume~1\ALLUSE~1\APPLIC~1\Kodak\EasyShareSetup\$REGIS~1\Registration_7.9.20.1.sxt _RegistrationOffer@16 []

2009-03-29 c:\windows\Tasks\User_Feed_Synchronization-{5DD6C2A6-4DA1-445A-AFC5-7D1C4850D0EF}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 18:36]
.
- - - - ORPHANS REMOVED - - - -

BHO-{D2A90FA5-3E05-4AAC-BED8-D167A0731151} - (no file)


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.yahoo.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 11:17:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-30 11:18:26
ComboFix-quarantined-files.txt 2009-03-30 15:18:23
ComboFix2.txt 2009-03-30 14:22:12
ComboFix3.txt 2009-03-29 02:54:46
ComboFix4.txt 2009-03-29 02:20:22

Pre-Run: 127,263,227,904 bytes free
Post-Run: 127,251,771,392 bytes free

137 --- E O F --- 2009-03-21 03:32:07

[miekiemoes]

Hi,

Malwarebytes should normally delete a file that is still present here. It doesnt look to be active, so that's why it's strange that MBAM doesn't detect it. That's why I need a sample first:

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to it and browse to next file:

c:\windows\system32\drivers\zdtmjvqi.sys

Select it and click ok:
Then click the Send File button below.

Let me know in this thread once you've uploaded the file.

[freaked]

Ok, Miekiemoes, the file you requested has been uploaded to the location you provided.

[miekiemoes]

Thank you for the file.

Please delete that file now: c:\windows\system32\drivers\zdtmjvqi.sys
Then, * Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.

[freaked]

All of your instructions have been completed. The file was deleted and ComboFix is uninstalled. Everything appears fine with the PC now!

Was this a new malware or variant as I thought? If it is known, what is its name?

Again, many thanks for your help in resolving this problem! -Freaked

[miekiemoes]

Yes, a new variant - family of the "Sentinel Rootkit"

Glad I could help.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

[miekiemoes]

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.