TechSpot

Google results hijacked

By dsweston
May 5, 2010
  1. Recently whenever I do a Google search, the results I get back look legitimate, but as soon as I click on any of the results, it takes me to the wrong site, usually some type of marketing site. It's happening in both IE and Firefox.

    Please let me know what I can do to clear this up.

    Thanks
     
  2. Bobbye

    Please follow the steps HERE.

    When finished, leave the logs for review.
     
  3. dsweston

    Logs

    The MBAM and GMER Log results below.

    MBAM:

    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4067

    Windows 6.0.6002 Service Pack 2
    Internet Explorer 7.0.6002.18005

    5/5/2010 12:53:06 AM
    mbam-log-2010-05-05 (00-53-06).txt

    Scan type: Quick scan
    Objects scanned: 125872
    Time elapsed: 7 minute(s), 21 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 3
    Registry Values Infected: 1
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f77fed-7bcd-4c88-85d4-a9a3b9c087b5}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{764e0aad-9534-4ea9-a702-f9b6f77c6b1d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c8ca5605-47b7-462f-88ea-f929792fd21d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Windows\System32\spool\prtprocs\w32x86\00007ecf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

    GMER:

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-05-05 09:45:35
    Windows 6.0.6002 Service Pack 2
    Running: 5zhhofd2.exe; Driver: C:\Users\DANW~1.INF\AppData\Local\Temp\pwlyipob.sys


    ---- System - GMER 1.0.15 ----

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8DC214FE]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8DC21322]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8DC2145C]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

    ---- Kernel code sections - GMER 1.0.15 ----

    PAGE ntkrnlpa.exe!ZwLoadDriver 82189DF0 7 Bytes JMP 8DC21460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObMakeTemporaryObject 821F528F 5 Bytes JMP 8DC1D4BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ObInsertObject 8224DF78 5 Bytes JMP 8DC1E972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!NtCreateSection 8224F803 7 Bytes JMP 8DC21326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    PAGE ntkrnlpa.exe!ZwCreateProcessEx 822AF796 7 Bytes JMP 8DC21502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
    ? System32\drivers\uatpjoeh.sys The system cannot find the path specified. !
    .rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x82766000]

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\Windows\system32\services.exe[640] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00070002
    IAT C:\Windows\system32\services.exe[640] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00070000
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74AC7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74B1A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74ACBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74ABF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74AC75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74ABE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74AF8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74ACDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74ABFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74ABFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74AB71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B4CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AEC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74ABD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AB6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AB687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AC2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\iaStor \Device\Ide\iaStor0 [826E8D24] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [826E8D24] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37c4ec42
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37c4ec42@0023d4fc56cd 0x0E 0xA2 0x10 0x0F ...
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e37c4ec42 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e37c4ec42@0023d4fc56cd 0x0E 0xA2 0x10 0x0F ...

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\iastor.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
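The MBAM log above records Trojan.DNSChanger having rewritten the Tcpip\Parameters NameServer values to two external resolvers, which is why the redirect showed up in both IE and Firefox: name resolution happens below the browser. As an added example that is not code from this thread or from Malwarebytes, the following Python parses lines in that log format and flags any NameServer data that points anywhere other than a private address or an assumed allowlist (EXPECTED_RESOLVERS is a placeholder; the sample log lines are constructed to match the posted format).

```python
"""Flag rogue DNS resolvers in MBAM-format log lines (added example).

The "Registry Data Items Infected" section of a Malwarebytes 1.46 log records
the registry value that was changed and the data it held. For Trojan.DNSChanger
that data is the resolver list the malware pushed into Tcpip\\Parameters\\NameServer,
so every hostname lookup on the machine, from any browser, went to those servers.
"""
from __future__ import annotations

import ipaddress
import re

# Resolvers this site expects to see configured. Assumed placeholder: 192.0.2.53
# is a documentation address standing in for the real ISP/DHCP resolver.
EXPECTED_RESOLVERS = {"192.0.2.53"}

# One data-item line: <registry key> (<detection>) -> Data: <value> -> <action>
MBAM_DATA_LINE = re.compile(
    r"^(?P<key>HKEY_\S+) \((?P<detection>[^)]+)\)"
    r" -> Data: (?P<data>\S+) -> (?P<action>.+)$"
)

# Constructed sample in the format of the MBAM log posted in the thread.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f77fed-7bcd-4c88-85d4-a9a3b9c087b5}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""


def parse_nameserver_value(value: str) -> list:
    """Split a NameServer registry value into its entries.

    Windows accepts either commas or spaces between resolvers in this value.
    """
    return [part for part in re.split(r"[,\s]+", value.strip()) if part]


def rogue_resolvers(value: str, expected=EXPECTED_RESOLVERS) -> list:
    """Return the entries in a NameServer value that a defender should question.

    Private, loopback and link-local addresses (a home router, a corporate DNS
    server) and anything on the allowlist are accepted; everything else, and
    anything that is not an IP address at all, is reported.
    """
    rogue = []
    for entry in parse_nameserver_value(value):
        try:
            ip = ipaddress.ip_address(entry)
        except ValueError:
            rogue.append(entry)  # malformed entry: worth a look by itself
            continue
        if entry in expected or ip.is_private or ip.is_loopback or ip.is_link_local:
            continue
        rogue.append(entry)
    return rogue


def parse_mbam_data_items(text: str) -> list:
    """Extract every registry data-item line from an MBAM log as a dict."""
    items = []
    for line in text.splitlines():
        match = MBAM_DATA_LINE.match(line.strip())
        if match:
            items.append(match.groupdict())
    return items


def audit_mbam_log(text: str, expected=EXPECTED_RESOLVERS) -> list:
    """Pair each NameServer data item in the log with its rogue resolver list.

    Only keys ending in \\NameServer are examined; items with no rogue entries
    are omitted, so an empty result means nothing unexpected was recorded.
    """
    findings = []
    for item in parse_mbam_data_items(text):
        if not item["key"].lower().endswith("\\nameserver"):
            continue
        rogue = rogue_resolvers(item["data"], expected)
        if rogue:
            findings.append((item["key"], rogue))
    return findings


if __name__ == "__main__":
    for key, rogue in audit_mbam_log(SAMPLE_LOG):
        print(f"{key}\n    unexpected resolvers: {', '.join(rogue)}")
```

The same rogue_resolvers() check applies to a live NameServer value read from the registry, which is the post-cleanup verification a defender would run after MBAM reports the data items as deleted.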
     
  4. dsweston

    More logs

    DDS and Attach logs below.

    DDS:


    DDS (Ver_10-03-17.01) - NTFSx86
    Run by danw at 9:49:50.67 on Wed 05/05/2010
    Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_20
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.612 [GMT -6:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

    ============== Running Processes ===============

    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\WLTRYSVC.EXE
    C:\Windows\system32\WLANExt.exe
    C:\Windows\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
    C:\Windows\system32\svchost.exe -k bthsvcs
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\Program Files\AmeriVault Backup Solution\Agent\VVAgent.exe
    C:\Program Files\AmeriVault Backup Solution\Agent\buagent.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Windows\System32\svchost.exe -k HPZ12
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Windows\system32\STacSV.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Windows\system32\dllhost.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Windows\system32\DRIVERS\xaudio.exe
    C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\dllhost.exe
    C:\Windows\System32\msdtc.exe
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Alwil Software\Avast5\AvastUI.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Glance25\Glance.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Alwil Software\Avast5\setup\avast.setup
    C:\Windows\servicing\TrustedInstaller.exe
    C:\Users\danw.INFOTRAX\Downloads\dds.scr
    C:\Windows\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://espn.go.com/
    uWindow Title = Internet Explorer provided by Dell
    uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080818
    uInternet Settings,ProxyOverride = *.local
    uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
    mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
    BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
    uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
    uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
    uRun: [ZimbraNotifier] "c:\\ZimbraNotifier.exe"
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [Apoint] c:\program files\apoint\Apoint.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
    mRun: [<NO NAME>]
    mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
    mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
    mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
    mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\glance.lnk - c:\program files\glance25\Glance.exe
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
    mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
    mPolicies-system: EnableLUA = 0 (0x0)
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
    DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://maceys.lifepics.com/net/Uploader/LPUploader57.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: avgrsstx.dll
    LSA: Authentication Packages = msv1_0 wvauth

    ================= FIREFOX ===================

    FF - ProfilePath - c:\users\danw~1.inf\appdata\roaming\mozilla\firefox\profiles\1f7rpnzq.default\
    FF - component: c:\users\danw.infotrax\appdata\roaming\mozilla\firefox\profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\users\danw.infotrax\appdata\roaming\mozilla\firefox\profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\glance25\npglance.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\danw.infotrax\appdata\roaming\facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\users\danw.infotrax\appdata\roaming\facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\users\danw.infotrax\appdata\roaming\move networks\plugins\npqmp071705000014.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-13 162640]
    R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-19 335240]
    R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-19 27784]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-13 19024]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-4-13 51792]
    R3 glancedrv;glancedrv;c:\windows\system32\drivers\glancedrv.sys [2010-2-18 34080]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-8-18 179712]
    S3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\drivers\BthFilt.sys [2008-8-18 13824]

    =============== Created Last 30 ================

    2010-05-05 06:44:34 0 d-----w- c:\users\danw~1.inf\appdata\roaming\Malwarebytes
    2010-05-05 06:44:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-05 06:44:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-05 06:44:20 0 d-----w- c:\programdata\Malwarebytes
    2010-05-05 06:44:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-05 06:31:11 0 d-----w- c:\programdata\Sun
    2010-05-05 06:30:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-19 04:37:47 0 d-----w- c:\program files\TrendMicro
    2010-04-19 04:27:57 0 d-----w- C:\fixwareout
    2010-04-14 05:19:02 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-04-14 05:17:51 0 d-----w- c:\programdata\Alwil Software

    ==================== Find3M ====================

    2010-05-05 06:55:20 1779 ----a-w- c:\windows\bthservsdp.dat
    2010-05-04 02:33:16 302 ----a-w- c:\users\danw.infotrax\jobq.dat
    2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-02-25 21:31:47 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-02-25 21:31:47 51200 ----a-w- c:\windows\inf\infpub.dat
    2010-02-25 21:31:47 143360 ----a-w- c:\windows\inf\infstor.dat
    2010-02-25 21:31:46 143360 ----a-w- c:\windows\inf\infstrng.dat
    2010-02-25 07:44:34 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
    2010-02-24 16:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
    2008-09-23 23:40:32 174 --sha-w- c:\program files\desktop.ini
    2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
    2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
    2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
    2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
    2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
    2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
    2008-08-18 18:24:08 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

    ============= FINISH: 9:58:27.77 ===============

    Attach:

    DDS (Ver_10-03-17.01)

    Microsoft® Windows Vista™ Business
    Boot Device: \Device\HarddiskVolume3
    Install Date: 8/18/2008 4:36:45 AM
    System Uptime: 5/5/2010 12:55:55 AM (9 hours ago)

    Motherboard: Dell Inc. | | 0HN341
    Processor: Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz | Microprocessor | 2401/200mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 110 GiB total, 52.677 GiB free.
    D: is FIXED (NTFS) - 2 GiB total, 1.399 GiB free.
    E: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== Installed Programs ======================

    Acrobat.com
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3
    AmeriVault Backup Solution Agent
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AuthenTec Fingerprint Sensor Minimum Install
    AutoUpdate
    avast! Free Antivirus
    AVG 8.5
    biolsp patch
    BlackBerry Desktop Software 4.0
    Bonjour
    Broadcom ASF Management Applications
    Broadcom Management Programs
    Browser Address Error Redirector
    Cisco EAP-FAST Module
    Cisco LEAP Module
    Cisco PEAP Module
    Compatibility Pack for the 2007 Office system
    Conexant HDA D330 MDC V.92 Modem
    Dell Drivers MSI
    Dell Embassy Trust Suite by Wave Systems
    Dell Getting Started Guide
    Dell Touchpad
    Dell Wireless WLAN Card
    Digital Line Detect
    Digsby
    DivX Codec
    DivX Version Checker
    Document Manager Lite
    EDocs
    EMBASSY Security Center
    EMBASSY Security Setup
    EMBASSY Trust Suite by Wave Systems
    ESC Home Page Plugin
    Facebook Plug-In
    FamilySearch Indexing
    Gadwin PrintScreen
    Garmin Training Center 3.4.3
    Gemalto
    GemSafe Standard Edition 5.1
    Glance 2.5
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Intel(R) Matrix Storage Manager
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) SE Runtime Environment 6
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 3.5 SP1
    Microsoft Office Small Business Edition 2003
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Modem Diagnostic Tool
    Move Media Player
    Mozilla Firefox (3.5.9)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB941833)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    NetWaiting
    NTRU TCG Software Stack
    Octoshape add-in for Adobe Flash Player
    PowerDVD
    Preboot Manager
    PrimoPDF
    Private Information Manager
    QuickSet
    QuickTime
    Roxio Activation Module
    Roxio Creator Audio
    Roxio Creator BDAV Plugin
    Roxio Creator Copy
    Roxio Creator Data
    Roxio Creator DE
    Roxio Creator Tools
    Roxio Express Labeler 3
    Roxio Update Manager
    Secure Update
    Security Wizards
    Skype™ 4.0
    Sonic CinePlayer Decoder Pack
    Uninstall FamilySearch Indexing
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    upekmsi
    VC80CRTRedist - 8.0.50727.762
    Vista Profile Pack
    Wave Infrastructure Installer
    Wave Support Software
    Windows Live OneCare safety scanner
    Zynga Toolbar

    ==== End Of File ===========================
     
  5. dsweston

    MBAM and GMER logs

    Doesn't look like my GMER and MBAM logs reply made it in. See below.

    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74ACBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74ABF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74AC75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74ABE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74AF8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74ACDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74ABFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74ABFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74AB71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B4CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AEC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74ABD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AB6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AB687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
    IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AC2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

    AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

    Device \Driver\iaStor \Device\Ide\iaStor0 [826E8D24] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
    Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [826E8D24] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

    AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
    AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37c4ec42
    Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37c4ec42@0023d4fc56cd 0x0E 0xA2 0x10 0x0F ...
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e37c4ec42 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e37c4ec42@0023d4fc56cd 0x0E 0xA2 0x10 0x0F ...

    ---- Files - GMER 1.0.15 ----

    File C:\Windows\system32\drivers\iastor.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
     
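The MBAM log above shows the hijack mechanism: the Trojan.DNSChanger entries rewrote the global and per-interface NameServer values under Tcpip\Parameters to 93.188.165.130 and 93.188.161.147, so every lookup, in any browser, went to resolvers the attacker controlled. The script below is an added example, not part of the original thread, for auditing those same registry locations on a Windows host after a cleanup. It assumes an elevated PowerShell session, and the resolver allow-list in $Expected is a placeholder you replace with the addresses your network actually uses.

```powershell
# Added example (not from the original thread): audit every NameServer value
# under Tcpip\Parameters, the locations the Trojan.DNSChanger entries above
# rewrote, and flag resolvers outside an allow-list.
# Assumption: $Expected holds your legitimate resolver(s); the value here is a placeholder.
$Expected = @('192.168.1.1')

$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$keys = @($base) + (Get-ChildItem "$base\Interfaces" | ForEach-Object { $_.PSPath })

$findings = foreach ($k in $keys) {
    $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    $val = $p.NameServer          # static resolvers; DHCP-assigned ones live in DhcpNameServer
    if ([string]::IsNullOrWhiteSpace($val)) { continue }
    # the value is a comma- or space-separated list of addresses
    foreach ($ip in ($val -split '[ ,]+' | Where-Object { $_ })) {
        [pscustomobject]@{
            Key        = $k -replace '^.*\\Parameters', 'Tcpip\Parameters'
            Resolver   = $ip
            Unexpected = -not ($Expected -contains $ip)
        }
    }
}

$findings | Format-Table -AutoSize

$bad = $findings | Where-Object Unexpected
if ($bad) {
    Write-Warning ("Unexpected resolver(s) configured: " +
        (($bad.Resolver | Sort-Object -Unique) -join ', '))
    # After removing a hijacked value, return the adapter to DHCP-assigned DNS
    # and clear the resolver cache (the "DNS Flush" the helper mentions later):
    #   Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ResetServerAddresses
    #   Clear-DnsClientCache        # or: ipconfig /flushdns on older Windows
}
```

An empty NameServer value is the normal state for a DHCP-configured adapter, so the script only reports values that are actually set. Remember that a DNS changer can also point the router at rogue resolvers; the registry audit covers only the host.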
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good job! All the logs made it in just fine. There is a Dell driver that needs attention:

    Please download SystemLook from one of the links below and save it to your Desktop:
    • Double-click SystemLook.exe to run it.
    • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
    • Copy the content of the following codebox into the main textfield :
      Code:
      :filefind
      iastor.*
      
    • Please confirm everything is copied and pasted exactly as I have provided above.
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.

    Note: The log can also be found on your Desktop entitled SystemLook.txt
    ====================================
    Then download ComboFix from Here and save to your Desktop.

    • [1]. Do NOT rename Combofix unless instructed.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3].Close any open browsers.
      [4]. Double click combofix.exe & follow the prompts to run.
    • NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
      [5]. If Combofix asks you to install Recovery Console, please allow it.
      [6]. If Combofix asks you to update the program, always allow.
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    Note: Make sure you re-enable your security programs when you're done with Combofix.

    Give me the results of both when finished and I'll set up the next step.
    If you have a problem with connecting to the internet before we finish, please let me know and I'll have you do a DNS Flush.

    NOTE: You may get a reboot and/or notice when running Combofix that there is a Rootkit. Please let the program continue.
     
  7. dsweston

    dsweston TS Rookie Topic Starter

    Follow up

    I've done that. Here are the results of the logs.

    SystemLook:

    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 15:53 on 06/05/2010 by danw (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "iastor.*"
    C:\Drivers\storage\R154200\iastor.cat --a--- 11254 bytes [18:11 18/08/2008] [11:40 17/04/2007] 6F6F9F086E42A50A5EA9664AC11D9423
    C:\Drivers\storage\R154200\iastor.inf --a--- 6451 bytes [18:11 18/08/2008] [11:40 17/04/2007] 17CF149196D14322C3775BDAE5CEDE60
    C:\Drivers\storage\R154200\iastor.sys --a--- 277784 bytes [18:11 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\iastor.cat --a--- 11254 bytes [10:54 18/08/2008] [09:07 23/02/2007] 2D429546C0C0A29C97A5039D14FB2D42
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\iastor.inf --a--- 6451 bytes [10:54 18/08/2008] [17:36 12/02/2007] 17CF149196D14322C3775BDAE5CEDE60
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 537368 bytes [10:54 18/08/2008] [18:37 12/02/2007] 2EE127D5407DA3957EE54711C9AED6EC
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.cat --a--- 11254 bytes [10:54 18/08/2008] [09:07 23/02/2007] 6F6F9F086E42A50A5EA9664AC11D9423
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.inf --a--- 6451 bytes [10:54 18/08/2008] [17:36 12/02/2007] 17CF149196D14322C3775BDAE5CEDE60
    C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 277784 bytes [10:54 18/08/2008] [18:36 12/02/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
    C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys --a--- 277784 bytes [18:29 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
    C:\Windows\System32\DriverStore\FileRepository\iastor.inf_8f0cb06b\iaStor.cat --a--- 11254 bytes [18:29 18/08/2008] [11:40 17/04/2007] 6F6F9F086E42A50A5EA9664AC11D9423
    C:\Windows\System32\DriverStore\FileRepository\iastor.inf_8f0cb06b\iastor.inf --a--- 6451 bytes [18:29 18/08/2008] [11:40 17/04/2007] 17CF149196D14322C3775BDAE5CEDE60
    C:\Windows\System32\DriverStore\FileRepository\iastor.inf_8f0cb06b\iaStor.sys --a--- 277784 bytes [18:29 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
    C:\Windows\System32\drivers\iaStor.sys --a--- 277784 bytes [18:29 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8

    -=End Of File=-

    Combo Fix:

    ComboFix 10-05-05.0D - danw 05/06/2010 16:25:11.1.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.1236 [GMT -6:00]
    Running from: c:\users\danw.INFOTRAX\Downloads\ComboFix.exe
    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\$recycle.bin\S-1-5-21-1016304820-1602329189-69458350-500
    c:\$recycle.bin\S-1-5-21-2826133206-2312993737-4083541239-500
    c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
    .

    2010-05-06 22:35 . 2010-05-06 22:36 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Local\temp
    2010-05-06 22:35 . 2010-05-06 22:35 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-05-06 22:35 . 2010-05-06 22:35 -------- d-----w- c:\users\danw\AppData\Local\temp
    2010-05-06 13:52 . 2010-05-06 22:21 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-05-05 20:55 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-05-05 20:55 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-05-05 20:55 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-05-05 20:54 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-05-05 20:54 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-05-05 20:54 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-05-05 20:54 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-05-05 20:54 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
    2010-05-05 20:53 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
    2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Malwarebytes
    2010-05-05 06:44 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\programdata\Malwarebytes
    2010-05-05 06:44 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-05 06:36 . 2010-05-05 06:36 -------- d-----w- c:\program files\Common Files\Adobe
    2010-05-05 06:30 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-30 06:04 . 2010-03-29 15:59 52224 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-04-30 06:04 . 2010-03-29 15:59 101376 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-04-19 04:37 . 2010-04-19 04:37 388096 ----a-r- c:\users\danw.INFOTRAX\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
    2010-04-19 04:37 . 2010-04-19 04:37 -------- d-----w- c:\program files\TrendMicro
    2010-04-19 04:27 . 2010-04-19 04:27 -------- d-----w- C:\fixwareout
    2010-04-14 05:19 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2010-04-14 05:19 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2010-04-14 05:19 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2010-04-14 05:19 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2010-04-14 05:19 . 2010-03-09 10:08 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2010-04-14 05:18 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
    2010-04-14 05:18 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
    2010-04-14 05:17 . 2010-04-14 05:17 -------- d-----w- c:\programdata\Alwil Software
    2010-04-14 05:17 . 2010-04-14 05:17 -------- d-----w- c:\program files\Alwil Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-06 22:20 . 2008-08-18 10:58 1779 ----a-w- c:\windows\bthservsdp.dat
    2010-05-06 22:01 . 2009-06-02 16:22 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Skype
    2010-05-06 18:51 . 2008-09-25 21:39 0 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\WavXMapDrive.bat
    2010-05-06 13:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-05-06 03:35 . 2009-11-23 01:40 302 ----a-w- c:\users\danw.INFOTRAX\jobq.dat
    2010-05-05 06:31 . 2008-08-18 10:47 -------- d-----w- c:\program files\Common Files\Java
    2010-05-05 06:30 . 2008-08-18 10:47 -------- d-----w- c:\program files\Java
    2010-05-04 23:02 . 2008-10-18 14:43 5972 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\d3d9caps.dat
    2010-04-26 16:46 . 2008-09-30 15:50 -------- d-----w- c:\program files\Digsby
    2010-03-29 04:41 . 2010-02-24 04:43 50354 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\uninstall.exe
    2010-03-29 04:41 . 2010-02-24 04:43 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook
    2010-03-09 16:25 . 2010-03-30 20:41 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-09 15:42 . 2010-03-30 20:41 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    2010-02-25 21:31 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
    2010-02-24 16:16 . 2009-10-03 06:22 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-24 15:38 . 2008-09-25 21:39 100432 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-20 23:06 . 2010-03-15 09:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05 . 2010-03-15 09:00 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 20:53 . 2010-03-15 09:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2008-08-18 18:24 . 2008-08-18 18:12 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2009-12-31 2349080]

    [HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
    2009-12-31 18:53 2349080 ----a-w- c:\program files\Zynga\tbZyng.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2009-12-31 2349080]

    [HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2009-12-31 2349080]

    [HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 495616]
    "ZimbraNotifier"="c:\\ZimbraNotifier.exe" [2009-02-12 159744]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-31 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-31 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-31 133656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 85504]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-03 405504]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-18 50688]
    Glance.lnk - c:\program files\Glance25\Glance.exe [2010-2-18 1737504]
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
    2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):ab,3a,66,3a,f1,b5,ca,01

    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-03-19 179712]
    R3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\DRIVERS\BthFilt.sys [2007-05-05 13824]
    S1 aswSP;aswSP; [x]
    S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
    S2 BthFilterHelper;Bluetooth Feature Support;c:\program files\CSR\Vista Profile Pack\BthFilterHelper.exe [2006-11-07 127488]
    S2 EVault InfoStage Agent;AmeriVault Backup Solution Agent;c:\program files\AmeriVault Backup Solution\Agent\VVAgent.exe [2009-03-28 3432448]
    S2 EVault InfoStage BUAgent;AmeriVault Backup Solution BUAgent;c:\program files\AmeriVault Backup Solution\Agent\buagent.exe [2009-03-28 5492736]
    S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2006-11-02 7168]
    S3 glancedrv;glancedrv;c:\windows\system32\DRIVERS\glancedrv.sys [2009-05-13 34080]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-06 c:\windows\Tasks\User_Feed_Synchronization-{65A728E8-D674-4D7B-A17C-4848276ECB41}.job
    - c:\windows\system32\msfeedssync.exe [2008-09-23 07:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://espn.go.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
    DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://maceys.lifepics.com/net/Uploader/LPUploader57.cab
    FF - ProfilePath - c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\
    FF - component: c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\Glance25\npglance.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\danw.INFOTRAX\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-06 16:35
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys >>UNKNOWN [0x86BC68C8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0x883aad24
    \Driver\ACPI -> acpi.sys @ 0x80691d68
    \Driver\atapi -> ataport.SYS @ 0x82d6fa2c
    \Driver\iaStor -> iastor.sys @ 0x82ce2d24
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    @Denied: (A) (Users)
    @Denied: (A) (Everyone)
    @Allowed: (B 1 2 3 4 5) (S-1-5-20)
    "BlindDial"=dword:00000000
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(704)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\biolsp.dll
    c:\program files\Wave Systems Corp\Common\CryptoManager.dll
    c:\windows\system32\tcg15.dll
    c:\windows\system32\Tsp1.dll
    c:\windows\system32\wclient14.dll
    c:\program files\Bonjour\mdnsNSP.dll
    .
    Completion time: 2010-05-06 16:41:33
    ComboFix-quarantined-files.txt 2010-05-06 22:41

    Pre-Run: 56,894,017,536 bytes free
    Post-Run: 56,777,719,808 bytes free

    Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
    - - End Of File - - 733450698AA914877EC497DF508D0B59
     
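GMER reported C:\Windows\system32\drivers\iastor.sys as a "suspicious modification" with an entry point in its .rsrc section, yet SystemLook shows the installed copy carrying the same MD5 (FD7F9D74C2B35DBDA400804A3F5ED5D8) as the Dell and Intel reference copies, which is why the helper's next step is to overwrite it from C:\Drivers\storage\R154200. The script below is an added example, not part of the original thread, that performs the same comparison and adds an Authenticode check. It assumes the paths from the SystemLook log, and Get-FileHash and Get-AuthenticodeSignature, which need Windows PowerShell 4 or later (the 2010 Vista machine in the thread would not have them).

```powershell
# Added example (not from the original thread): compare the installed Intel
# storage driver with the vendor copies SystemLook listed, then check its
# Authenticode signature. Paths are the ones from the SystemLook log above.
$installed = 'C:\Windows\System32\drivers\iaStor.sys'
$reference = @(
    'C:\Drivers\storage\R154200\iastor.sys',
    'C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys',
    'C:\Windows\System32\DriverStore\FileRepository\iastor.inf_8f0cb06b\iaStor.sys'
)

# MD5 only so the output lines up with SystemLook's column; use SHA256 for anything else.
$live = Get-FileHash -Algorithm MD5 -Path $installed
"{0,-8} {1} {2}" -f 'LIVE', $live.Hash, $installed

foreach ($r in $reference) {
    if (-not (Test-Path $r)) { Write-Warning "missing reference copy: $r"; continue }
    $h = Get-FileHash -Algorithm MD5 -Path $r
    $state = if ($h.Hash -eq $live.Hash) { 'match' } else { 'DIFFERS' }
    "{0,-8} {1} {2}" -f $state, $h.Hash, $r
}

# A vendor driver carries a valid signature; a file patched on disk fails this
# even when its size is unchanged.
$sig = Get-AuthenticodeSignature -FilePath $installed
"Signature: {0}  Signer: {1}" -f $sig.Status, $sig.SignerCertificate.Subject
```

Two caveats apply. Every read above goes through the running kernel, including the storage driver being examined, so a rootkit that hooks that driver can return the clean bytes while the on-disk copy is patched; matching hashes on a live system are therefore not proof of a clean file, and a comparison from offline boot media is more reliable. Second, older drivers are often signed through a catalog (the iastor.cat next to each copy) rather than with an embedded signature, and older PowerShell releases report those as NotSigned, which on its own is not evidence of tampering.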
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You have processes loading for both Avast and AVG. Please remove one of them. Multiple antivirus programs can make a system more vulnerable and also slow it down. I may need to remove some drivers depending on which program you decide to keep. Here are tools to help with removal. Only download the one for the program you aren't keeping:
    Avast Removal
    AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
    =========================
    NOTE: Please disable all of your security programs before you run the following. You already have Combofix on the desktop- just go Offline to run:

    Custom CFScript


    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad and copy/paste the text in the code below into it:
    Code:
    File::
    
    Folder::
    C:\fixwareout
    
    Registry::
    RegLock::
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
    
    Driver::
    
    FCopy::
    C:\Drivers\storage\R154200\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
    
    DDS::
    uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
    mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
    BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
    TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
    mRun: [<NO NAME>] 
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
    ====================
    Please Run Eset NOD32 Online AntiVirus Scanner HERE
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    Include both Combofix script report and Eset online scan in next reply.
     
  9. dsweston

    dsweston TS Rookie Topic Starter

    Results

    I've removed Avast.

    Went offline, created the text file and dragged it onto the combofix icon. It processed for a while, then a notification came back that it needed to reboot because of rootkit activity. I allowed it to reboot, and when it came back up, it continued to process and got to step/phase 5, then it shut down the computer abruptly. When I booted up, combofix was no longer running and it didn't create the log file in the C directory. There's a ComboFix file there dated today, but it's not a text file and can't be opened.

    I've included the log from the ESET scan:

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    # version=7
    # iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
    # OnlineScanner.ocx=1.0.0.6211
    # api_version=3.0.2
    # EOSSerial=6012d412e6e08a4a898212954e4d5126
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=false
    # utc_time=2010-05-11 08:57:13
    # local_time=2010-05-11 02:57:13 (-0700, Mountain Daylight Time)
    # country="United States"
    # lang=9
    # osver=6.0.6002 NT Service Pack 2
    # compatibility_mode=512 16777215 100 0 0 0 0 0
    # compatibility_mode=768 16777215 100 0 0 0 0 0
    # compatibility_mode=5892 16776574 100 100 2199216 110213687 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=137213
    # found=2
    # cleaned=0
    # scan_time=5247
    C:\Users\danw.INFOTRAX\AppData\Local\temp\Av-test.txt Eicar test file 1195B64D237F57E6289D3CD105228D93 I
    C:\ZimbraNotifier.exe probably unknown NewHeur_PE virus 5EB58E7F121749A296371B292E8A3DD0 I
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Not a good sign. Before we go any further, I'd like you to do this scan:

    • Make sure to use Internet Explorer for this
    • Please go to VirSCAN.org FREE on-line scan service
    • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
      • c:\windows\system32\userinit.exe
    • Click on the Upload button
    • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
    • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
    • Paste the contents of the Clipboard in your next reply.
    Also scan these,

    C:\WINDOWS\explorer.exe
    C:\WINDOWS\System32\svchost.exe

    There is a chance you might have a Virut infection. IF that is the case, we recommend a reformat and reinstall. But check first and we'll go from the results.

    Virut is a Polymorphic File Infector that infects .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.
    It opens a Backdoor by connecting to a predefined IRC Server and waits for commands from the remote attacker.
     
  11. dsweston

    dsweston TS Rookie Topic Starter

    New scans

    I've run the virscan.org scanner. Here is the first log:

    VirSCAN.org Scanned Report :
    Scanned time : 2010/05/13 00:13:51 (CST)
    Scanner results: Scanners did not find malware!
    File Name : userinit.exe
    File Size : 25088 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 0e135526e9785d085bcd9aede6fbcbf9
    SHA1 : d15244d41efddbab08d53fe032aedff39091d3af
    Online report : http://virscan.org/report/a00a2f455a9299116dadd13c084b9fe4.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100508053127 2010-05-08 0.08 -
    AhnLab V3 2010.05.12.06 2010.05.12 2010-05-12 0.08 -
    AntiVir 8.2.1.236 7.10.7.95 2010-05-12 0.26 -
    Antiy 2.0.18 20100512.4357690 2010-05-12 0.12 -
    Arcavir 2009 201005120327 2010-05-12 0.03 -
    Authentium 5.1.1 201005121449 2010-05-12 1.34 -
    AVAST! 4.7.4 100512-1 2010-05-12 0.01 -
    AVG 8.5.793 271.1.1/2869 2010-05-12 0.23 -
    BitDefender 7.81008.5874445 7.31631 2010-05-12 3.75 -
    ClamAV 0.95.3 10989 2010-05-12 0.01 -
    Comodo 3.13.579 4828 2010-05-12 0.08 -
    CP Secure 1.3.0.5 2010.05.12 2010-05-12 0.04 -
    Dr.Web 5.0.2.3300 2010.05.12 2010-05-12 7.26 -
    F-Prot 4.4.4.56 20100512 2010-05-12 1.36 -
    F-Secure 7.02.73807 2010.05.12.05 2010-05-12 0.05 -
    Fortinet 4.0.14 11.926 2010-05-10 0.08 -
    GData 21.130/21.45 20100511 2010-05-11 0.08 -
    ViRobot 20100510 2010.05.10 2010-05-10 0.08 -
    Ikarus T3.1.01.84 2010.05.12.75844 2010-05-12 6.30 -
    JiangMin 13.0.900 2010.05.11 2010-05-11 0.08 -
    Kaspersky 5.5.10 2010.05.12 2010-05-12 0.09 -
    KingSoft 2009.2.5.15 2010.5.12.19 2010-05-12 0.08 -
    McAfee 5400.1158 5979 2010-05-11 0.02 -
    Microsoft 1.5703 2010.05.11 2010-05-11 0.08 -
    Norman 6.04.12 6.04.00 2010-05-12 6.01 -
    Panda 9.05.01 2010.05.10 2010-05-10 0.08 -
    Trend Micro 9.120-1004 7.162.11 2010-05-12 0.03 -
    Quick Heal 10.00 2010.05.12 2010-05-12 0.08 -
    Rising 20.0 22.47.02.04 2010-05-12 0.08 -
    Sophos 3.07.1 4.53 2010-05-12 3.31 -
    Sunbelt 3.9.2421.2 6288 2010-05-10 0.08 -
    Symantec 1.3.0.24 20100511.003 2010-05-11 0.05 -
    nProtect 20100512.01 8245011 2010-05-12 0.08 -
    The Hacker 6.5.2.0 v00278 2010-05-09 0.08 -
    VBA32 3.12.12.4 20100511.2022 2010-05-11 2.46 -
    VirusBuster 4.5.11.10 10.126.27/1999201 2010-05-12 2.32 -

    Second log:

    VirSCAN.org Scanned Report :
    Scanned time : 2010/05/13 00:17:52 (CST)
    Scanner results: Scanners did not find malware!
    File Name : explorer.exe
    File Size : 2926592 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : d07d4c3038f3578ffce1c0237f2a1253
    SHA1 : 4b3bd605b63749ff255e048ca6f27aff95aec24a
    Online report : http://virscan.org/report/7b3da17525723765d91c877b396a8b45.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100508053127 2010-05-08 0.08 -
    AhnLab V3 2010.05.12.06 2010.05.12 2010-05-12 0.08 -
    AntiVir 8.2.1.236 7.10.7.95 2010-05-12 0.26 -
    Antiy 2.0.18 20100512.4357690 2010-05-12 0.12 -
    Arcavir 2009 201005120327 2010-05-12 0.09 -
    Authentium 5.1.1 201005121449 2010-05-12 1.28 -
    AVAST! 4.7.4 100512-1 2010-05-12 0.11 -
    AVG 8.5.793 271.1.1/2869 2010-05-12 0.25 -
    BitDefender 7.81008.5874445 7.31631 2010-05-12 3.74 -
    ClamAV 0.95.3 10989 2010-05-12 0.35 -
    Comodo 3.13.579 4828 2010-05-12 0.08 -
    CP Secure 1.3.0.5 2010.05.12 2010-05-12 0.47 -
    Dr.Web 5.0.2.3300 2010.05.12 2010-05-12 7.29 -
    F-Prot 4.4.4.56 20100512 2010-05-12 1.30 -
    F-Secure 7.02.73807 2010.05.12.05 2010-05-12 11.05 -
    Fortinet 4.0.14 11.926 2010-05-10 0.08 -
    GData 21.130/21.45 20100511 2010-05-11 0.08 -
    ViRobot 20100510 2010.05.10 2010-05-10 0.08 -
    Ikarus T3.1.01.84 2010.05.12.75844 2010-05-12 6.34 -
    JiangMin 13.0.900 2010.05.11 2010-05-11 0.08 -
    Kaspersky 5.5.10 2010.05.12 2010-05-12 0.08 -
    KingSoft 2009.2.5.15 2010.5.12.19 2010-05-12 0.08 -
    McAfee 5400.1158 5979 2010-05-11 0.02 -
    Microsoft 1.5703 2010.05.11 2010-05-11 0.08 -
    Norman 6.04.12 6.04.00 2010-05-12 6.01 -
    Panda 9.05.01 2010.05.10 2010-05-10 0.08 -
    Trend Micro 9.120-1004 7.162.11 2010-05-12 0.04 -
    Quick Heal 10.00 2010.05.12 2010-05-12 0.08 -
    Rising 20.0 22.47.02.04 2010-05-12 0.08 -
    Sophos 3.07.1 4.53 2010-05-12 3.35 -
    Sunbelt 3.9.2421.2 6288 2010-05-10 0.08 -
    Symantec 1.3.0.24 20100511.003 2010-05-11 0.10 -
    nProtect 20100512.01 8245011 2010-05-12 0.09 -
    The Hacker 6.5.2.0 v00278 2010-05-09 0.09 -
    VBA32 3.12.12.4 20100511.2022 2010-05-11 2.73 -
    VirusBuster 4.5.11.10 10.126.27/1999201 2010-05-12 3.24 -

    Third log:

    VirSCAN.org Scanned Report :
    Scanned time : 2010/05/13 00:20:25 (CST)
    Scanner results: Scanners did not find malware!
    File Name : svchost.exe
    File Size : 21504 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 3794b461c45882e06856f282eef025af
    SHA1 : bf15549a7ec01ac505ccac036aba5b9bae688135
    Online report : http://virscan.org/report/20a95f3ab941f7055166b9d3f1832d23.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20100508053127 2010-05-08 0.08 -
    AhnLab V3 2010.05.12.06 2010.05.12 2010-05-12 0.09 -
    AntiVir 8.2.1.236 7.10.7.95 2010-05-12 0.27 -
    Antiy 2.0.18 20100512.4357690 2010-05-12 0.12 -
    Arcavir 2009 201005120327 2010-05-12 0.03 -
    Authentium 5.1.1 201005121449 2010-05-12 1.42 -
    AVAST! 4.7.4 100512-1 2010-05-12 0.01 -
    AVG 8.5.793 271.1.1/2869 2010-05-12 0.23 -
    BitDefender 7.81008.5874445 7.31631 2010-05-12 3.89 -
    ClamAV 0.95.3 10989 2010-05-12 0.01 -
    Comodo 3.13.579 4828 2010-05-12 0.10 -
    CP Secure 1.3.0.5 2010.05.12 2010-05-12 0.04 -
    Dr.Web 5.0.2.3300 2010.05.12 2010-05-12 7.22 -
    F-Prot 4.4.4.56 20100512 2010-05-12 1.43 -
    F-Secure 7.02.73807 2010.05.12.05 2010-05-12 0.05 -
    Fortinet 4.0.14 11.926 2010-05-10 0.08 -
    GData 21.130/21.45 20100511 2010-05-11 0.08 -
    ViRobot 20100510 2010.05.10 2010-05-10 0.09 -
    Ikarus T3.1.01.84 2010.05.12.75844 2010-05-12 6.35 -
    JiangMin 13.0.900 2010.05.11 2010-05-11 0.08 -
    Kaspersky 5.5.10 2010.05.12 2010-05-12 0.08 -
    KingSoft 2009.2.5.15 2010.5.12.19 2010-05-12 0.08 -
    McAfee 5400.1158 5979 2010-05-11 0.02 -
    Microsoft 1.5703 2010.05.11 2010-05-11 0.08 -
    Norman 6.04.12 6.04.00 2010-05-12 6.01 -
    Panda 9.05.01 2010.05.10 2010-05-10 0.08 -
    Trend Micro 9.120-1004 7.162.11 2010-05-12 0.03 -
    Quick Heal 10.00 2010.05.12 2010-05-12 0.08 -
    Rising 20.0 22.47.02.04 2010-05-12 0.10 -
    Sophos 3.07.1 4.53 2010-05-12 3.39 -
    Sunbelt 3.9.2421.2 6288 2010-05-10 0.08 -
    Symantec 1.3.0.24 20100511.003 2010-05-11 0.05 -
    nProtect 20100512.01 8245011 2010-05-12 0.08 -
    The Hacker 6.5.2.0 v00278 2010-05-09 0.08 -
    VBA32 3.12.12.4 20100511.2022 2010-05-11 2.50 -
    VirusBuster 4.5.11.10 10.126.27/1999201 2010-05-12 2.31 -
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, that's good. Doesn't look like Virut. I'm going to move the Eset finds and then I need for you to rerun Combofix and give me the log- I need to make sure the script did what it was supposed to:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Services
      :Reg
      :Files  
      C:\Users\danw.INFOTRAX\AppData\Local\temp\Av-test.txt Eicar test file 1195B64D237F57E6289D3CD105228D93 I
      C:\ZimbraNotifier.exe 
      
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ==============================
    Download the HijackThis Installer HERE and save to the desktop:
    1. Double-click on HJTInstall.exe to run the program.
    2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
    3. Accept the license agreement by clicking the "I Accept" button.
    4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
    5. Click "Save log" to save the log file and then the log will open in notepad.
    6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
    ============================
    Please include OTMoveIt log, Combofix report and HijackThis log in next reply.
     
  13. dsweston

    dsweston TS Rookie Topic Starter

    More logs

    OTMoveIt Log:

    All processes killed
    ========== PROCESSES ==========
    ========== SERVICES/DRIVERS ==========
    ========== REGISTRY ==========
    ========== FILES ==========
    File/Folder C:\Users\danw.INFOTRAX\AppData\Local\temp\Av-test.txt Eicar test file 1195B64D237F57E6289D3CD105228D93 I not found.
    C:\ZimbraNotifier.exe moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: danw
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: danw.INFOTRAX
    ->Temp folder emptied: 1309721 bytes
    ->Temporary Internet Files folder emptied: 56078919 bytes
    ->Java cache emptied: 281909 bytes
    ->FireFox cache emptied: 93611998 bytes
    ->Flash cache emptied: 31684 bytes

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 2676 bytes
    %systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 144.00 mb


    OTM by OldTimer - Version 3.1.12.0 log created on 05122010_202216

    Files moved on Reboot...
    File C:\Users\danw.INFOTRAX\AppData\Local\Temp\4C71.tmp not found!
    File C:\Users\danw.INFOTRAX\AppData\Local\Temp\~DF7433.tmp not found!
    File C:\Users\danw.INFOTRAX\AppData\Local\Temp\~DF77A1.tmp not found!

    Registry entries deleted on Reboot...


    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 8:35:23 PM, on 5/12/2010
    Platform: Windows Vista SP2 (WinNT 6.00.1906)
    MSIE: Internet Explorer v7.00 (7.00.6002.18005)
    Boot mode: Normal

    Running processes:
    C:\Windows\system32\taskeng.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\Explorer.EXE
    C:\Windows\notepad.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Windows\System32\hkcmd.exe
    C:\Windows\System32\igfxpers.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
    C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    C:\Windows\System32\WLTRAY.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
    C:\Program Files\Windows Sidebar\sidebar.exe
    C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Glance25\Glance.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Windows\system32\igfxsrvc.exe
    C:\Program Files\Apoint\ApMsgFwd.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Windows\system32\wuauclt.exe
    C:\Windows\system32\SearchFilterHost.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
    O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
    O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
    O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
    O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
    O4 - HKCU\..\Run: [ZimbraNotifier] "C:\\ZimbraNotifier.exe"
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O4 - Global Startup: Glance.lnk = C:\Program Files\Glance25\Glance.exe
    O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} (Image Uploader Control) - http://maceys.lifepics.com/net/Uploader/LPUploader57.cab
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = infotraxsys.com
    O17 - HKLM\Software\..\Telephony: DomainName = infotraxsys.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = infotraxsys.com
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
    O23 - Service: AmeriVault Backup Solution Agent (EVault InfoStage Agent) - Unknown owner - C:\Program Files\AmeriVault Backup Solution\Agent\VVAgent.exe
    O23 - Service: AmeriVault Backup Solution BUAgent (EVault InfoStage BUAgent) - Unknown owner - C:\Program Files\AmeriVault Backup Solution\Agent\buagent.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
    O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
    O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

    --
    End of file - 7814 bytes
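As an added example (my own code, not part of this thread and not HijackThis/Trend Micro code), here is a small Python triage script that applies the checks a helper does by eye on the O1/O2/O4 lines of a log like the one above: a Run entry whose executable sits in the drive root (the ZimbraNotifier line that ESET also flagged), an O2 BHO whose module is gone, anything launched from a temp folder, and hosts-file redirects. The sample lines are copied from the HijackThis log above; the "out of place location" rules and their wording are my own assumptions, not anything HijackThis itself reports.

```python
"""Triage of HijackThis-style log lines (added example, not HijackThis code).

Flags what a helper looks for first in the O1/O2/O4 sections:
  - O1 hosts entries that are not the plain localhost mapping
  - O2 BHOs whose module is gone ("(no file)")
  - O4 Run entries whose executable lives in the drive root or a temp folder
"""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis log in this thread
# (the orphaned BHO, the ZimbraNotifier Run entry) next to normal ones.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKCU\..\Run: [ZimbraNotifier] "C:\\ZimbraNotifier.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
"""

LINE_RE = re.compile(r"^([A-Z]\d+)\s+-\s+(.*)$")          # "O4 - <rest>"
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")  # "[name] command line"
# First token of a command line that ends in an executable-ish extension,
# with or without surrounding quotes (unquoted paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|scr|bat|cmd|vbs|pif))"?',
                    re.IGNORECASE)
TEMP_DIRS = {"temp", "tmp"}   # assumption: folder names treated as "temp"


@dataclass
class Finding:
    section: str
    name: str
    target: str
    reason: str


def normalize(path: str) -> str:
    # Drop surrounding quotes and collapse doubled backslashes, which is how
    # the log shows the ZimbraNotifier path.
    return re.sub(r"\\{2,}", r"\\", path.strip().strip('"'))


def check_path(path: str) -> Optional[str]:
    """Return why a registered module/executable path looks out of place, or None."""
    if path.lower() == "(no file)":
        return "orphaned entry: registered module is no longer on disk"
    p = PureWindowsPath(path)
    if p.drive and len(p.parts) == 2:          # e.g. C:\something.exe
        return "executable launched from the drive root"
    if any(part.lower() in TEMP_DIRS for part in p.parts):
        return "executable launched from a temp folder"
    return None


def triage_line(line: str) -> Optional[Finding]:
    """Parse one log line and return a Finding if it deserves a second look."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    body = rest.split(":", 1)[1].strip() if ":" in rest else rest
    if section == "O1":                        # Hosts: <address> <hostname>
        fields = body.split()
        if len(fields) >= 2 and fields[1].lower() != "localhost":
            return Finding(section, fields[1], fields[0], "hosts file redirect")
        return None
    if section == "O2":                        # BHO: <name> - {CLSID} - <path>
        pieces = [s.strip() for s in body.split(" - ")]
        name, target = pieces[0], pieces[-1]
    elif section == "O4":                      # ...\Run: [<name>] <command line>
        m4 = RUN_RE.search(rest)
        if not m4:
            return None
        name = m4.group("name")
        m5 = EXE_RE.match(m4.group("cmd").strip())
        target = m5.group("path") if m5 else m4.group("cmd")
    else:
        return None
    reason = check_path(normalize(target))
    return Finding(section, name, target, reason) if reason else None


def triage_log(text: str) -> List[Finding]:
    """Run every line through triage_line and keep only the hits."""
    return [f for f in map(triage_line, text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.target} -> {f.reason}")
```

On the sample it reports exactly two lines, the orphaned BHO and the ZimbraNotifier entry, and stays quiet on the Program Files entries.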
     
  14. dsweston

    dsweston TS Rookie Topic Starter

    combofix log

    The combofix log didn't fit in the last comment, so here it is:

    ComboFix 10-05-07.07 - danw 05/12/2010 20:53:29.5.2 - x86
    Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.1295 [GMT -6:00]
    Running from: c:\users\danw.INFOTRAX\Desktop\ComboFix.exe
    Command switches used :: c:\users\danw.INFOTRAX\Desktop\CFScript.txt
    SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\fixwareout
    c:\fixwareout\FindT\dumphive.exe
    c:\fixwareout\FindT\FixWareOut.reg
    c:\fixwareout\FindT\nircmd.exe
    c:\fixwareout\FindT\patterns.txt
    c:\fixwareout\FindT\rbot.bat
    c:\fixwareout\FindT\RestartIt.exe
    c:\fixwareout\FindT\runs.vbs
    c:\fixwareout\FindT\swreg.exe
    c:\fixwareout\FindT\vfind.exe
    c:\fixwareout\FindT\XP-2K2.cmd
    c:\fixwareout\FixIt.BAT

    .
    --------------- FCopy ---------------

    .
    ((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
    .

    2010-05-13 03:01 . 2010-05-13 03:04 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Local\temp
    2010-05-13 03:01 . 2010-05-13 03:01 -------- d-----w- c:\users\Public\AppData\Local\temp
    2010-05-13 03:01 . 2010-05-13 03:01 -------- d-----w- c:\users\Default\AppData\Local\temp
    2010-05-13 03:01 . 2010-05-13 03:01 -------- d-----w- c:\users\danw\AppData\Local\temp
    2010-05-13 02:34 . 2010-05-13 02:34 -------- d-----w- c:\program files\Trend Micro
    2010-05-13 02:22 . 2010-05-13 02:22 -------- d-----w- C:\_OTM
    2010-05-08 08:39 . 2010-05-08 08:39 -------- d-----w- c:\program files\ESET
    2010-05-06 13:52 . 2010-05-06 22:21 -------- d-----w- c:\windows\system32\MpEngineStore
    2010-05-05 20:55 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
    2010-05-05 20:55 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
    2010-05-05 20:55 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2010-05-05 20:54 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
    2010-05-05 20:54 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
    2010-05-05 20:54 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
    2010-05-05 20:54 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
    2010-05-05 20:54 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
    2010-05-05 20:53 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
    2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Malwarebytes
    2010-05-05 06:44 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\programdata\Malwarebytes
    2010-05-05 06:44 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-05-05 06:36 . 2010-05-05 06:36 -------- d-----w- c:\program files\Common Files\Adobe
    2010-05-05 06:30 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
    2010-04-19 04:37 . 2010-04-19 04:37 -------- d-----w- c:\program files\TrendMicro
    2010-04-14 05:17 . 2010-04-14 05:17 -------- d-----w- c:\programdata\Alwil Software
    2010-04-14 05:17 . 2010-05-08 07:30 -------- d-----w- c:\program files\Alwil Software

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-05-13 03:07 . 2009-06-02 16:22 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Skype
    2010-05-13 03:03 . 2008-09-25 21:39 0 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\WavXMapDrive.bat
    2010-05-13 03:01 . 2008-08-18 10:58 1779 ----a-w- c:\windows\bthservsdp.dat
    2010-05-13 02:34 . 2010-05-13 02:34 388096 ----a-r- c:\users\danw.INFOTRAX\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2010-05-11 15:57 . 2008-10-18 14:43 5972 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\d3d9caps.dat
    2010-05-11 04:17 . 2009-11-23 01:40 302 ----a-w- c:\users\danw.INFOTRAX\jobq.dat
    2010-05-06 13:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
    2010-05-05 06:31 . 2008-08-18 10:47 -------- d-----w- c:\program files\Common Files\Java
    2010-05-05 06:30 . 2008-08-18 10:47 -------- d-----w- c:\program files\Java
    2010-04-26 16:46 . 2008-09-30 15:50 -------- d-----w- c:\program files\Digsby
    2010-03-29 15:59 . 2010-05-10 16:46 52224 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    2010-03-29 15:59 . 2010-05-10 16:46 101376 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    2010-03-29 04:41 . 2010-02-24 04:43 50354 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\uninstall.exe
    2010-03-29 04:41 . 2010-02-24 04:43 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook
    2010-03-09 16:25 . 2010-03-30 20:41 78336 ----a-w- c:\windows\system32\ieencode.dll
    2010-03-09 15:42 . 2010-03-30 20:41 834048 ----a-w- c:\windows\system32\wininet.dll
    2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    2010-02-24 16:16 . 2009-10-03 06:22 181632 ------w- c:\windows\system32\MpSigStub.exe
    2010-02-24 15:38 . 2008-09-25 21:39 100432 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\GDIPFONTCACHEV1.DAT
    2010-02-20 23:06 . 2010-03-15 09:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
    2010-02-20 23:05 . 2010-03-15 09:00 30720 ----a-w- c:\windows\system32\httpapi.dll
    2010-02-20 20:53 . 2010-03-15 09:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
    2008-08-18 18:24 . 2008-08-18 18:12 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
    "Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 495616]
    "Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-31 141848]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-31 166424]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-31 133656]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
    "WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 85504]
    "SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
    "Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
    "SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-03 405504]

    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-18 50688]
    Glance.lnk - c:\program files\Glance25\Glance.exe [2010-2-18 1737504]
    QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableLUA"= 0 (0x0)
    "EnableUIADesktopToggle"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
    2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 wvauth

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
    @="Service"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
    2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
    2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
    "VistaSp2"=hex(b):ab,3a,66,3a,f1,b5,ca,01

    R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-03-19 179712]
    R3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\DRIVERS\BthFilt.sys [2007-05-05 13824]
    S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
    S2 BthFilterHelper;Bluetooth Feature Support;c:\program files\CSR\Vista Profile Pack\BthFilterHelper.exe [2006-11-07 127488]
    S2 EVault InfoStage Agent;AmeriVault Backup Solution Agent;c:\program files\AmeriVault Backup Solution\Agent\VVAgent.exe [2009-03-28 3432448]
    S2 EVault InfoStage BUAgent;AmeriVault Backup Solution BUAgent;c:\program files\AmeriVault Backup Solution\Agent\buagent.exe [2009-03-28 5492736]
    S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2006-11-02 7168]
    S3 glancedrv;glancedrv;c:\windows\system32\DRIVERS\glancedrv.sys [2009-05-13 34080]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
    bthsvcs REG_MULTI_SZ BthServ
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
    .
    Contents of the 'Scheduled Tasks' folder

    2010-05-13 c:\windows\Tasks\User_Feed_Synchronization-{65A728E8-D674-4D7B-A17C-4848276ECB41}.job
    - c:\windows\system32\msfeedssync.exe [2008-09-23 07:33]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://espn.go.com/
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
    DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://maceys.lifepics.com/net/Uploader/LPUploader57.cab
    FF - ProfilePath - c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\
    FF - component: c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
    FF - component: c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
    FF - plugin: c:\program files\Glance25\npglance.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
    FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
    FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-ZimbraNotifier - c:\\ZimbraNotifier.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-05-12 21:03
    Windows 6.0.6002 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

    device: opened successfully
    user: MBR read successfully
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys >>UNKNOWN [0x869D68C8]<<
    kernel: MBR read successfully
    detected MBR rootkit hooks:
    \Driver\Disk -> CLASSPNP.SYS @ 0x883acd24
    \Driver\ACPI -> acpi.sys @ 0x80692d68
    \Driver\atapi -> ataport.SYS @ 0x82d6da2c
    \Driver\iaStor -> iastor.sys @ 0x82ce0d24
    IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'lsass.exe'(660)
    c:\windows\system32\wvauth.dll
    c:\windows\system32\biolsp.dll
    c:\program files\Wave Systems Corp\Common\CryptoManager.dll
    c:\windows\system32\tcg15.dll
    c:\windows\system32\Tsp1.dll
    c:\windows\system32\wclient14.dll
    c:\program files\Bonjour\mdnsNSP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\system32\WLANExt.exe
    c:\windows\System32\bcmwltry.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\STacSV.exe
    c:\windows\system32\DRIVERS\xaudio.exe
    c:\program files\Dell\QuickSet\NicConfigSvc.exe
    c:\windows\System32\msdtc.exe
    c:\windows\system32\igfxsrvc.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\servicing\TrustedInstaller.exe
    .
    **************************************************************************
    .
    Completion time: 2010-05-12 21:16:42 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-05-13 03:16
    ComboFix2.txt 2010-05-06 22:41

    Pre-Run: 58,337,968,128 bytes free
    Post-Run: 58,245,971,968 bytes free

    - - End Of File - - EDA719CE6E2A9F8EBA2DEDFDC06E296D
     
  15. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    dsweston, who is your ISP? And is this system a work computer?
     
  16. dsweston

    dsweston TS Rookie Topic Starter

    ISP

    My ISP is the local cable company. It is a computer I use at work as well as at home.
     
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I am reluctant to continue support. This appears to be a system more adapted to the work environment as follows:

    Microsoft® Windows Vista™ Business

    Processes running:
    EMBASSY Security Center
    EMBASSY Security Setup
    EMBASSY Trust Suite by Wave Systems
    Wave Infrastructure Installer
    Wave Support Software
    Many of the entries are for authentication and encryption. > http://www.wave.com/
    mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe

    Use of INFOTRAX for: DataTrax and/or Virtual Office and/or Commission Consulting.
    http://infotraxsys.com/products/datatrax.cfm
    http://infotraxsys.com/products/virtualoffice.cfm
    http://infotraxsys.com/products/commission_consulting.cfm

    And the presence of the following, some of which are restrictions. I have no way of knowing which are work-related restrictions, which you may have put in place, or which might be from malware:
    ALL of the following are running at the same time:
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\system32\svchost.exe -k GPSvcGroup
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

    I know that working with enterprise IT techs can sometimes be a hassle, but I am not going to take the responsibility of making any other changes, additions or deletions to this system.
     
Topic Status:
Not open for further replies.