Google results hijacked

dsweston

Recently whenever I do a google search, the results I get back look legitimate, but as soon as I click on any of the results, it takes me to the wrong site, usually some type of marketing site. It's happening in both IE and Firefox.

Please let me know what I can do to clear this up.

Thanks
 
Logs

The MBAM and GMER log results are below.

MBAM:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4067

Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

5/5/2010 12:53:06 AM
mbam-log-2010-05-05 (00-53-06).txt

Scan type: Quick scan
Objects scanned: 125872
Time elapsed: 7 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f77fed-7bcd-4c88-85d4-a9a3b9c087b5}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{764e0aad-9534-4ea9-a702-f9b6f77c6b1d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c8ca5605-47b7-462f-88ea-f929792fd21d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\spool\prtprocs\w32x86\00007ecf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

GMER:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-05 09:45:35
Windows 6.0.6002 Service Pack 2
Running: 5zhhofd2.exe; Driver: C:\Users\DANW~1.INF\AppData\Local\Temp\pwlyipob.sys


---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8DC214FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8DC21322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8DC2145C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 82189DF0 7 Bytes JMP 8DC21460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 821F528F 5 Bytes JMP 8DC1D4BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 8224DF78 5 Bytes JMP 8DC1E972 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 8224F803 7 Bytes JMP 8DC21326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 822AF796 7 Bytes JMP 8DC21502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? System32\drivers\uatpjoeh.sys The system cannot find the path specified. !
.rsrc C:\Windows\system32\drivers\iastor.sys entry point in ".rsrc" section [0x82766000]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[640] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00070002
IAT C:\Windows\system32\services.exe[640] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00070000
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74AC7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74B1A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74ACBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74ABF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74AC75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74ABE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74AF8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74ACDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74ABFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74ABFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74AB71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B4CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AEC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74ABD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AB6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AB687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AC2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\iaStor \Device\Ide\iaStor0 [826E8D24] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [826E8D24] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37c4ec42
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37c4ec42@0023d4fc56cd 0x0E 0xA2 0x10 0x0F ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e37c4ec42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e37c4ec42@0023d4fc56cd 0x0E 0xA2 0x10 0x0F ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
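The MBAM log above is the part that accounts for the symptom in the first post: the four Trojan.DNSChanger items show the global NameServer value and three per-interface copies pointed at 93.188.165.130 and 93.188.161.147, so every lookup on every adapter was going to a resolver MBAM classifies as malicious. As an added example (not from the post and not Malwarebytes' code), the script below parses an MBAM 1.x log into findings and pulls out the rogue resolvers, the adapters they were written into, and the autostart items worth re-checking after a reboot. Its sample input is an excerpt of the log above; the line-format regexes are an assumption taken from that log.

```python
"""Pull the DNS-hijack and persistence indicators out of an MBAM 1.x log.

Added example: not part of the forum post and not Malwarebytes' own code.
SAMPLE_LOG is an excerpt of the MBAM log posted above, embedded so the script
runs offline. The regexes assume the MBAM 1.x layout seen there: a section
header ending in "Infected:" followed by lines of the form
"<item> (<classification>) [-> Data: <x>] -> <action>".
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46

Registry Keys Infected:
HKEY_CURRENT_USER\Software\YVIBBBHA8C (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{33f77fed-7bcd-4c88-85d4-a9a3b9c087b5}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{764e0aad-9534-4ea9-a702-f9b6f77c6b1d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{c8ca5605-47b7-462f-88ea-f929792fd21d}\NameServer (Trojan.DNSChanger) -> Data: 93.188.165.130,93.188.161.147 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\spool\prtprocs\w32x86\00007ecf.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<classification>[^()]+)\)"
                     r"(?: -> Data: (?P<data>.+?))? -> (?P<action>.+)$")
NAMESERVER_RE = re.compile(r"\\Tcpip\\Parameters(?:\\Interfaces\\(?P<guid>\{[0-9a-f-]+\}))?"
                           r"\\NameServer$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    path: str
    classification: str
    action: str
    data: Optional[str] = None


def parse_mbam_log(text: str) -> List[Finding]:
    """Walk the log once, remembering which "... Infected:" section we are in."""
    findings: List[Finding] = []
    section = None
    for line in (ln.strip() for ln in text.splitlines()):
        header = SECTION_RE.match(line)
        if header:
            section = header.group(1)
        elif section and line and not line.startswith("(No malicious"):
            item = ITEM_RE.match(line)
            if item:
                findings.append(Finding(section, item["path"], item["classification"],
                                        item["action"], item["data"]))
    return findings


def rogue_dns_servers(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each resolver IP MBAM removed to the NameServer values it was written into.
    The global value and every per-interface copy were overwritten, so lookups on
    every adapter went to a resolver that can answer with any address it likes."""
    servers: Dict[str, List[str]] = {}
    for f in findings:
        if f.data and NAMESERVER_RE.search(f.path):
            for ip in f.data.split(","):
                servers.setdefault(ip.strip(), []).append(f.path)
    return servers


def hijacked_interfaces(findings: List[Finding]) -> List[str]:
    """GUIDs of the adapters whose per-interface NameServer was overwritten."""
    hits = (NAMESERVER_RE.search(f.path) for f in findings)
    return sorted({m["guid"].lower() for m in hits if m and m["guid"]})


def is_public_resolver(ip: str) -> bool:
    """Globally routable? A public resolver is not malicious by itself; compare it
    with what DHCP or the ISP should have handed out."""
    return ipaddress.ip_address(ip).is_global


def persistence_points(findings: List[Finding]) -> List[str]:
    """Autostart items MBAM removed (Run values, scheduled-task .job files).
    If any come back after a reboot, something still resident is recreating them."""
    return [f.path for f in findings
            if "\\CurrentVersion\\Run\\" in f.path or f.path.lower().endswith(".job")]


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    for ip, paths in rogue_dns_servers(found).items():
        print(f"rogue resolver {ip} (public={is_public_resolver(ip)}) in {len(paths)} NameServer values")
    print("adapters touched:", hijacked_interfaces(found))
    print("autostart items to re-check:", persistence_points(found))
```

Run against the full log rather than the excerpt, the same functions give the list of registry values to confirm are clear (or back to the DHCP-assigned resolvers) after reboot; the .job files and the Run value are the ones that tell you whether anything is still resident and recreating them.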
 
More logs

DDS and Attach logs below.

DDS:


DDS (Ver_10-03-17.01) - NTFSx86
Run by danw at 9:49:50.67 on Wed 05/05/2010
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_20
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.612 [GMT -6:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AmeriVault Backup Solution\Agent\VVAgent.exe
C:\Program Files\AmeriVault Backup Solution\Agent\buagent.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\STacSV.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\dllhost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\dllhost.exe
C:\Windows\System32\msdtc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Glance25\Glance.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Alwil Software\Avast5\setup\avast.setup
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\danw.INFOTRAX\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://espn.go.com/
uWindow Title = Internet Explorer provided by Dell
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080818
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [Gadwin PrintScreen] c:\program files\gadwin systems\printscreen\PrintScreen.exe /nosplash
uRun: [ZimbraNotifier] "c:\\ZimbraNotifier.exe"
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [<NO NAME>]
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [SecureUpgrade] c:\program files\wave systems corp\SecureUpgrade.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\glance.lnk - c:\program files\glance25\Glance.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://maceys.lifepics.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: gemsafe - c:\program files\gemplus\gemsafe libraries\bin\WLEventNotify.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
LSA: Authentication Packages = msv1_0 wvauth

================= FIREFOX ===================

FF - ProfilePath - c:\users\danw~1.inf\appdata\roaming\mozilla\firefox\profiles\1f7rpnzq.default\
FF - component: c:\users\danw.infotrax\appdata\roaming\mozilla\firefox\profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\danw.infotrax\appdata\roaming\mozilla\firefox\profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\glance25\npglance.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\danw.infotrax\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\danw.infotrax\appdata\roaming\facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\danw.infotrax\appdata\roaming\move networks\plugins\npqmp071705000014.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-13 162640]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-10-19 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-10-19 27784]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-13 19024]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-4-13 51792]
R3 glancedrv;glancedrv;c:\windows\system32\drivers\glancedrv.sys [2010-2-18 34080]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-8-18 179712]
S3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\drivers\BthFilt.sys [2008-8-18 13824]

=============== Created Last 30 ================

2010-05-05 06:44:34 0 d-----w- c:\users\danw~1.inf\appdata\roaming\Malwarebytes
2010-05-05 06:44:21 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-05 06:44:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-05 06:44:20 0 d-----w- c:\programdata\Malwarebytes
2010-05-05 06:44:20 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 06:31:11 0 d-----w- c:\programdata\Sun
2010-05-05 06:30:54 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-19 04:37:47 0 d-----w- c:\program files\TrendMicro
2010-04-19 04:27:57 0 d-----w- C:\fixwareout
2010-04-14 05:19:02 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-14 05:17:51 0 d-----w- c:\programdata\Alwil Software

==================== Find3M ====================

2010-05-05 06:55:20 1779 ----a-w- c:\windows\bthservsdp.dat
2010-05-04 02:33:16 302 ----a-w- c:\users\danw.infotrax\jobq.dat
2010-03-09 16:25:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42:17 834048 ----a-w- c:\windows\system32\wininet.dll
2010-02-25 21:31:47 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-25 21:31:47 51200 ----a-w- c:\windows\inf\infpub.dat
2010-02-25 21:31:47 143360 ----a-w- c:\windows\inf\infstor.dat
2010-02-25 21:31:46 143360 ----a-w- c:\windows\inf\infstrng.dat
2010-02-25 07:44:34 37665 ----a-w- c:\windows\fonts\GlobalUserInterface.CompositeFont
2010-02-24 16:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-20 23:06:41 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05:14 30720 ----a-w- c:\windows\system32\httpapi.dll
2008-09-23 23:40:32 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:07 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:07 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-08-18 18:24:08 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 9:58:27.77 ===============

Attach:

DDS (Ver_10-03-17.01)

Microsoft® Windows Vista™ Business
Boot Device: \Device\HarddiskVolume3
Install Date: 8/18/2008 4:36:45 AM
System Uptime: 5/5/2010 12:55:55 AM (9 hours ago)

Motherboard: Dell Inc. | | 0HN341
Processor: Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz | Microprocessor | 2401/200mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 110 GiB total, 52.677 GiB free.
D: is FIXED (NTFS) - 2 GiB total, 1.399 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== Installed Programs ======================

Acrobat.com
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.3
AmeriVault Backup Solution Agent
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AuthenTec Fingerprint Sensor Minimum Install
AutoUpdate
avast! Free Antivirus
AVG 8.5
biolsp patch
BlackBerry Desktop Software 4.0
Bonjour
Broadcom ASF Management Applications
Broadcom Management Programs
Browser Address Error Redirector
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Compatibility Pack for the 2007 Office system
Conexant HDA D330 MDC V.92 Modem
Dell Drivers MSI
Dell Embassy Trust Suite by Wave Systems
Dell Getting Started Guide
Dell Touchpad
Dell Wireless WLAN Card
Digital Line Detect
Digsby
DivX Codec
DivX Version Checker
Document Manager Lite
EDocs
EMBASSY Security Center
EMBASSY Security Setup
EMBASSY Trust Suite by Wave Systems
ESC Home Page Plugin
Facebook Plug-In
FamilySearch Indexing
Gadwin PrintScreen
Garmin Training Center 3.4.3
Gemalto
GemSafe Standard Edition 5.1
Glance 2.5
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel(R) Matrix Storage Manager
iTunes
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) SE Runtime Environment 6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1
Microsoft Office Small Business Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Modem Diagnostic Tool
Move Media Player
Mozilla Firefox (3.5.9)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
NTRU TCG Software Stack
Octoshape add-in for Adobe Flash Player
PowerDVD
Preboot Manager
PrimoPDF
Private Information Manager
QuickSet
QuickTime
Roxio Activation Module
Roxio Creator Audio
Roxio Creator BDAV Plugin
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator Tools
Roxio Express Labeler 3
Roxio Update Manager
Secure Update
Security Wizards
Skype™ 4.0
Sonic CinePlayer Decoder Pack
Uninstall FamilySearch Indexing
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
upekmsi
VC80CRTRedist - 8.0.50727.762
Vista Profile Pack
Wave Infrastructure Installer
Wave Support Software
Windows Live OneCare safety scanner
Zynga Toolbar

==== End Of File ===========================
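The Pseudo HJT section of the DDS report above is where a search redirect is checked when DNS is not the cause: URLSearchHooks and BHOs run inside the browser and can rewrite what a typed search or a clicked result does. As an added example (not from the post and not the DDS tool's code), the script below parses those lines and flags orphaned registrations (the BHO listed as "No File"), CLSIDs hooked into several places, policies that weaken the platform (the report shows EnableLUA = 0, i.e. UAC switched off), and LSA authentication packages and AppInit DLLs that need tying back to an installed product. Its sample input is an excerpt of the DDS log above; the line formats are an assumption taken from that log.

```python
"""Triage the browser-hook and policy lines of a DDS "Pseudo HJT Report".

Added example: not part of the forum post and not the DDS tool's own code.
DDS_EXCERPT is an excerpt of the DDS log posted above, embedded so the script
runs offline. The line formats are an assumption taken from that log:
  "<kind>: [<name>: ]{CLSID} - <path>"       for URLSearchHooks / BHO / TB
  "<scope>Policies-<area>: <key> = <value>"  for policy lines
  "AppInit_DLLs: <list>" and "LSA: Authentication Packages = <list>"
"""
import re
from typing import Dict, List, Optional, Tuple

DDS_EXCERPT = r"""
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mRun: [<NO NAME>]
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
AppInit_DLLs: avgrsstx.dll
LSA: Authentication Packages = msv1_0 wvauth
"""

HOOK_RE = re.compile(r"^(?P<kind>[um]URLSearchHooks|BHO|TB): (?:(?P<name>.+?): )?"
                     r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
POLICY_RE = re.compile(r"^[um]Policies-\w+: (?P<key>\w+) = (?P<value>\S+)")

# Policy values that weaken the platform: key -> (value that is bad, why).
WEAKENING_POLICIES = {
    "EnableLUA": ("0", "UAC disabled: anything the user runs gets full admin rights"),
}
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

Hook = Dict[str, Optional[str]]


def parse_hooks(text: str) -> List[Hook]:
    """Objects IE loads into itself: URLSearchHooks, BHOs and toolbars. A
    URLSearchHook decides what happens to text typed in the address bar and a
    BHO sees every navigation, so this is where a redirect lives when DNS is clean."""
    return [m.groupdict() for m in map(HOOK_RE.match, text.splitlines()) if m]


def orphaned_hooks(hooks: List[Hook]) -> List[Hook]:
    """Registrations whose DLL is gone: leftovers of a removed add-on, or of
    malware whose file was deleted without its CLSID registration."""
    return [h for h in hooks if h["path"] == "No File"]


def hooks_by_clsid(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Where each CLSID is registered; one CLSID registered as search hook in
    both hives, as BHO and as toolbar is the footprint of a search toolbar."""
    out: Dict[str, List[str]] = {}
    for h in hooks:
        out.setdefault(h["clsid"].lower(), []).append(h["kind"])
    return out


def weakening_policies(text: str) -> List[Tuple[str, str, str]]:
    """(key, value, reason) for each policy line set to a known weakening value."""
    hits = []
    for m in map(POLICY_RE.match, text.splitlines()):
        if m and m["key"] in WEAKENING_POLICIES and m["value"] == WEAKENING_POLICIES[m["key"]][0]:
            hits.append((m["key"], m["value"], WEAKENING_POLICIES[m["key"]][1]))
    return hits


def extra_auth_packages(text: str) -> List[str]:
    """LSA authentication packages beyond the default msv1_0. Each is a DLL loaded
    into lsass.exe at boot, so tie every extra name to an installed product and a
    signed DLL (the posted program list includes Wave Systems' EMBASSY suite)."""
    m = re.search(r"^LSA: Authentication Packages = (.+)$", text, re.MULTILINE)
    return [p for p in m.group(1).split() if p not in DEFAULT_AUTH_PACKAGES] if m else []


def appinit_dlls(text: str) -> List[str]:
    """DLLs injected into every process that loads user32.dll; same rule as above,
    each one must trace back to an installed, signed product."""
    m = re.search(r"^AppInit_DLLs: (.+)$", text, re.MULTILINE)
    return [d for d in re.split(r"[ ,]+", m.group(1)) if d] if m else []


if __name__ == "__main__":
    hooks = parse_hooks(DDS_EXCERPT)
    print("orphaned:", [h["clsid"] for h in orphaned_hooks(hooks)])
    print("per CLSID:", hooks_by_clsid(hooks))
    print("weakening policies:", weakening_policies(DDS_EXCERPT))
    print("extra LSA packages:", extra_auth_packages(DDS_EXCERPT))
    print("AppInit DLLs:", appinit_dlls(DDS_EXCERPT))
```

The point of grouping by CLSID is that a single toolbar typically registers itself in four places at once, and the same pattern with a DLL that does not belong to any installed product is what a search hijacker looks like in this section; an orphaned CLSID is harmless on its own but is a cheap thing to remove, and EnableLUA = 0 is worth putting back to 1 once the machine is clean.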
 
MBAM and GMER logs

Doesn't look like my GMER and MBAM logs reply made it in. See below.

IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74AB71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74B4CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74AEC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74ABD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74AB6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74AB687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74AC2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\iaStor \Device\Ide\iaStor0 [826E8D24] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [826E8D24] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xac]}

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37c4ec42
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37c4ec42@0023d4fc56cd 0x0E 0xA2 0x10 0x0F ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e37c4ec42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e37c4ec42@0023d4fc56cd 0x0E 0xA2 0x10 0x0F ...

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 
Good job! All the logs made it in just fine. There is a Dell driver that needs attention:

Please download SystemLook from one of the links below and save it to your Desktop:
  • Double-click SystemLook.exe to run it.
  • A blank window will open with the title "SystemLook v1.0-by Jpshortstuff".
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    iastor.*
  • Please confirm everything is copied and pasted as I have provided above.
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan, Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
====================================
Then download ComboFix from Here and save to your Desktop.

  • [1]. Do NOT rename Combofix unless instructed.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Close any open browsers.
  • [4]. Double click combofix.exe & follow the prompts to run.
    NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  • [5]. If Combofix asks you to install Recovery Console, please allow it.
  • [6]. If Combofix asks you to update the program, always allow.
    Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.
Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.

Give me the results of both when finished and I'll set up the next step.
If you have a problem with connecting to the internet before we finish, please let me know and I'll have you do a DNS Flush.

NOTE: You may get a reboot and/or notice when running Combofix that there is a Rootkit. Please let the program continue.
 
Follow up

I've done that. Here are the results of the logs.

SystemLook:

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:53 on 06/05/2010 by danw (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.*"
C:\Drivers\storage\R154200\iastor.cat --a--- 11254 bytes [18:11 18/08/2008] [11:40 17/04/2007] 6F6F9F086E42A50A5EA9664AC11D9423
C:\Drivers\storage\R154200\iastor.inf --a--- 6451 bytes [18:11 18/08/2008] [11:40 17/04/2007] 17CF149196D14322C3775BDAE5CEDE60
C:\Drivers\storage\R154200\iastor.sys --a--- 277784 bytes [18:11 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\iastor.cat --a--- 11254 bytes [10:54 18/08/2008] [09:07 23/02/2007] 2D429546C0C0A29C97A5039D14FB2D42
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\iastor.inf --a--- 6451 bytes [10:54 18/08/2008] [17:36 12/02/2007] 17CF149196D14322C3775BDAE5CEDE60
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 537368 bytes [10:54 18/08/2008] [18:37 12/02/2007] 2EE127D5407DA3957EE54711C9AED6EC
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.cat --a--- 11254 bytes [10:54 18/08/2008] [09:07 23/02/2007] 6F6F9F086E42A50A5EA9664AC11D9423
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iastor.inf --a--- 6451 bytes [10:54 18/08/2008] [17:36 12/02/2007] 17CF149196D14322C3775BDAE5CEDE60
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 277784 bytes [10:54 18/08/2008] [18:36 12/02/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\DriverStore\FileRepository\iaahci.inf_1cb29a96\iaStor.sys --a--- 277784 bytes [18:29 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_8f0cb06b\iaStor.cat --a--- 11254 bytes [18:29 18/08/2008] [11:40 17/04/2007] 6F6F9F086E42A50A5EA9664AC11D9423
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_8f0cb06b\iastor.inf --a--- 6451 bytes [18:29 18/08/2008] [11:40 17/04/2007] 17CF149196D14322C3775BDAE5CEDE60
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_8f0cb06b\iaStor.sys --a--- 277784 bytes [18:29 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\drivers\iaStor.sys --a--- 277784 bytes [18:29 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8

-=End Of File=-

Combo Fix:

ComboFix 10-05-05.0D - danw 05/06/2010 16:25:11.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.1236 [GMT -6:00]
Running from: c:\users\danw.INFOTRAX\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-1016304820-1602329189-69458350-500
c:\$recycle.bin\S-1-5-21-2826133206-2312993737-4083541239-500
c:\$recycle.bin\S-1-5-21-918056312-2952985149-2686913973-500

.
((((((((((((((((((((((((( Files Created from 2010-04-06 to 2010-05-06 )))))))))))))))))))))))))))))))
.

2010-05-06 22:35 . 2010-05-06 22:36 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Local\temp
2010-05-06 22:35 . 2010-05-06 22:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-06 22:35 . 2010-05-06 22:35 -------- d-----w- c:\users\danw\AppData\Local\temp
2010-05-06 13:52 . 2010-05-06 22:21 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-05 20:55 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-05 20:55 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-05 20:55 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-05 20:54 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-05-05 20:54 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-05 20:54 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-05 20:54 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-05 20:54 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-05-05 20:53 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Malwarebytes
2010-05-05 06:44 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\programdata\Malwarebytes
2010-05-05 06:44 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-05 06:36 . 2010-05-05 06:36 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-05 06:30 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-30 06:04 . 2010-03-29 15:59 52224 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-04-30 06:04 . 2010-03-29 15:59 101376 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-04-19 04:37 . 2010-04-19 04:37 388096 ----a-r- c:\users\danw.INFOTRAX\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-04-19 04:37 . 2010-04-19 04:37 -------- d-----w- c:\program files\TrendMicro
2010-04-19 04:27 . 2010-04-19 04:27 -------- d-----w- C:\fixwareout
2010-04-14 05:19 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-14 05:19 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-14 05:19 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-14 05:19 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-14 05:19 . 2010-03-09 10:08 51792 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-04-14 05:18 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-14 05:18 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-14 05:17 . 2010-04-14 05:17 -------- d-----w- c:\programdata\Alwil Software
2010-04-14 05:17 . 2010-04-14 05:17 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-06 22:20 . 2008-08-18 10:58 1779 ----a-w- c:\windows\bthservsdp.dat
2010-05-06 22:01 . 2009-06-02 16:22 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Skype
2010-05-06 18:51 . 2008-09-25 21:39 0 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\WavXMapDrive.bat
2010-05-06 13:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-06 03:35 . 2009-11-23 01:40 302 ----a-w- c:\users\danw.INFOTRAX\jobq.dat
2010-05-05 06:31 . 2008-08-18 10:47 -------- d-----w- c:\program files\Common Files\Java
2010-05-05 06:30 . 2008-08-18 10:47 -------- d-----w- c:\program files\Java
2010-05-04 23:02 . 2008-10-18 14:43 5972 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\d3d9caps.dat
2010-04-26 16:46 . 2008-09-30 15:50 -------- d-----w- c:\program files\Digsby
2010-03-29 04:41 . 2010-02-24 04:43 50354 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\uninstall.exe
2010-03-29 04:41 . 2010-02-24 04:43 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook
2010-03-09 16:25 . 2010-03-30 20:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-30 20:41 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-25 21:31 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2010-02-24 16:16 . 2009-10-03 06:22 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 15:38 . 2008-09-25 21:39 100432 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:06 . 2010-03-15 09:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-15 09:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-15 09:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
2008-08-18 18:24 . 2008-08-18 18:12 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2009-12-31 18:53 2349080 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2009-12-31 2349080]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 495616]
"ZimbraNotifier"="c:\\ZimbraNotifier.exe" [2009-02-12 159744]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-31 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-31 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-31 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 85504]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-03 405504]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-03-09 2769336]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-18 50688]
Glance.lnk - c:\program files\Glance25\Glance.exe [2010-2-18 1737504]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ab,3a,66,3a,f1,b5,ca,01

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-03-19 179712]
R3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\DRIVERS\BthFilt.sys [2007-05-05 13824]
S1 aswSP;aswSP; [x]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2010-03-09 51792]
S2 BthFilterHelper;Bluetooth Feature Support;c:\program files\CSR\Vista Profile Pack\BthFilterHelper.exe [2006-11-07 127488]
S2 EVault InfoStage Agent;AmeriVault Backup Solution Agent;c:\program files\AmeriVault Backup Solution\Agent\VVAgent.exe [2009-03-28 3432448]
S2 EVault InfoStage BUAgent;AmeriVault Backup Solution BUAgent;c:\program files\AmeriVault Backup Solution\Agent\buagent.exe [2009-03-28 5492736]
S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2006-11-02 7168]
S3 glancedrv;glancedrv;c:\windows\system32\DRIVERS\glancedrv.sys [2009-05-13 34080]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-06 c:\windows\Tasks\User_Feed_Synchronization-{65A728E8-D674-4D7B-A17C-4848276ECB41}.job
- c:\windows\system32\msfeedssync.exe [2008-09-23 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://espn.go.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://maceys.lifepics.com/net/Uploader/LPUploader57.cab
FF - ProfilePath - c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\
FF - component: c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Glance25\npglance.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-Octoshape add-in for Adobe Flash Player - c:\users\danw.INFOTRAX\AppData\Roaming\Macromedia\Flash Player\



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-06 16:35
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys >>UNKNOWN [0x86BC68C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x883aad24
\Driver\ACPI -> acpi.sys @ 0x80691d68
\Driver\atapi -> ataport.SYS @ 0x82d6fa2c
\Driver\iaStor -> iastor.sys @ 0x82ce2d24
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(704)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\program files\Wave Systems Corp\Common\CryptoManager.dll
c:\windows\system32\tcg15.dll
c:\windows\system32\Tsp1.dll
c:\windows\system32\wclient14.dll
c:\program files\Bonjour\mdnsNSP.dll
.
Completion time: 2010-05-06 16:41:33
ComboFix-quarantined-files.txt 2010-05-06 22:41

Pre-Run: 56,894,017,536 bytes free
Post-Run: 56,777,719,808 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 733450698AA914877EC497DF508D0B59
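The SystemLook filefind output above lists every copy of iastor.sys with its size and MD5, and the helper later replaces the live driver from the Dell copy. The Python below is an added example, not part of the thread or of SystemLook: it parses that line format, groups the copies by hash and checks whether the driver in use matches the vendor copies; the sample log is constructed from the paths, sizes and hashes quoted above.

```python
"""Parse SystemLook ':filefind' output and compare the hashes of every copy
of a driver it found."""
import re
from collections import defaultdict

# Constructed sample in SystemLook filefind format. Paths, sizes and MD5s are
# the ones quoted in the thread; embedded here so the script runs offline.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 15:53 on 06/05/2010 by danw (Administrator - Elevation successful)

========== filefind ==========

Searching for "iastor.*"
C:\Drivers\storage\R154200\iastor.sys --a--- 277784 bytes [18:11 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver64\IaStor.sys --a--- 537368 bytes [10:54 18/08/2008] [18:37 12/02/2007] 2EE127D5407DA3957EE54711C9AED6EC
C:\Program Files\Intel\Intel Matrix Storage Manager\Driver\iaStor.sys --a--- 277784 bytes [10:54 18/08/2008] [18:36 12/02/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\DriverStore\FileRepository\iastor.inf_8f0cb06b\iaStor.sys --a--- 277784 bytes [18:29 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8
C:\Windows\System32\drivers\iaStor.sys --a--- 277784 bytes [18:29 18/08/2008] [11:40 17/04/2007] FD7F9D74C2B35DBDA400804A3F5ED5D8

-=End Of File=-
"""

# One filefind result line: path, six attribute flags, size, two timestamps, MD5.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$"
)


def parse_filefind(text):
    """Return one dict per file line; headers, blanks and the end marker are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "path": m["path"],
            "attrs": m["attrs"],
            "size": int(m["size"]),
            "mtime": m["mtime"],
            "ctime": m["ctime"],
            "md5": m["md5"].upper(),
        })
    return entries


def group_by_md5(entries):
    """Map each MD5 to the paths carrying it, so byte-identical copies stand out."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["md5"]].append(e["path"])
    return dict(groups)


def find_entry(entries, path):
    """Look a path up case-insensitively, as Windows paths are case-insensitive."""
    wanted = path.lower()
    for e in entries:
        if e["path"].lower() == wanted:
            return e
    return None


def check_driver(entries, live_path):
    """Return (md5, other paths with the same md5) for the driver in use."""
    live = find_entry(entries, live_path)
    if live is None:
        raise ValueError(f"{live_path} not in filefind output")
    twins = [e["path"] for e in entries
             if e["md5"] == live["md5"] and e is not live]
    return live["md5"], twins


def same_file(entries, src, dst):
    """True when src and dst have equal size and MD5 in the log, i.e. copying
    src over dst would leave the bytes on disk unchanged."""
    a, b = find_entry(entries, src), find_entry(entries, dst)
    if a is None or b is None:
        return False
    return a["size"] == b["size"] and a["md5"] == b["md5"]


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    for digest, paths in group_by_md5(found).items():
        print(digest)
        for p in paths:
            print("   ", p)
    digest, twins = check_driver(found, r"C:\Windows\System32\drivers\iaStor.sys")
    print(f"\nlive driver {digest} matches {len(twins)} other copies")
```

Matching MD5s read from inside the running system only show that the reads returned identical bytes; a kernel-mode rootkit that hooks the storage stack can hand clean bytes to every reader, so the hashes do not contradict GMER's "suspicious modification" flag on the same file.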
 
You have processes loading for both Avast and AVG. Please remove one of them. Multiple antivirus programs can make a system more vulnerable and also slow it down. I may need to remove some drivers depending on which program you decide to keep. Here are tools to help with removal. Only download the one for the program you aren't keeping:
Avast Removal
AVG Removal: Note: You may have to reinstall AVG to uninstall it fully
=========================
NOTE: Please disable all of the security before you run the following. You already have Combofix on the desktop- just go Offline to run:

Custom CFScript


  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad and copy/paste the text in the code below into it:
Code:
File::

Folder::
C:\fixwareout

Registry::
RegLock::
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

Driver::

FCopy::
C:\Drivers\storage\R154200\iastor.sys | C:\WINDOWS\system32\drivers\iaStor.sys

DDS::
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mRun: [<NO NAME>]
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt. Please attach it to your next reply.
====================
Please Run Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Include both Combofix script report and Eset online scan in next reply.
 
Results

I've removed Avast.

Went offline, created the text file and dragged it onto the combofix icon. It processed for a while, then a notification came back that it needed to reboot because of rootkit activity. I allowed it to reboot, and when it came back up, it continued to process and got to step/phase 5, then it shut down the computer abruptly. When I booted up, combofix was no longer running and it didn't create the log file in the C directory. There's a ComboFix file there dated today, but it's not a text file and can't be opened.

I've included the log from the ESET scan:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16386 (vista_rtm.061101-2205)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=6012d412e6e08a4a898212954e4d5126
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=false
# utc_time=2010-05-11 08:57:13
# local_time=2010-05-11 02:57:13 (-0700, Mountain Daylight Time)
# country="United States"
# lang=9
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=5892 16776574 100 100 2199216 110213687 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=137213
# found=2
# cleaned=0
# scan_time=5247
C:\Users\danw.INFOTRAX\AppData\Local\temp\Av-test.txt Eicar test file 1195B64D237F57E6289D3CD105228D93 I
C:\ZimbraNotifier.exe probably unknown NewHeur_PE virus 5EB58E7F121749A296371B292E8A3DD0 I
 
Not a good sign. Before we go any further, I'd like you to do this scan:

  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan" box on the top of the page:
    • c:\windows\system32\userinit.exe
  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
Also scan these:

C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe

There is a chance you might have a Virut infection. If that is the case, we recommend a reformat and reinstall. But check first and we'll go from the results.

Virut is a polymorphic file infector that infects .exe, .scr, .rar, .zip, .htm and .html files. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.
It opens a backdoor by connecting to a predefined IRC server and waits for commands from the remote attacker.
 
New scans

I've run the virscan.org scanner. Here is the first log:

VirSCAN.org Scanned Report :
Scanned time : 2010/05/13 00:13:51 (CST)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 25088 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 0e135526e9785d085bcd9aede6fbcbf9
SHA1 : d15244d41efddbab08d53fe032aedff39091d3af
Online report : http://virscan.org/report/a00a2f455a9299116dadd13c084b9fe4.html

Second log:

VirSCAN.org Scanned Report :
Scanned time : 2010/05/13 00:17:52 (CST)
Scanner results: Scanners did not find malware!
File Name : explorer.exe
File Size : 2926592 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : d07d4c3038f3578ffce1c0237f2a1253
SHA1 : 4b3bd605b63749ff255e048ca6f27aff95aec24a
Online report : http://virscan.org/report/7b3da17525723765d91c877b396a8b45.html

Third log:

VirSCAN.org Scanned Report :
Scanned time : 2010/05/13 00:20:25 (CST)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 21504 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3794b461c45882e06856f282eef025af
SHA1 : bf15549a7ec01ac505ccac036aba5b9bae688135
Online report : http://virscan.org/report/20a95f3ab941f7055166b9d3f1832d23.html

 
Okay, that's good. Doesn't look like Virut. I'm going to move the ESET finds, and then I need you to rerun ComboFix and give me the log; I need to make sure the script did what it was supposed to:

Please download OTMoveIt by OldTimer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Processes	
    
    :Services
    :Reg
    :Files  
    C:\Users\danw.INFOTRAX\AppData\Local\temp\Av-test.txt Eicar test file 1195B64D237F57E6289D3CD105228D93 I
    C:\ZimbraNotifier.exe 
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
==============================
Download the HijackThis Installer HERE and save to the desktop:
  1. Double-click on HJTInstall.exe to run the program.
  2. By default it will install to C:\Program Files\Trend Micro\HijackThis.
  3. Accept the license agreement by clicking the "I Accept" button.
  4. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  5. Click "Save log" to save the log file and then the log will open in notepad.
  6. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  7. Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
============================
Please include the OTMoveIt log, ComboFix report and HijackThis log in your next reply.
 
More logs

OTMoveIt Log:

All processes killed
========== PROCESSES ==========
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder C:\Users\danw.INFOTRAX\AppData\Local\temp\Av-test.txt Eicar test file 1195B64D237F57E6289D3CD105228D93 I not found.
C:\ZimbraNotifier.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: danw
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: danw.INFOTRAX
->Temp folder emptied: 1309721 bytes
->Temporary Internet Files folder emptied: 56078919 bytes
->Java cache emptied: 281909 bytes
->FireFox cache emptied: 93611998 bytes
->Flash cache emptied: 31684 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 2676 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 144.00 mb


OTM by OldTimer - Version 3.1.12.0 log created on 05122010_202216

Files moved on Reboot...
File C:\Users\danw.INFOTRAX\AppData\Local\Temp\4C71.tmp not found!
File C:\Users\danw.INFOTRAX\AppData\Local\Temp\~DF7433.tmp not found!
File C:\Users\danw.INFOTRAX\AppData\Local\Temp\~DF77A1.tmp not found!

Registry entries deleted on Reboot...


HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:35:23 PM, on 5/12/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\notepad.exe
C:\Program Files\Apoint\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Wave Systems Corp\Services Manager\DocMgr\bin\WavXDocMgr.exe
C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Glance25\Glance.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://espn.go.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [SecureUpgrade] C:\Program Files\Wave Systems Corp\SecureUpgrade.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [ZimbraNotifier] "C:\\ZimbraNotifier.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: Glance.lnk = C:\Program Files\Glance25\Glance.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: Garmin Communicator Plug-In - https://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} (Image Uploader Control) - http://maceys.lifepics.com/net/Uploader/LPUploader57.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = infotraxsys.com
O17 - HKLM\Software\..\Telephony: DomainName = infotraxsys.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = infotraxsys.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: gemsafe - C:\Program Files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Broadcom ASF IP and SMBIOS Mailbox Monitor (ASFIPmon) - Broadcom Corporation - C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Feature Support (BthFilterHelper) - CSR, plc - C:\Program Files\CSR\Vista Profile Pack\BthFilterHelper.exe
O23 - Service: AmeriVault Backup Solution Agent (EVault InfoStage Agent) - Unknown owner - C:\Program Files\AmeriVault Backup Solution\Agent\VVAgent.exe
O23 - Service: AmeriVault Backup Solution BUAgent (EVault InfoStage BUAgent) - Unknown owner - C:\Program Files\AmeriVault Backup Solution\Agent\buagent.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Dell Internal Network Card Power Management (nicconfigsvc) - Dell Inc. - C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.25 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: WaveEnrollmentService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Authentication Manager\WaveEnrollmentService.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7814 bytes
 
combofix log

The combofix log didn't fit in the last comment, so here it is:

ComboFix 10-05-07.07 - danw 05/12/2010 20:53:29.5.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2037.1295 [GMT -6:00]
Running from: c:\users\danw.INFOTRAX\Desktop\ComboFix.exe
Command switches used :: c:\users\danw.INFOTRAX\Desktop\CFScript.txt
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\fixwareout
c:\fixwareout\FindT\dumphive.exe
c:\fixwareout\FindT\FixWareOut.reg
c:\fixwareout\FindT\nircmd.exe
c:\fixwareout\FindT\patterns.txt
c:\fixwareout\FindT\rbot.bat
c:\fixwareout\FindT\RestartIt.exe
c:\fixwareout\FindT\runs.vbs
c:\fixwareout\FindT\swreg.exe
c:\fixwareout\FindT\vfind.exe
c:\fixwareout\FindT\XP-2K2.cmd
c:\fixwareout\FixIt.BAT

.
--------------- FCopy ---------------

.
((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-13 03:01 . 2010-05-13 03:04 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Local\temp
2010-05-13 03:01 . 2010-05-13 03:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-13 03:01 . 2010-05-13 03:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-13 03:01 . 2010-05-13 03:01 -------- d-----w- c:\users\danw\AppData\Local\temp
2010-05-13 02:34 . 2010-05-13 02:34 -------- d-----w- c:\program files\Trend Micro
2010-05-13 02:22 . 2010-05-13 02:22 -------- d-----w- C:\_OTM
2010-05-08 08:39 . 2010-05-08 08:39 -------- d-----w- c:\program files\ESET
2010-05-06 13:52 . 2010-05-06 22:21 -------- d-----w- c:\windows\system32\MpEngineStore
2010-05-05 20:55 . 2010-02-23 11:10 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-05-05 20:55 . 2010-02-23 11:10 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-05-05 20:55 . 2010-02-23 11:10 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-05-05 20:54 . 2010-03-04 17:33 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-05-05 20:54 . 2010-02-18 14:07 904576 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-05-05 20:54 . 2010-02-18 13:30 200704 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-05-05 20:54 . 2010-02-18 11:28 25088 ----a-w- c:\windows\system32\drivers\tunnel.sys
2010-05-05 20:54 . 2009-12-23 11:33 172032 ----a-w- c:\windows\system32\wintrust.dll
2010-05-05 20:53 . 2010-01-13 17:34 98304 ----a-w- c:\windows\system32\cabview.dll
2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Malwarebytes
2010-05-05 06:44 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-05 06:44 . 2010-05-05 06:44 -------- d-----w- c:\programdata\Malwarebytes
2010-05-05 06:44 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-05 06:36 . 2010-05-05 06:36 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-05 06:30 . 2010-04-12 23:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-19 04:37 . 2010-04-19 04:37 -------- d-----w- c:\program files\TrendMicro
2010-04-14 05:17 . 2010-04-14 05:17 -------- d-----w- c:\programdata\Alwil Software
2010-04-14 05:17 . 2010-05-08 07:30 -------- d-----w- c:\program files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-13 03:07 . 2009-06-02 16:22 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Skype
2010-05-13 03:03 . 2008-09-25 21:39 0 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\WavXMapDrive.bat
2010-05-13 03:01 . 2008-08-18 10:58 1779 ----a-w- c:\windows\bthservsdp.dat
2010-05-13 02:34 . 2010-05-13 02:34 388096 ----a-r- c:\users\danw.INFOTRAX\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-11 15:57 . 2008-10-18 14:43 5972 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\d3d9caps.dat
2010-05-11 04:17 . 2009-11-23 01:40 302 ----a-w- c:\users\danw.INFOTRAX\jobq.dat
2010-05-06 13:44 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-05 06:31 . 2008-08-18 10:47 -------- d-----w- c:\program files\Common Files\Java
2010-05-05 06:30 . 2008-08-18 10:47 -------- d-----w- c:\program files\Java
2010-04-26 16:46 . 2008-09-30 15:50 -------- d-----w- c:\program files\Digsby
2010-03-29 15:59 . 2010-05-10 16:46 52224 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-03-29 15:59 . 2010-05-10 16:46 101376 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-03-29 04:41 . 2010-02-24 04:43 50354 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\uninstall.exe
2010-03-29 04:41 . 2010-02-24 04:43 -------- d-----w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook
2010-03-09 16:25 . 2010-03-30 20:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 15:42 . 2010-03-30 20:41 834048 ----a-w- c:\windows\system32\wininet.dll
2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
2010-02-24 16:16 . 2009-10-03 06:22 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 15:38 . 2008-09-25 21:39 100432 ----a-w- c:\users\danw.INFOTRAX\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-20 23:06 . 2010-03-15 09:00 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:05 . 2010-03-15 09:00 30720 ----a-w- c:\windows\system32\httpapi.dll
2010-02-20 20:53 . 2010-03-15 09:00 411648 ----a-w- c:\windows\system32\drivers\http.sys
2008-08-18 18:24 . 2008-08-18 18:12 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Gadwin PrintScreen"="c:\program files\Gadwin Systems\PrintScreen\PrintScreen.exe" [2007-08-20 495616]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2009-04-21 24264488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2007-04-16 159744]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-31 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-31 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-31 133656]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2007-09-10 85504]
"SecureUpgrade"="c:\program files\Wave Systems Corp\SecureUpgrade.exe" [2007-09-14 218424]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-08 3444736]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2008-01-03 405504]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-8-18 50688]
Glance.lnk - c:\program files\Glance25\Glance.exe [2010-2-18 1737504]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gemsafe]
2006-11-16 20:20 73728 ----a-w- c:\program files\Gemplus\GemSafe Libraries\BIN\WLEventNotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 07:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVDDXSrv]
2007-09-17 16:56 124200 ------w- c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 07:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):ab,3a,66,3a,f1,b5,ca,01

R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-03-19 179712]
R3 BTHFILT;Bluetooth Command Filter;c:\windows\system32\DRIVERS\BthFilt.sys [2007-05-05 13824]
S2 ASFIPmon;Broadcom ASF IP and SMBIOS Mailbox Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [2006-12-19 79432]
S2 BthFilterHelper;Bluetooth Feature Support;c:\program files\CSR\Vista Profile Pack\BthFilterHelper.exe [2006-11-07 127488]
S2 EVault InfoStage Agent;AmeriVault Backup Solution Agent;c:\program files\AmeriVault Backup Solution\Agent\VVAgent.exe [2009-03-28 3432448]
S2 EVault InfoStage BUAgent;AmeriVault Backup Solution BUAgent;c:\program files\AmeriVault Backup Solution\Agent\buagent.exe [2009-03-28 5492736]
S2 Wave UCSPlus;Wave UCSPlus;c:\windows\system32\dllhost.exe [2006-11-02 7168]
S3 glancedrv;glancedrv;c:\windows\system32\DRIVERS\glancedrv.sys [2009-05-13 34080]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-05-13 c:\windows\Tasks\User_Feed_Synchronization-{65A728E8-D674-4D7B-A17C-4848276ECB41}.job
- c:\windows\system32\msfeedssync.exe [2008-09-23 07:33]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://espn.go.com/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
DPF: Garmin Communicator Plug-In - hxxps://my.garmin.com/static/m/cab/2.7.1/GarminAxControl.CAB
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://maceys.lifepics.com/net/Uploader/LPUploader57.cab
FF - ProfilePath - c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\
FF - component: c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\users\danw.INFOTRAX\AppData\Roaming\Mozilla\Firefox\Profiles\1f7rpnzq.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - plugin: c:\program files\Glance25\npglance.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Facebook\npfbplugin_1_0_3.dll
FF - plugin: c:\users\danw.INFOTRAX\AppData\Roaming\Move Networks\plugins\npqmp071705000014.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ZimbraNotifier - c:\\ZimbraNotifier.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 21:03
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys >>UNKNOWN [0x869D68C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x883acd24
\Driver\ACPI -> acpi.sys @ 0x80692d68
\Driver\atapi -> ataport.SYS @ 0x82d6da2c
\Driver\iaStor -> iastor.sys @ 0x82ce0d24
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(660)
c:\windows\system32\wvauth.dll
c:\windows\system32\biolsp.dll
c:\program files\Wave Systems Corp\Common\CryptoManager.dll
c:\windows\system32\tcg15.dll
c:\windows\system32\Tsp1.dll
c:\windows\system32\wclient14.dll
c:\program files\Bonjour\mdnsNSP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\system32\WLANExt.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\STacSV.exe
c:\windows\system32\DRIVERS\xaudio.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\windows\System32\msdtc.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2010-05-12 21:16:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-13 03:16
ComboFix2.txt 2010-05-06 22:41

Pre-Run: 58,337,968,128 bytes free
Post-Run: 58,245,971,968 bytes free

- - End Of File - - EDA719CE6E2A9F8EBA2DEDFDC06E296D
 
I am reluctant to continue support. This appears to be a system more adapted to the work environment as follows:

Microsoft® Windows Vista™ Business

Processes running:
EMBASSY Security Center
EMBASSY Security Setup
EMBASSY Trust Suite by Wave Systems
Wave Infrastructure Installer
Wave Support Software
Many of the entries are for authentication and encryption. http://www.wave.com/
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe

Use of INFOTRAX for: DataTrax and/or Virtual Office and/or Commission Consulting.
http://infotraxsys.com/products/datatrax.cfm
http://infotraxsys.com/products/virtualoffice.cfm
http://infotraxsys.com/products/commission_consulting.cfm

And the presence of the following, some of which are restrictions. I have no way of knowing which are work related restrictions, which you may have put in place or which might be from malware:
ALL of the following are running at the same time:
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

I know that working with enterprise IT techs can sometimes be a hassle, but I am not going to take the responsibility of making any other changes, additions or deletions to this system.
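The list of `svchost.exe -k <group>` processes above is normal on Vista and later: each `-k` name is a service host group defined under the `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost` registry key, and the services that run inside it are listed there. The following PowerShell script is an added example for triage, not part of the thread or any tool used in it. It maps each running svchost process to its group and hosted services and flags three things a defender cares about: a `-k` group that is not declared in the Svchost key, a hosted service that is not a member of its declared group, and an svchost binary that is not the one in `System32`. It assumes PowerShell 3.0 or later (for `Get-CimInstance`) and local administrator rights to read process command lines.

```powershell
# Added example (not from the thread): audit svchost.exe host groups against the
# Svchost registry key so unknown groups or foreign binaries stand out.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'

# Value names under the key are the legitimate group names; each value's data is
# the REG_MULTI_SZ list of services allowed to run in that group.
$keyItem       = Get-Item -Path $svchostKey
$definedGroups = $keyItem.Property
$groupMembers  = Get-ItemProperty -Path $svchostKey

# Canonical path of the real service host binary (case-insensitive compare below).
$expectedPath = Join-Path $env:SystemRoot 'System32\svchost.exe'

$report = foreach ($proc in Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'") {

    # Parse the -k group from the command line; the name may be quoted.
    $group = $null
    if ($proc.CommandLine -match '-k\s+"?([^"\s]+)"?') { $group = $Matches[1] }

    # Services actually hosted in this process, from the SCM's point of view.
    $hosted = @(Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.ProcessId)" |
                Select-Object -ExpandProperty Name)

    $findings = @()

    if (-not $group) {
        $findings += 'no -k group on command line'
    } elseif ($definedGroups -notcontains $group) {
        $findings += "group '$group' not defined in Svchost key"
    } else {
        # Any hosted service that is not declared as a member of this group is odd.
        $allowed = @($groupMembers.$group)
        foreach ($svc in $hosted) {
            if ($allowed -notcontains $svc) { $findings += "service '$svc' not a member of '$group'" }
        }
    }

    if ($proc.ExecutablePath -and ($proc.ExecutablePath -ine $expectedPath)) {
        $findings += "binary is $($proc.ExecutablePath), not $expectedPath"
    }

    [pscustomobject]@{
        PID      = $proc.ProcessId
        Group    = $group
        Services = ($hosted -join ', ')
        Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
    }
}

# Print the whole map, then just the rows that need a second look.
$report | Format-Table -AutoSize
$report | Where-Object { $_.Findings -ne 'ok' } | Format-List
```

Groups such as `netsvcs`, `LocalService`, `NetworkService`, `LocalServiceNetworkRestricted` and `LocalSystemNetworkRestricted` will show as defined on any stock Windows install; a row whose group is missing from the key, whose binary lives outside `System32`, or whose hosted service is not declared in its group is what merits further investigation, while a long list of defined groups by itself is not a sign of compromise. On an older system without `Get-CimInstance`, `Get-WmiObject` with the same class names and filters behaves the same way for this purpose.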
 