9 replies to this topic

[True North]

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/07/30 10:13
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: ABP480N5.SYS
Image Path: ABP480N5.SYS
Address: 0xF774F000 Size: 23552 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: adpu160m.sys
Image Path: adpu160m.sys
Address: 0xBAF47000 Size: 101888 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: aic78xx.sys
Image Path: aic78xx.sys
Address: 0xF7647000 Size: 56960 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: amsint.sys
Image Path: amsint.sys
Address: 0xF78B7000 Size: 12032 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: asc.sys
Image Path: asc.sys
Address: 0xF771F000 Size: 26496 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: atapi.sys
Image Path: atapi.sys
Address: 0xF7464000 Size: 96512 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: cbidf2k.sys
Image Path: cbidf2k.sys
Address: 0xF78C3000 Size: 13952 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dac2w2k.sys
Image Path: dac2w2k.sys
Address: 0xBAF1B000 Size: 179584 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dac960nt.sys
Image Path: dac960nt.sys
Address: 0xF78B3000 Size: 14720 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dpti2o.sys
Image Path: dpti2o.sys
Address: 0xF775F000 Size: 20192 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xBA5C7000 Size: 786432 File Visible: No Signed: -
Status: -

Name: ini910u.sys
Image Path: ini910u.sys
Address: 0xF78BF000 Size: 16000 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: mraid35x.sys
Image Path: mraid35x.sys
Address: 0xF7727000 Size: 17280 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: ql1080.sys
Image Path: ql1080.sys
Address: 0xF7697000 Size: 40320 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: ql12160.sys
Image Path: ql12160.sys
Address: 0xF76B7000 Size: 45312 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA8E2000 Size: 49152 File Visible: No Signed: -
Status: -

Name: sparrow.sys
Image Path: sparrow.sys
Address: 0xF7717000 Size: 19072 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: sym_hi.sys
Image Path: sym_hi.sys
Address: 0xF773F000 Size: 28384 File Visible: - Signed: -
Status: Hidden from the Windows API!

Name: ultra.sys
Image Path: ultra.sys
Address: 0xF7687000 Size: 36736 File Visible: - Signed: -
Status: Hidden from the Windows API!

==EOF==

[True North]

This is an issue i am experiencing with a remote computer I have been able to finally get into it to get a MBAM Log as well as a HJT Log

MBAM
Malwarebytes' Anti-Malware 1.39
Database version: 2530
Windows 5.1.2600 Service Pack 3

7/30/2009 1:49:17 PM
mbam-log-2009-07-30 (13-49-10).txt

Scan type: Quick Scan
Objects scanned: 97081
Time elapsed: 23 minute(s), 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> No action taken.


-----------------------------------------------------------
HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:17:23 PM, on 7/30/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\Program Files\MSN\Toolbar\3.0.0983.0\mstbsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\DOCUME~1\Kbennett\LOCALS~1\Temp\winvnc4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\ktemp\KRlyCLis.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wmur.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\PROGRA~1\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [lenemewino] Rundll32.exe "C:\WINDOWS\system32\kabifoti.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [lenemewino] Rundll32.exe "C:\WINDOWS\system32\kabifoti.dll",s (User '?')
O4 - HKUS\S-1-5-21-1606980848-839522115-725345543-1130\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20CE7BA6-1131-433A-8751-4BC7A1A41845} (MyPhotoAlbum Upload Tool Combo Control) - http://kcarmichael1.myphotoalbum.com/MyPho...asyUploader.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - https://sc.securewor...c/kaxRemote.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jcn.com
O17 - HKLM\Software\..\Telephony: DomainName = jcn.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jcn.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jcn.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = jcn.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DataSvr - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SecureWorkplace (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\DOCUME~1\Kbennett\LOCALS~1\Temp\winvnc4.exe

--
End of file - 11957 bytes

[True North]

Its been a couple of days since I first posted when i run malwarebytes it includes str.sys in it files to remove section and i let malwarebytes remove it but upon a restart i do another quick scan and the file reappears.

[Fatdcuk]

Hi True North and welcome to the MBAM forums,

Excuse the delay in attention but we have a massive workload(over 4days backlog at the mo) and can only deal with when we get to them first come,first served basis.

If someone bumps there own post it easy for it to be overlooked as at casual glance at the HJT forums that your session was already being attended too by the number of replies to your topic.

Your Rootrepeal log is only for the Drivers scan and i will need a more complete report to identify the underlying rootkit that is present.

Download the most recent Rootrepeal>>>
http://rootrepeal.googlepages.com/

Extract the file and run rootrepeal.exe

Click on report tab on the bottom right of the software then press scan

Put at check(Tick) in all box's except the 2 SSDT option's then press OK

Place a check(Tick) in drive to be scanned(Usually you will only have to select C).

Please save the logfile generated and copy and paste the contents of that log into your next reply.

Thanks in advance

[True North]

Thanks Fatdcuk,

Here is the root repeal scan with everything checked except SSDT

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/05 17:13
Program Version: Version 1.3.3.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: 0000087F
Image Path: 0000087F
Address: 0x896F7000 Size: 41214 File Visible: No Signed: -
Status: -

Name: 0000087F
Image Path: 0000087F
Address: 0xA37A9000 Size: 73216 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: dump_iaStor.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_iaStor.sys
Address: 0xA592C000 Size: 786432 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xA274B000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\doitjnthfqy.sys
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\str.sys
Status: Invisible to the Windows API!

Hidden Services
-------------------
Service Name: lywnfsqgwgl
Image Path: C:\WINDOWS\system32\drivers\doitjnthfqy.sys

==EOF==

[Fatdcuk]

Out pop the culprit

Please rerun Rootrepeal file scan only.

Highlight the following line then right click on it and select *wipe* file then immediately reboot.
Path: C:\WINDOWS\system32\drivers\doitjnthfqy.sys
Status: Invisible to the Windows API!

Please update and run MBAM quick scan and allow it to delete what it finds then reboot once again.

Rerun MBAM to confirm but the file should no longer be detected as the rootkit has been killed.

HJT is showing clear of infections but i would like 1 more log just to check all is well.

STEP 01
[indent]Please visit this webpage for instructions for downloading ComboFix to your DESKTOP : how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.
NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.
Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program

Additional links to download the tool:
ComboFix.exe
ComboFix.exe


Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

• Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
• Click Yes to allow ComboFix to continue scanning for malware.
  
• When the tool is finished, it will produce a report for you.
  
• Please copy and paste the contents of C:\ComboFix.txt in your next reply

[/indent]

Thanks in advance

[True North]

Here are thlogs of everything i ran in order.



First MBAM Scan After Wipe/Restart Action action With Root Repeal

Malwarebytes' Anti-Malware 1.40
Database version: 2568
Windows 5.1.2600 Service Pack 3

8/6/2009 9:21:04 AM
mbam-log-2009-08-06 (09-21-04).txt

Scan type: Quick Scan
Objects scanned: 115606
Time elapsed: 4 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\doitjnthfqy.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.


================================================================================
======================
Second MBAM Scan After Removal of str.sys and doitjnthfqy.sys


Malwarebytes' Anti-Malware 1.40
Database version: 2568
Windows 5.1.2600 Service Pack 3

8/6/2009 9:31:06 AM
mbam-log-2009-08-06 (09-31-06).txt

Scan type: Quick Scan
Objects scanned: 115650
Time elapsed: 4 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

================================================================================
===========

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:31:50 AM, on 8/6/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kaseya\Agent\AgentMon.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\Program Files\MSN\Toolbar\3.0.0983.0\mstbsvc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\UPS\WSTD\UPSNA1Msgr.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Kaseya\Agent\KaUsrTsk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\UPS\WSTD\WSTDMessaging.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\DOCUME~1\Kbennett\LOCALS~1\Temp\winvnc4.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
c:\ktemp\KRlyCLis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wmur.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [PeachtreePrefetcher.exe] "C:\PROGRA~1\PEACHT~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
O4 - HKLM\..\Run: [NA1Messenger] C:\UPS\WSTD\UPSNA1Msgr.exe
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Kaseya Agent Service Helper] "C:\Program Files\Kaseya\Agent\KaUsrTsk.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [lenemewino] Rundll32.exe "C:\WINDOWS\system32\kabifoti.dll",s (User '?')
O4 - HKUS\S-1-5-20\..\Run: [lenemewino] Rundll32.exe "C:\WINDOWS\system32\kabifoti.dll",s (User '?')
O4 - HKUS\S-1-5-21-1606980848-839522115-725345543-1130\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - Global Startup: UPS WorldShip Messaging Utility.lnk = C:\UPS\WSTD\WSTDMessaging.exe
O4 - Global Startup: UPS WorldShip PLD Reminder Utility.lnk = C:\UPS\WSTD\wstdPldReminder.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {20CE7BA6-1131-433A-8751-4BC7A1A41845} (MyPhotoAlbum Upload Tool Combo Control) - http://kcarmichael1.myphotoalbum.com/MyPho...asyUploader.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2....re/HPDEXAXO.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD LT 2002\AcDcToday.ocx
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWire...loadControl.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/c.../cpcScanner.cab
O16 - DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} (DDRevision Class) - http://h20264.www2.hp.com/ediags/dd/instal...nosticsxp2k.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - https://sc.securewor...c/kaxRemote.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD LT 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD LT 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD LT 2002\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = jcn.com
O17 - HKLM\Software\..\Telephony: DomainName = jcn.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = jcn.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = jcn.com
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DataSvr - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Common\DataServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iTechnology iGateway 4.2 (iGateway) - CA, Inc. - C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
O23 - Service: eTrust ITM RPC Service (InoRPC) - CA - C:\Program Files\CA\eTrustITM\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Service (InoRT) - CA - C:\Program Files\CA\eTrustITM\InoRT.exe
O23 - Service: eTrust ITM Job Service (InoTask) - CA - C:\Program Files\CA\eTrustITM\InoTask.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SecureWorkplace (KaseyaAgent) - Kaseya - C:\Program Files\Kaseya\Agent\AgentMon.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Pervasive PSQL Workgroup Engine (psqlWGE) - Pervasive Software Inc. - C:\Program Files\Pervasive Software\PSQL\bin\w3dbsmgr.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: NTRU Hybrid TSS v1.05 TCSD (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\DOCUME~1\Kbennett\LOCALS~1\Temp\winvnc4.exe

--
End of file - 11889 bytes

================================================================================
====================================

And Finally the Combo Fix Log

ComboFix 09-08-04.04 - kbennett 08/06/2009 9:39.1.2 - NTFSx86
Running from: c:\documents and settings\Kbennett\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Internet Explorer\msimg32.dll
c:\recycler\S-1-5-21-1268040478-1514594852-1095485430-500
c:\windows\system32\Drivers\xjydiu.sys
D:\Autorun.inf

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((( Files Created from 2009-07-06 to 2009-08-06 )))))))))))))))))))))))))))))))
.

2009-08-06 13:41 . 2008-04-14 09:42 50176 -c--a-w- c:\windows\system32\dllcache\proquota.exe
2009-08-06 13:41 . 2008-04-14 09:42 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-30 17:17 . 2009-07-30 17:17 -------- d-----w- c:\program files\Trend Micro
2009-07-30 14:12 . 2009-07-30 14:12 0 ----a-w- c:\documents and settings\Kbennett\settings.dat
2009-07-20 19:54 . 2009-07-20 19:54 -------- d-----w- c:\documents and settings\Kbennett\Local Settings\Application Data\PCHealth
2009-07-15 17:46 . 2009-06-16 14:36 81920 -c----w- c:\windows\system32\dllcache\fontsub.dll
2009-07-15 17:46 . 2009-06-16 14:36 119808 -c----w- c:\windows\system32\dllcache\t2embed.dll
2009-07-15 12:39 . 2009-08-05 19:48 3942048 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-07-14 16:54 . 2009-07-14 16:54 19613 ----a-w- c:\program files\Common Files\imite.reg
2009-07-14 16:54 . 2009-07-14 16:54 18747 ----a-w- c:\windows\system32\ysuza.exe
2009-07-14 16:54 . 2009-07-14 16:54 17237 ----a-w- c:\windows\system32\zomib.sys
2009-07-14 16:54 . 2009-07-14 16:54 16110 ----a-w- c:\program files\Common Files\yzawez.bat
2009-07-14 16:54 . 2009-07-14 16:54 12177 ----a-w- c:\windows\system32\numuheluk.dat
2009-07-14 16:54 . 2009-07-14 16:54 12116 ----a-w- c:\documents and settings\All Users\Application Data\xybexemeki.exe
2009-07-14 16:54 . 2009-07-14 16:54 11907 ----a-w- c:\windows\oxotedife.bat
2009-07-14 16:54 . 2009-07-14 16:54 11230 ----a-w- c:\documents and settings\Kbennett\Local Settings\Application Data\unaxihok.bin
2009-07-14 16:54 . 2009-07-14 16:54 11009 ----a-w- c:\documents and settings\Kbennett\Application Data\cacin.com
2009-07-07 19:51 . 2009-07-07 19:51 -------- d-----w- C:\c1993d69b2257706bc42
2009-07-07 19:51 . 2008-04-14 09:41 21504 ----a-w- c:\windows\system32\drivers\hidserv.dll
2009-07-07 15:45 . 2008-04-11 00:08 212992 ----a-w- c:\windows\system32\stacsv.exe
2009-07-07 15:23 . 2009-07-07 15:23 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
2009-07-07 15:20 . 2009-07-07 15:20 -------- d-sh--w- c:\documents and settings\Kbennett\IECompatCache
2009-07-07 15:18 . 2009-07-07 15:18 -------- d-sh--w- c:\documents and settings\Kbennett\PrivacIE
2009-07-07 15:17 . 2009-07-07 15:18 -------- d-----w- C:\20f903efbc480001cc
2009-07-07 15:16 . 2009-07-07 15:16 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-07 15:07 . 2009-07-07 15:07 -------- d-----w- C:\6892e8b48eb6eb6b09
2009-07-07 15:07 . 2009-07-07 15:13 -------- d-----w- C:\21f913dc4e1d3e76d194
2009-07-07 14:58 . 2009-06-02 10:12 102912 -c----w- c:\windows\system32\dllcache\iecompat.dll
2009-07-07 14:58 . 2009-07-07 14:58 -------- d-----w- c:\windows\ie8updates
2009-07-07 14:57 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-07 14:57 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-07 14:55 . 2009-07-07 14:57 -------- dc-h--w- c:\windows\ie8
2009-07-07 14:07 . 2009-04-29 04:55 78336 -c----w- c:\windows\system32\dllcache\ieencode.dll
2009-07-07 14:07 . 2009-04-29 04:55 78336 ------w- c:\windows\system32\ieencode.dll
2009-07-07 14:00 . 2009-04-15 14:51 585216 -c----w- c:\windows\system32\dllcache\rpcrt4.dll
2009-07-07 13:59 . 2009-05-07 15:32 345600 -c----w- c:\windows\system32\dllcache\localspl.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-06 12:47 . 2007-01-24 14:45 -------- d-----w- c:\program files\Peachtree
2009-08-05 19:48 . 2009-04-20 19:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-03 17:36 . 2009-04-20 19:58 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-04-20 19:58 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 14:46 . 2007-01-24 13:37 -------- d-----w- c:\program files\DesignPro
2009-07-30 13:02 . 2009-07-30 13:02 184 ----a-w- c:\program files\evovx.txt
2009-07-27 19:33 . 2007-04-19 14:47 -------- d-----w- c:\program files\Common Files\Autodesk Shared
2009-07-27 19:33 . 2007-04-19 14:47 -------- d-----w- c:\program files\AutoCAD LT 2002
2009-07-27 12:18 . 2009-05-21 14:25 256 ----a-w- c:\windows\system32\pool.bin
2009-07-24 19:57 . 2007-01-24 14:45 -------- d-----w- c:\program files\Common Files\Peach
2009-07-15 20:01 . 2007-11-29 18:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-07-07 19:51 . 2009-07-07 19:51 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2009-07-07 19:51 . 2009-07-07 19:51 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2009-07-07 15:15 . 2007-02-08 17:02 158448 ----a-w- c:\documents and settings\Kbennett\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-07 15:12 . 2009-07-07 15:12 -------- d-----w- c:\program files\MSBuild
2009-07-07 15:12 . 2009-07-07 15:12 -------- d-----w- c:\program files\Reference Assemblies
2009-07-07 15:04 . 2007-11-29 18:20 -------- d-----w- c:\program files\Microsoft Works
2009-07-03 17:09 . 2006-06-01 03:17 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-16 14:36 . 2006-06-01 03:17 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2006-06-01 03:16 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-03 19:09 . 2006-06-01 03:16 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-22 17:09 . 2009-05-22 17:09 10134 ----a-r- c:\documents and settings\Kbennett\Application Data\Microsoft\Installer\{F3CA9611-CD42-4562-ADAB-A554CF8E17F1}\ARPPRODUCTICON.exe
2009-05-22 15:29 . 2008-09-24 19:05 826 ----a-w- c:\windows\PSODBCEI.reg
2009-05-22 15:29 . 2008-09-24 19:05 826 ----a-w- c:\windows\PSODBCCI.reg
2009-05-22 15:29 . 2008-09-24 19:05 610 ----a-w- c:\windows\PSOA.reg
2009-05-22 15:29 . 2008-09-24 19:05 18232 ----a-w- c:\windows\PriorPervasive.reg
2009-05-21 16:08 . 2009-05-21 16:08 10134 ----a-r- c:\documents and settings\Kbennett\Application Data\Microsoft\Installer\{2877881B-0736-42AB-B312-D4457D57E56D}\ARPPRODUCTICON.exe
2009-05-09 05:14 . 2009-05-09 05:14 1418120 ----a-w- c:\windows\system32\wdfcoinstaller01005.dll
2009-05-09 05:14 . 2009-05-09 05:14 14736 ----a-w- c:\windows\system32\drivers\nuidfltr.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-03 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"StatusClient"="c:\program files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe" [2002-12-16 36864]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"PeachtreePrefetcher.exe"="c:\progra~1\PEACHT~1\PeachtreePrefetcher.exe" [2009-04-06 23040]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2007-12-13 20480]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2006-11-22 813912]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-02-05 849280]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Kaseya Agent Service Helper"="c:\program files\Kaseya\Agent\KaUsrTsk.exe" [2008-09-04 229376]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Event Reminder.lnk - c:\program files\Mindscape\PrintMaster\PMREMIND.EXE [1998-6-6 325632]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2007-12-13 65536]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2007-12-12 31744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLinkedConnections"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=c:\windows\pss\Adobe Acrobat Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Desktop Manager.lnk
backup=c:\windows\pss\Desktop Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=c:\windows\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Javasoft\\JRE\\1.3.1\\bin\\javaw.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R2 ASICIO;ASIC Driver;c:\windows\system32\Drivers\ASICIO.SYS [x]
R2 lywnfsqgwgl;lywnfsqgwgl;c:\windows\system32\drivers\doitjnthfqy.sys [x]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 KaseyaAgent;SecureWorkplace;c:\program files\Kaseya\Agent\AgentMon.exe [2008-09-04 610304]
S2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe [2008-12-18 9158656]
S2 mstbsvc;MSN Toolbar Setup;c:\program files\MSN\Toolbar\3.0.0983.0\mstbsvc.exe [2008-11-08 100184]
S2 psqlWGE;Pervasive PSQL Workgroup Engine;c:\program files\Pervasive Software\PSQL\bin\w3dbsmgr.exe [2009-04-07 435496]
S3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\DRIVERS\IAMTXP.sys [2005-11-29 40448]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-08-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2007-01-19 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 09:42]

2007-01-19 c:\windows\Tasks\ISP signup reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-06-01 09:42]

2007-01-19 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2007-01-11 01:32]
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.wmur.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Search
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: turbotax.com
DPF: {20CE7BA6-1131-433A-8751-4BC7A1A41845} - hxxp://kcarmichael1.myphotoalbum.com/MyPhotoAlbumEasyUploader.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-06 09:41
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(756)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(812)
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2009-08-06 9:43
ComboFix-quarantined-files.txt 2009-08-06 13:43

Pre-Run: 50,191,876,096 bytes free
Post-Run: 50,197,454,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

222 --- E O F --- 2009-07-30 12:11

[Fatdcuk]

Hi ya,

Looking alot better,HJT and Combofix say your good to go so are there any more issue's on the PC ?

[True North]

Nothing seems to be wrong it is rebooting just fine now and performance its performance is better. Thanks for all you help!!!!!!

[Fatdcuk]

Ok that's great, i will close this topic as finished now

Here's some handy reading tho Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.


We hope our application has helped you eradicate this malicious Malware.
If your current anti-virus solution let this infection through please consider purchasing the PRO version of Malwarebytes' Anti-Malware for additional protection against these types of malware.


Safe surfing