Full Version: Trojan.agent WINDOW\system32\ESQULzcounter
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
sansari
I persistently get this trojan on reboot. It's redirecting Google searches; other than that the computer seems to work fine. I have posted the MBAM log below. Any help is appreciated! Thanks!

Malwarebytes' Anti-Malware 1.39
Database version: 2532
Windows 5.1.2600 Service Pack 3

30/07/2009 6:38:08 PM
mbam-log-2009-07-30 (18-38-05).txt

Scan type: Quick Scan
Objects scanned: 101118
Time elapsed: 6 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ESQULzcounter (Trojan.Agent) -> No action taken.
sansari
Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:27 PM, on 30/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Live\Messenger\wlcsdk.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HJTapp.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=Q106&bd=pavilion&pf=laptop
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7571 bytes



QUOTE (sansari @ Jul 30 2009, 04:19 PM) *
Maurice Naggar
Hello sansari,

You will want to print out or copy these instructions to Notepad for Safe Mode/offline reference!

If you are a casual viewer, do NOT try this on your system!
If you are not sansari and have a similar problem, do NOT post here; start your own topic


Do not run or start any other programs while these utilities and tools are in use!
Do NOT run any other tools on your own or do any fixes other than what is listed here.
If you have questions, please ask before you do something on your own.
But it is important that you get going on these following steps.
=
Close any of your open programs while you run these tools.

1. Go >> Here << and download ERUNT
(ERUNT (Emergency Recovery Utility NT) is a free program that allows you to keep a complete backup of your registry and restore it when needed.)
2. Install ERUNT by following the prompts
(use the default install settings but say no to the portion that asks you to add ERUNT to the start-up folder, if you like you can enable this option later)
3. Start ERUNT
(either by double clicking on the desktop icon or choosing to start the program at the end of the setup)
4. Choose a location for the backup
(the default location is C:\WINDOWS\ERDNT which is acceptable).
5. Make sure that at least the first two check boxes are ticked
6. Press OK
7. Press YES to create the folder.

=

1. Set Windows to show all files and all folders.
On your Desktop, double click My Computer; from the menu options, select Tools, then Folder Options, and then select the VIEW tab and look at all of the settings listed.

"CHECK" (turn on) Display the contents of system folders.

Under the column Hidden files and folders, choose (select) Show hidden files and folders.
Next, un-check Hide extensions for known file types.
Next un-check Hide protected operating system files.

2. Take out the trash (temporary files & temporary internet files)
Please download ATF Cleaner by Atribune, saving it to your desktop. It is used to clean out temporary files & temp areas used by internet browsers.
Start ATF-Cleaner.exe to run the program.

Under Main choose: Select All

Click the Empty Selected button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose: Select All

Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
ATF-Cleaner should be run per the above in every user-login account {User Profile}

=

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

If you have a prior copy of Combofix, delete it now!

Download Combofix from any of the links below. You must rename it before saving it. Save it to your Desktop.

Link 1
Link 2
Link 3

* IMPORTANT !!! SAVE AS Combo-Fix.exe to your Desktop
If your I.E. browser shows a warning message at the top, do a Right-Click on the bar and select Download, saving it to the Desktop.

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  • Double click on Combo-Fix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

Please watch Combofix as it runs, as you may see messages which require your response, or the pressing of OK button.

IF you should see a message like this:

then be sure to write it down fully, copy it into your next reply here, and await my response.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-------------------------------------------------------

A caution - Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.

The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled.
If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light.
If it is flashing, Combofix is still at work.
=
Next, Start your MBAM MalwareBytes' Anti-Malware.
Click the Settings Tab. Make sure all option lines have a checkmark.

Next, Click the Update tab. Press the "Check for Updates" button.

When done, click the Scanner tab.
Do a Quick Scan.

When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

=

RE-Enable your AntiVirus and AntiSpyware applications.

Reply with copy of C:\Combofix.txt
and the latest MBAM scan log

There will be much more to do later.

P.S. Always use the ADDReply button when starting a reply, and not the other buttons.
sansari
Hi there,
I have followed the instructions. While running ComboFix I got a message saying

'ComboFix has detected the presence of rootkit activity ..... We may need it later.'
The names of the files were:
c:\windows\system32\ESQULmtynecwtaqgukhdrsflgwkrdarjurbyy.dll
c:\windows\system32\drivers\ESQULfndsxhldacxktuhyfrmoejbenvttordv.sys
c:\windows\system32\ESQULivtxmqpkfyioiajnvcjtpoivwplydcdp.dll

Combofix log:

ComboFix 09-07-29.04 - Sania Ansari 31/07/2009 1:14.9.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.728 [GMT -4:00]
Running from: c:\documents and settings\Sania Ansari\Desktop\Combo-Fix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Install.txt
c:\windows\Installer\3eace.msp
c:\windows\Installer\ee1c62f.msp
c:\windows\run.log
c:\windows\system32\drivers\ESQULfndsxhldacxktuhyfrmoejbenvttordv.sys
c:\windows\system32\drivers\ESQULwqxyiqhrxumeyxwmqpqjpwdvxowbnrbc.sys
c:\windows\system32\ESQULivtxmqpkfyioiajnvcjtpoivwplydcdp.dll
c:\windows\system32\ESQULmtynecwtaqgukhdrsflgwkrdarjurbyy.dll
c:\windows\system32\geyekrgyekxlbq.dll
c:\windows\system32\geyekrisdinawr.dat
c:\windows\system32\geyekrotrkjacp.dll
c:\windows\system32\Install.txt
c:\windows\system32\UACocukqpmapfqpkqude.db
c:\windows\system32\UACqnojuoougiburevnm.dat
c:\windows\system32\uactmp.db

c:\windows\system32\grpconv.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\grpconv.exe

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_ESQULserv.sys
-------\Service_ESQULserv.sys


((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
.

2009-07-31 05:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\proquota.exe
2009-07-31 05:23 . 2008-04-14 00:12 50176 ----a-w- c:\windows\system32\dllcache\proquota.exe
2009-07-31 05:22 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\grpconv.exe
2009-07-31 05:22 . 2008-04-14 00:12 39424 ----a-w- c:\windows\system32\dllcache\grpconv.exe
2009-07-31 04:45 . 2009-07-31 04:45 -------- d-----w- c:\program files\ERUNT
2009-07-30 21:53 . 2009-07-13 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-30 21:53 . 2009-07-30 21:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-30 21:53 . 2009-07-13 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-30 20:06 . 2009-07-30 20:06 -------- d-----w- c:\documents and settings\Sania Ansari\DoctorWeb
2009-07-30 19:11 . 2009-07-30 19:11 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-30 19:10 . 2009-07-30 19:10 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-07-23 01:04 . 2009-07-23 01:04 -------- d-----w- c:\documents and settings\Guest\Application Data\Malwarebytes
2009-07-21 06:10 . 2009-07-21 06:10 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-07-17 04:59 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\dllcache\ctfmon.exe
2009-07-17 04:59 . 2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
2009-07-17 04:58 . 2004-08-04 13:00 4224 ----a-w- c:\windows\system32\dllcache\beep.sys
2009-07-17 04:58 . 2009-07-17 20:19 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\16283284

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-31 05:06 . 2006-01-03 11:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-07-31 05:06 . 2009-01-22 16:05 -------- d-----w- c:\program files\Symantec AntiVirus
2009-07-31 05:06 . 2006-01-03 11:34 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\Symantec
2009-07-31 00:48 . 2009-03-19 16:04 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-30 03:43 . 2008-09-02 20:25 -------- d---a-w- c:\docume~1\ALLUSE~1\APPLIC~1\TEMP
2009-07-30 03:43 . 2009-05-05 01:27 -------- d-----w- c:\program files\SpywareBlaster
2009-07-21 06:10 . 2007-05-05 22:32 -------- d-----w- c:\program files\DivX
2009-07-17 04:58 . 2009-07-17 04:59 0 ----a-w- c:\windows\system32\drivers\OLD18E.tmp
2009-07-03 17:09 . 2004-08-04 08:00 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 09:34 . 2007-07-30 03:20 -------- d-----w- c:\program files\Veoh
2009-06-20 02:10 . 2009-06-20 02:10 -------- d-----w- c:\docume~1\ALLUSE~1\APPLIC~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-20 02:10 . 2007-01-15 02:13 -------- d-----w- c:\program files\iTunes
2009-06-20 02:10 . 2009-06-20 02:10 -------- d-----w- c:\program files\iPod
2009-06-20 02:10 . 2008-11-25 01:14 -------- d-----w- c:\program files\Common Files\Apple
2009-06-20 02:08 . 2009-06-20 02:07 -------- d-----w- c:\program files\QuickTime
2009-06-16 14:36 . 2004-08-04 08:00 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-16 14:36 . 2004-08-04 08:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-03 19:09 . 2004-08-04 08:00 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-05-21 01:22 . 2006-04-25 02:13 59 ----a-w- c:\windows\popcinfo.dat
2009-05-07 15:32 . 2004-08-04 08:00 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-06 20:32 . 2009-01-20 15:22 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-06 20:31 . 2009-05-06 20:31 607640 ----a-w- C:\jre-6u13-windows-i586-p-iftw.exe
2009-05-04 19:03 . 2009-05-04 19:03 59904 ----a-w- c:\windows\system32\zlib1.dll
2009-05-04 18:53 . 2009-05-04 18:53 286720 ----a-w- c:\windows\system32\libcurl.dll
2009-05-04 18:53 . 2009-05-04 18:53 196608 ----a-w- c:\windows\system32\ssleay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 1028096 ----a-w- c:\windows\system32\libeay32.dll
2009-05-04 18:53 . 2009-05-04 18:53 143360 ----a-w- c:\windows\system32\libexpatw.dll
2008-03-18 20:34 . 2008-03-18 20:32 6735008 ----a-w- c:\program files\Thunderbird Setup 2.0.0.12.exe
2007-07-17 22:33 . 2007-07-17 22:30 3753079 ----a-w- c:\program files\MSReaderSetup.exe
2009-07-23 21:30 . 2008-08-27 17:13 134648 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2006-04-23 12:45 . 2006-04-23 12:45 22 --sha-w- c:\windows\SMINST\HPCD.sys
.

------- Sigcheck -------


[7] 2004-08-04 13:00 4224 DA1F27D85E0D1525F6621372E7B685E9 c:\windows\system32\dllcache\beep.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-05-13 185784]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-06 148888]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" - c:\windows\system32\CHDAudPropShortcut.exe [2005-11-22 61952]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2005-07-23 28160]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Documents and Settings\\Sania Ansari\\Desktop\\drjava-stable-20060127-2145.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\eclipse-java-europa-winter-win32\\eclipse\\eclipse.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Documents and Settings\\Sania Ansari\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24303:TCP"= 24303:TCP:BitComet 24303 TCP
"24303:UDP"= 24303:UDP:BitComet 24303 UDP

R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [19/03/2009 12:03 PM 55152]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\ppsio2.sys [12/08/2007 8:02 PM 23200]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 6:08 PM 533360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
vvdsvc REG_MULTI_SZ vvdsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
- - - - ORPHANS REMOVED - - - -

Notify-NavLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &Yahoo! Search - file:///c:\program files\Yahoo!\Common/ycsrch.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Yahoo! &Dictionary - file:///c:\program files\Yahoo!\Common/ycdict.htm
IE: Yahoo! &Maps - file:///c:\program files\Yahoo!\Common/ycmap.htm
IE: Yahoo! &SMS - file:///c:\program files\Yahoo!\Common/ycsms.htm
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\docume~1\SANIAA~1\APPLIC~1\Mozilla\Firefox\Profiles\m43pwysh.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search/?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search/?fr=ffds1&p=
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npvlc.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Veoh\Plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-31 01:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,7c,ac,d7,1c,4a,2e,4a,bb,be,61,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,7c,ac,d7,1c,4a,2e,4a,bb,be,61,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2844)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Sonic\DigitalMedia Plus v7\MyDVD Plus\USBDeviceService.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-07-31 1:31 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-31 05:31

Pre-Run: 40,695,238,656 bytes free
Post-Run: 40,608,067,584 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
233 --- E O F --- 2009-07-31 00:00

_____________________________________

mbam log

Malwarebytes' Anti-Malware 1.39
Database version: 2534
Windows 5.1.2600 Service Pack 3

31/07/2009 1:39:56 AM
mbam-log-2009-07-31 (01-39-56).txt

Scan type: Quick Scan
Objects scanned: 98999
Time elapsed: 4 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Maurice Naggar
Hello sansari,

Good progress at this point. The rootkits have been removed by Combofix. There is more to do.

Close any of your open programs. Do no websurfing. Do not start any other programs while these are running.
And please have infinite patience while Sysclean and the Eset online scan run. They may each take an hour or more, depending on your system & how many files it has.

=

Download the Microsoft® Windows® Malicious Software Removal Tool from the Microsoft Download Center
http://www.microsoft.com/downloads/details...;displaylang=en
It is suggested that you rename mrt.exe to some other name, such as Omega.exe, then run it.

After a run of MSRT has finished, you will find the log at C:\WINDOWS\Debug\mrt.log or C:\WINNT\Debug\mrt.log
The file may be opened and viewed with Notepad or similar text editor.


Additional information Microsoft® Windows® Malicious Software Removal Tool is here http://support.microsoft.com/?kbid=890830

If no infections were found, you will see in your log
QUOTE
Results Summary:
----------------
No infection found.


=

Please read and follow all these instructions very carefully.
  1. Please download GooredFix and save it to your Desktop.
  2. Double-click GooredFix.exe to run it.
  3. A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called Goored.txt).
=

See this topic in the AumHa Security forum and get the latest Java run-time
http://aumha.net/viewtopic.php?f=26&t=41464

=

Please download and run the Trend Micro Sysclean Package on your computer.
NOTE! This scan will probably take a long time to run on your computer so be patient and don't use it while it's scanning.

  • Create a brand new folder to copy these files to.
  • As an example: C:\DCE
  • Then open each of the zipped archive files and copy their contents to C:\DCE
  • Copy the file sysclean.com to the new folder C:\DCE as well.
  • Double-click on the file sysclean.com that is in the C:\DCE folder and follow the on-screen instructions.

    After doing all of this, please post back your results, including the log file sysclean.log that will be left behind by sysclean.

How To Use Compressed (Zipped) Folders in Windows XP
Compress and uncompress files (zip files) in Vista

=

Using Internet Explorer browser only, go to ESET Online Scanner website:
Vista users should start IE by Start (Vista Orb) >> Internet Explorer >> Right-Click and select Run As Administrator.
  • Accept the Terms of Use and press Start button;
  • Approve the install of the required ActiveX Control, then follow on-screen instructions;
  • Enable (check) the Remove found threats option, and run the scan.
  • After the scan completes, the Details tab in the Results window will display what was found and removed.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt.
    Look at contents of this file using Notepad or Wordpad.

    The Frequently Asked Questions for ESET Online Scanner can be viewed here
    http://www.eset.com/onlinescan/cac4.php?page=faq

    • From ESET Tech Support: If you have ESET NOD32 installed, you should disable it prior to running this scanner.
      Otherwise the scan will take twice as long to do:
      every time the ESET online scanner opens a file on your computer to scan it, NOD32 on your machine will rescan the file as a result.
    • It is emphasized to temporarily disable any pc-resident {active} antivirus program prior to any on-line scan by any on-line scanner.
      (And the prompt re-enabling when finished.)
    • If you use Firefox, you have to install IETab, an add-on. This is to enable ActiveX support.

=

Reply with copy of mrt.log
Goored.txt
Sysclean log
& ESET's Log.txt
and advise, How is your system now ?
sansari
hello again!
The logs are posted below. The system seems to be working fine.

mrt.log


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.15, April 2006
Started On Sat Apr 22 19:12:48 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat Apr 22 19:13:00 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.16, May 2006
Started On Tue May 09 21:05:06 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue May 09 21:13:47 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.17, June 2006
Started On Fri Jun 16 21:01:12 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Jun 16 21:01:29 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.18, July 2006
Started On Thu Jul 13 10:58:03 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jul 13 10:58:15 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.19, August 2006
Started On Sun Aug 13 19:34:02 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sun Aug 13 19:34:23 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.20, September 2006
Started On Thu Sep 14 03:01:56 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Sep 14 03:02:13 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.21, October 2006
Started On Thu Oct 12 21:00:20 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Oct 12 21:00:37 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.22, November 2006
Started On Wed Nov 15 21:01:22 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 15 21:01:37 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.23, December 2006
Started On Fri Dec 15 22:33:07 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Dec 15 22:33:29 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.23, December 2006
Started On Sat Dec 23 00:33:15 2006

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat Dec 23 00:33:33 2006


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.24, January 2007
Started On Sat Jan 13 03:04:39 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat Jan 13 03:05:09 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.25, February 2007
Started On Sun Feb 18 16:31:38 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sun Feb 18 16:32:17 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.27, March 2007
Started On Sat Mar 31 03:02:38 2007

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Sat Mar 31 03:03:05 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.28, April 2007
Started On Thu May 03 17:16:06 2007
->Sysclean WARNING: MemScanGetImagePathFromPid(2140) (Win32 Error Code: 0x00000057 (87):The parameter is incorrect.) [709]

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 03 17:16:38 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.29, May 2007
Started On Thu May 24 12:20:03 2007
->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu May 24 12:21:14 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.30, June 2007
Started On Wed Jun 13 17:05:51 2007
->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jun 13 17:07:10 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.31, July 2007
Started On Wed Jul 11 09:13:55 2007
->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jul 11 09:15:24 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.32, August 2007
Started On Wed Aug 15 17:29:20 2007
->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Aug 15 17:30:59 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.33, September 2007
Started On Thu Sep 13 21:02:36 2007
->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000B (11))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Sep 13 21:04:05 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.34, October 2007
Started On Wed Oct 10 11:59:16 2007
->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Oct 10 12:00:46 2007


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v1.40, April 2008
Started On Thu Apr 24 01:40:07 2008
->Scan ERROR: resource file://C:\Program Files\DivX\DivX Web Player\npdivx32.dll (code 0x0000000D (13))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Apr 24 01:41:42 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.1, August 2008
Started On Mon Sep 08 23:06:11 2008
->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))
->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))
->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 08 23:08:16 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.2, September 2008
Started On Tue Sep 09 23:07:19 2008
->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))
->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))
->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Sep 09 23:09:01 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.3, October 2008
Started On Tue Oct 14 21:06:08 2008

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Oct 14 21:08:01 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.4, November 2008
Started On Wed Nov 12 20:04:53 2008
->Scan ERROR: resource service://TDSSserv.sys (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Nov 12 20:06:52 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.5, December 2008
Started On Tue Dec 09 20:01:30 2008
->Scan ERROR: resource process://pid:1288 (code 0x00000057 (87))
->Scan ERROR: resource service://TDSSserv.sys (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Tue Dec 09 20:03:40 2008


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.7, February 2009
Started On Mon Feb 16 20:04:09 2009

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Feb 16 20:08:08 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.8, March 2009
Started On Fri Mar 20 20:02:34 2009
->Scan ERROR: resource process://pid:5464 (code 0x00000057 (87))
->Scan ERROR: resource process://pid:3764 (code 0x00000005 (5))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Mar 20 20:05:12 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.9, April 2009
Started On Wed Apr 15 20:05:32 2009
Security policy adjusted. Engine requests reboot and try again, ignoring.
Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Apr 15 20:07:45 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.10, May 2009
Started On Wed May 13 21:27:22 2009
WARNING: Security policy doesn't allow for all actions MSRT may require.
Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed May 13 21:29:38 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.10, May 2009
Started On Mon Jun 08 13:35:23 2009
WARNING: Security policy doesn't allow for all actions MSRT may require.
Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Jun 08 13:38:13 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.11, June 2009
Started On Thu Jun 11 20:02:20 2009
WARNING: Security policy doesn't allow for all actions MSRT may require.
Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Thu Jun 11 20:04:20 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.12, July 2009
Started On Wed Jul 15 20:01:38 2009
WARNING: Security policy doesn't allow for all actions MSRT may require.
Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Wed Jul 15 20:04:27 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.12, July 2009
Started On Fri Jul 31 14:58:06 2009

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Jul 31 15:01:22 2009


---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.12, July 2009
Started On Fri Jul 31 15:01:29 2009

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Jul 31 15:01:47 2009



__________________________________________

GooredFix

GooredFix by jpshortstuff (12.07.09)
Log created at 15:04 on 31/07/2009 (Sania Ansari)
Firefox version 3.0.12 (en-US)

========== GooredScan ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [04:43 25/04/2006]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [20:33 06/05/2009]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [20:32 06/05/2009]

-=E.O.F=-

___________________________________________

sysclean.log



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2009-2010, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2009-07-31, 15:36:16, Auto-clean mode specified.
2009-07-31, 15:36:17, Initialized Rootkit Driver version 2.2.0.1004.
2009-07-31, 15:36:17, Running scanner "C:\DCE\TSC.BIN"...
2009-07-31, 15:36:29, Scanner "C:\DCE\TSC.BIN" has finished running.
2009-07-31, 15:36:29, TSC Log:

Damage Cleanup Engine (DCE) 6.1 (Build 1027) (RCM: 2.2.0-1004)

Windows XP (Build 2600: Service Pack 3)

Start time: Fri Jul 31 2009 15:36:18

Load Damage Cleanup Template (DCT) "C:\DCE\TMRDCT.ptn" (version) [fail]
Load Damage Cleanup Template (DCT) "C:\DCE\tsc.ptn" (version 1052) [success]

Complete time: Fri Jul 31 2009 15:36:29

Execute pattern count (3061), Virus found count (0), Virus clean count (0), Clean failed count (0)





2009-07-31, 15:36:29, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-07-31, 17:04:56, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-07-31, 17:04:56, VSCANTM Log:

2009-07-31, 17:04:56, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/31/2009 15:36:30
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 335 (467962/467962 Patterns) (2009/07/30) (633500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.335

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ESQULfndsxhldacxktuhyfrmoejbenvttordv.sys.vir [BKDR_TDSS.Z]
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ESQULwqxyiqhrxumeyxwmqpqjpwdvxowbnrbc.sys.vir [BKDR_TDSS.Z]
126393 files have been read.
126393 files have been checked.
126194 files have been scanned.
466626 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/31/2009 17:04:56 1 hour 28 minutes 25 seconds (5304.95 seconds) has elapsed.(41.972 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-31, 17:04:56, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/31/2009 15:36:30
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 335 (467962/467962 Patterns) (2009/07/30) (633500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.335

126393 files have been read.
126393 files have been checked.
126194 files have been scanned.
466626 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/31/2009 17:04:56 1 hour 28 minutes 25 seconds (5304.95 seconds) has elapsed.(41.972 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-31, 17:04:56, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/31/2009 15:36:30
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 335 (467962/467962 Patterns) (2009/07/30) (633500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR C:\*.* /P=C:\DCE\lpt$vpn.335

126393 files have been read.
126393 files have been checked.
126194 files have been scanned.
466626 files have been scanned. (including files in archived)
2 files containing viruses.
Found 2 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/31/2009 17:04:56 1 hour 28 minutes 25 seconds (5304.95 seconds) has elapsed.(41.972 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-31, 17:04:56, Running scanner "C:\DCE\VSCANTM.BIN"...
2009-07-31, 17:05:25, Scanner "C:\DCE\VSCANTM.BIN" has finished running.
2009-07-31, 17:05:25, VSCANTM Log:

2009-07-31, 17:05:25, Files Detected:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/31/2009 17:04:56
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 335 (467962/467962 Patterns) (2009/07/30) (633500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\DCE\lpt$vpn.335

1820 files have been read.
1820 files have been checked.
1820 files have been scanned.
1934 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/31/2009 17:05:25 28 seconds (27.61 seconds) has elapsed.(15.170 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-31, 17:05:25, Files Clean:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/31/2009 17:04:56
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 335 (467962/467962 Patterns) (2009/07/30) (633500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\DCE\lpt$vpn.335

1820 files have been read.
1820 files have been checked.
1820 files have been scanned.
1934 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/31/2009 17:05:25 28 seconds (27.61 seconds) has elapsed.(15.170 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*
2009-07-31, 17:05:25, Clean Fail:
Copyright © 1990 - 2006 Trend Micro Inc.
Report Date : 7/31/2009 17:04:56
VSAPI Engine Version : 8.950-1092
VSCANTM Version : 3.00-1018 (Official Build)

VSGetVirusPatternInformation is invoked

Virus Pattern Version : 335 (467962/467962 Patterns) (2009/07/30) (633500)

Command Line: C:\DCE\VSCANTM.BIN /NBPM /S /CLEANALL /LD /LC /LCF /NM /NB /DCEGENCLEAN /HIDEDCECONSOLE /C /ACTIVEACTION=5 /VSBKENC+ /BK /LR D:\*.* /P=C:\DCE\lpt$vpn.335

1820 files have been read.
1820 files have been checked.
1820 files have been scanned.
1934 files have been scanned. (including files in archived)
0 files containing viruses.
Found 0 viruses totally.
Maybe 0 viruses totally.
Stop At: 7/31/2009 17:05:25 28 seconds (27.61 seconds) has elapsed.(15.170 msec/file)
---------*---------*---------*---------*---------*---------*---------*---------*

_____________________________________________
ESET's log

ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5889
# api_version=3.0.2
# EOSSerial=3647bda78d118f4882ca5e5ce71719d8
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-31 10:23:28
# local_time=2009-07-31 06:23:28 (-0500, Eastern Daylight Time)
# country="Canada"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# scanned=129222
# found=6
# cleaned=6
# scan_time=3756
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent23.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent39.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent69.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\HPQ\Default Settings\CpqsetVer.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\ESQULivtxmqpkfyioiajnvcjtpoivwplydcdp.dll.vir a variant of Win32/Kryptik.ZE trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrgyekxlbq.dll.vir Win32/Olmarik.JK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
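Two of the checks in this thread are done by eye: reading the mrt.log history for "->Scan ERROR" lines on the TDSSserv service (the earlier rootkit infections hide behind runs that all say "No infection found."), and sorting the Sysclean/ESET hits into files that were still live versus files already sitting in another tool's quarantine. The following script is an added example, not code from the thread or from Malwarebytes, MSRT or ESET. Its sample inputs are constructed from the log formats quoted above, and the list of quarantine folders it recognises is an assumption for this example.

```python
"""Added example, not code from the thread: parse_mrt_log() splits an MSRT
mrt.log into runs and keeps every '->' error line, since a repeated error on
service://TDSSserv is what revealed the earlier TDSS rootkit infections even
though every run reported 'No infection found.'  classify_detections() tells
ESET-style hits on live files apart from hits inside a quarantine folder."""
import re
from collections import namedtuple

# Constructed excerpt in the mrt.log format quoted in the thread; the last
# run has no 'Results Summary' block, like the final run in the posted log.
SAMPLE_MRT_LOG = """\
Microsoft Windows Malicious Software Removal Tool v2.1, August 2008
Started On Mon Sep 08 23:06:11 2008
->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))
->Scan ERROR: resource service://TDSSserv (code 0x0000054F (1359))

Results Summary:
----------------
No infection found.

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Mon Sep 08 23:08:16 2008

---------------------------------------------------------------------------------------

Microsoft Windows Malicious Software Removal Tool v2.12, July 2009
Started On Fri Jul 31 15:01:29 2009

Return code: 0
Microsoft Windows Malicious Software Removal Tool Finished On Fri Jul 31 15:01:47 2009
"""

MrtRun = namedtuple("MrtRun", "version month started errors result")
HEADER_RE = re.compile(
    r"^Microsoft Windows Malicious Software Removal Tool (v[\d.]+), (\w+ \d{4})$")
SERVICE_ERR_RE = re.compile(r"^->Scan ERROR: resource service://(\S+)")


def parse_mrt_log(text):
    """Split an mrt.log into runs.  result is None when a run has no
    'Results Summary' block, i.e. it ended without a verdict."""
    runs, cur, want_result = [], None, False
    for line in text.splitlines():
        m = HEADER_RE.match(line)       # the 'Finished On' line does not match
        if m:
            cur = {"version": m.group(1), "month": m.group(2),
                   "started": None, "errors": [], "result": None}
            runs.append(cur)
            want_result = False
        elif cur is None:
            continue
        elif line.startswith("Started On "):
            cur["started"] = line[len("Started On "):]
        elif line.startswith("->"):     # '->Scan ERROR' / '->Sysclean WARNING'
            cur["errors"].append(line)
        elif line.startswith("Results Summary:"):
            want_result = True
        elif want_result and line.strip() and not line.startswith("-"):
            cur["result"] = line.strip()
            want_result = False
    return [MrtRun(**r) for r in runs]


def service_scan_errors(runs):
    """(month, service name) for every run in which MSRT could not inspect a
    service.  The same name recurring across months is the signal to chase."""
    hits = []
    for run in runs:
        names = {m.group(1) for m in map(SERVICE_ERR_RE.match, run.errors) if m}
        hits.extend((run.month, name) for name in sorted(names))
    return hits


# Folders where tools used in this thread park files they already neutralised;
# a hit under one of these is a leftover, not an active infection.  The list
# is an assumption for this example.
QUARANTINE_DIRS = ("\\Qoobox\\Quarantine\\", "\\Spybot - Search & Destroy\\Recovery\\")

# Constructed lines in the ESET Online Scanner log format quoted in the thread.
SAMPLE_ESET_LINES = [
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent23.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C",
    r"C:\Program Files\HPQ\Default Settings\CpqsetVer.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C",
    r"C:\Qoobox\Quarantine\C\WINDOWS\system32\geyekrgyekxlbq.dll.vir Win32/Olmarik.JK trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C",
]
# path (ends at a file extension), detection name, then the action in parentheses
ESET_LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?\.[A-Za-z0-9]{1,4}) (?P<name>.+?) \((?P<action>[^)]+)\)")


def classify_detections(lines):
    """Return {'live': [...], 'quarantined': [...]} of (path, detection name)."""
    out = {"live": [], "quarantined": []}
    for line in lines:
        m = ESET_LINE_RE.match(line)
        if not m:
            continue                    # header lines such as '# scanned=...'
        path, name = m.group("path"), m.group("name")
        parked = any(d.lower() in path.lower() for d in QUARANTINE_DIRS)
        out["quarantined" if parked else "live"].append((path, name))
    return out
```

Run against the full mrt.log from the thread, service_scan_errors() lists TDSSserv for August, September, November and December 2008, which is the same conclusion drawn from it by hand below; classify_detections() on the ESET log leaves only the HPQ CpqsetVer.exe hit in the live bucket, the rest being quarantine leftovers.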


Maurice Naggar
Hello Sania,
Sysclean scan and Eset scan mostly found items already in quarantine.
The Combofix has squashed a multi-faceted cluster of rootkits. That is very very good.

BUT your MRT log (the MS Malicious Software Removal Tool) showed you had previous infections of the TDSS-rootkit in several months last year: August, September, November, & December.
You must take steps to harden this pc's defenses.

Unless you have purchased Malwarebytes' Anti Malware {MBAM}, you should un-install it. Go to Control Panel and Add-or-Remove programs.
Look for it and click the line for it. Select Change/Remove to de-install it.
Also de-install Eset Online scan.
OK & Exit out of Control Panel

I see that you are clear of your original issues.
If you have a problem with these steps, or something does not quite work here, do let me know.

The following few steps will remove tools we used; followed by advice on staying safer.

We have to remove Combofix and all its associated folders.
By whichever name you named it, ( you had named it combo-fix ), put that name in the RUN box stated just below.
The "/u" in the Run line below is to start Combofix for its cleanup & removal function.
Note the space after x and before the slash mark.
The utility must be removed to prevent any un-intentional or accidental usage, PLUS, to free up much space on your hard disk.
  • Click Start, then click Run.

    In the command box that opens, type or copy/paste combo-fix /u and then click OK.

  • Please double-click OTL.exe to run it.
  • Click on the CleanUp! button at upper Right corner. When you do this a text file named cleanup.txt will be downloaded from the internet. If you get a warning from your firewall or other security programs regarding OTL attempting to contact the internet you should allow it to do so. After the list has been download you'll be asked if you want to Begin cleanup process? Select Yes.
  • This step removes the files, folders, and shortcuts created by the tools I had you download and run.


We are finished here. Best regards.
sansari
Hi there,
I have a few questions.

1) Why do I need to uninstall mbam?
2) I couldn't uninstall Combo-Fix by typing Combo-Fix \u in the run command. Gives me an error saying file is not found. Any other way I can manually uninstall it?
3) What's OTL.exe? I don't believe you instructed me to download it before.
Maurice Naggar
Howdy Sania,

#1. If you have not purchased MBAM, I urge you to de-install it, so for sure the quarantine items are gone as well.
IF in future you need use of MBAM, you can do a new download.
The MBAM is continuously being updated. So a new download gets you a more current one.

On the other hand, the purchase of MBAM is only a one-time fee, good forever on a 1 license/1 pc use. And that would offer real-time Protection module.

#2. It is very, very important that Combofix is de-installed properly.
I believe you used the wrong kind of "slash" when you typed the command.

Try this, copy the following code box to your clipboard (highlight the line and COPY)
CODE
c:\documents and settings\Sania Ansari\Desktop\Combo-Fix.exe /u


Then, press Start button on taskbar, select RUN
In the text box of the Run dialog, place your cursor in the Run text box, and do a Paste (CTRL+V) into it of the codebox

and press OK or Enter to run it.


After Combofix is properly removed:

Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

and please do all the steps I outlined, including the Cleanup! in OTL
sansari
I copy and pasted and I still get the following

Windows cannot find 'C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
Maurice Naggar
Look on your Desktop. Do you see Combofix icon on there ? (red lion icon)
sansari
Yup it's there.
Maurice Naggar
Click Start, then click Run.

In the command box that opens, type or copy/paste
combo-fix /u

and then click OK.

There is one forward slash before the U
There is one space between x and the slash
sansari
Same message.
sansari
I tried ComboFix /u and that worked even though the file on my desktop is Combo-Fix.exe
Maurice Naggar
Download OTL by OldTimer to your desktop: http://oldtimer.geekstogo.com/OTL.exe

and please do all the steps I outlined, including the Cleanup! in OTL
and the other steps that followed

And after that, look at your desktop. IF Combo-fix is still there, delete it.
and
in any event, do this also
Run Disk Cleanup with the System Restore Cleanup as outlined here by Bert Kinney, MS MVP
http://bertk.mvps.org/html/diskclean.html
Maurice Naggar
QUOTE (sansari @ Aug 1 2009, 02:50 PM)
I tried ComboFix /u and that worked even though the file on my desktop is Combo-Fix.exe


Yours has a dash {hyphen} in between Combo ...... and ..... fix
combo-fix

a copy and paste of my directions would have worked
sansari
Thanks for the help!

Maurice Naggar
You are welcome. I take it that all has been completed and taken care of.
This will be marked for closure.
Stay safe.