Trojans, Re-directed, .tmp files being created every minute and very confused


I'm very new to this superb forum of experts and I thank God I came here for help. I must have gotten redirected to some site last week that claimed to be doing me a favor by scanning my hard drive and then telling me I was infected with trojans. After that my life was a living hell. It seemed that every time I wanted to go to any Google site, I was redirected, and that was not all. Trojans, redirects, .tmp files kept getting created every minute and I was very confused.

I stumbled upon a free copy of your Malwarebytes' Anti-Malware application and gave that a shot with excellent results. Unfortunately the only problem was that it did not make these nightmares from hell go away permanently, but it was still much better than anything else I had found by advice, or on the web. As I wiped the frustration from my forehead, I then decided to visit this forum and spent over an hour reading all this divine help from miekiemoes, some of it very similar to my nightmare. I pretty much wound up following the advice miekiemoes gave others and went down the ComboFix path. At first I was scared out of my mind with what this tool was doing; I thought for sure I would lose everything and have to spend all week rebuilding this laptop and all its idiosyncrasies by hand.

I am very happy to say that everything miekiemoes advised was DEAD-ON-THE-MONEY and I no longer have these problems, thanks to her and this wonderful forum. I am so impressed by this help that I will be purchasing Malwarebytes' Anti-Malware immediately after I post this. I just have a closing question, if you don't mind: I am including the ComboFix output and I wonder if you could tell me if I need to do anything else (just to be safe)?

ComboFix 09-10-27.08 - Alex 10/28/2009 16:17.1.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2620 [GMT -7:00]

Running from: c:\a_recovery work\Windows XP SP3 ISO\ComboFix.exe

AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Alex\Application Data\inst.exe

c:\windows\AegisP.inf

c:\windows\emMON.exe

Infected copy of c:\windows\system32\drivers\iaStor.sys was found and disinfected

Restored copy from - Kitty ate it :)

.

((((((((((((((((((((((((( Files Created from 2009-09-28 to 2009-10-28 )))))))))))))))))))))))))))))))

.

2009-10-28 23:13 . 2008-04-14 07:10 96512 ----a-w- c:\windows\system32\drivers\atapi.sys

2009-10-28 22:32 . 2009-10-28 22:34 -------- d-----w- C:\A_recovery work

2009-10-28 19:21 . 2009-10-28 19:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo! Companion

2009-10-28 19:21 . 2009-10-28 19:21 -------- d-----w- c:\documents and settings\Alex\Application Data\Yahoo!

2009-10-28 19:21 . 2009-10-28 19:21 -------- d-----w- c:\program files\Yahoo!

2009-10-28 19:21 . 2009-10-28 19:21 -------- d-----w- c:\program files\CCleaner

2009-10-28 01:25 . 2009-10-28 01:25 -------- d-----w- c:\program files\DVDFab 6

2009-10-26 09:43 . 2009-10-26 09:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\ESET

2009-10-26 00:46 . 2009-10-26 01:28 -------- d-----w- C:\TDs

2009-10-25 21:26 . 2009-10-25 21:26 -------- d-----w- c:\documents and settings\All Users\Application Data\ESET

2009-10-25 20:35 . 2009-10-26 16:33 -------- d-----w- c:\program files\ESET

2009-10-25 18:57 . 2009-10-25 18:57 -------- d-----w- c:\program files\Trend Micro

2009-10-25 17:56 . 2009-10-25 18:02 -------- d-----w- c:\program files\TrojanDownloader.Win32.Agent.azg Removal Tool[1]

2009-10-25 10:41 . 2009-10-25 10:41 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

2009-10-25 01:53 . 2009-10-25 03:57 -------- d-----w- c:\program files\Common Files\DistributeShield

2009-10-25 01:40 . 2009-10-25 03:57 -------- d-----w- c:\documents and settings\All Users\Application Data\DShield

2009-10-24 02:20 . 2009-10-24 02:20 -------- d-----w- c:\documents and settings\Alex\SametimeMeetings

2009-10-17 05:38 . 2009-10-17 05:38 -------- d-----w- c:\documents and settings\Alex\Application Data\FLEXnet

2009-10-17 05:35 . 2009-10-17 05:38 -------- d-----w- c:\documents and settings\Alex\Application Data\Nuance

2009-10-16 10:17 . 2009-10-28 15:17 -------- d-----w- c:\program files\MagicISO

2009-10-16 08:52 . 2009-10-16 08:52 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith

2009-10-16 08:52 . 2009-10-16 08:52 -------- d-----w- c:\documents and settings\Alex\Local Settings\Application Data\TechSmith

2009-10-16 08:50 . 2009-10-16 08:50 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-10-16 08:50 . 2009-10-23 07:18 -------- d-----w- c:\program files\RapidBIT

2009-10-16 08:02 . 2009-10-16 09:30 -------- d-----w- c:\program files\TechSmith

2009-10-10 06:56 . 2009-10-10 06:57 -------- dc-h--w- c:\windows\ie8

2009-10-03 20:04 . 2008-09-09 03:58 49904 ----a-r- c:\windows\system32\drivers\BVRPMPR5.SYS

2009-10-03 20:02 . 2009-10-03 20:05 -------- d-----w- C:\Netgear

2009-10-03 19:59 . 2009-10-03 19:59 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-10-28 23:08 . 2009-05-30 08:23 -------- d-----w- c:\documents and settings\Alex\Application Data\Skype

2009-10-28 23:07 . 2009-09-07 06:07 -------- d-----w- c:\documents and settings\Alex\Application Data\.purple

2009-10-28 20:52 . 2007-11-30 18:51 -------- d-----w- c:\documents and settings\Alex\Application Data\webex

2009-10-28 17:43 . 2008-03-30 04:52 -------- d-----w- c:\documents and settings\Alex\Application Data\skypePM

2009-10-28 17:36 . 2007-12-01 03:29 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-10-28 15:35 . 2008-03-11 22:31 -------- d-----w- c:\program files\Common Files\Nero

2009-10-28 01:26 . 2007-12-03 04:32 -------- d-----w- c:\documents and settings\Alex\Application Data\Vso

2009-10-28 01:25 . 2007-12-03 04:32 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys

2009-10-28 01:25 . 2007-12-03 04:32 47360 ----a-w- c:\documents and settings\Alex\Application Data\pcouffin.sys

2009-10-25 11:01 . 2008-07-26 19:56 -------- d-----w- c:\documents and settings\Alex\Application Data\BitTyrant

2009-10-23 06:59 . 2009-10-23 06:59 137504 ----a-w- c:\windows\~GLC0000.TMP

2009-10-20 06:26 . 2009-09-07 06:05 -------- d-----w- c:\program files\Pidgin

2009-10-17 06:17 . 2008-10-25 22:53 145712 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT

2009-10-17 06:07 . 2008-07-27 02:21 878080 ----a-w- c:\windows\system32\iconv.dll

2009-10-17 06:07 . 2008-07-27 02:21 721920 ----a-w- c:\windows\system32\libxml2.dll

2009-10-17 06:07 . 2008-07-27 02:21 150016 ----a-w- c:\windows\system32\libxslt.dll

2009-10-17 06:07 . 2008-07-27 02:21 51200 ----a-w- c:\windows\system32\libexslt.dll

2009-10-17 05:35 . 2008-07-26 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Nuance

2009-10-17 05:29 . 2008-07-26 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft

2009-10-17 05:27 . 2008-07-27 13:14 -------- d-----w- c:\program files\Common Files\ScanSoft Shared

2009-10-17 05:27 . 2008-07-27 13:14 -------- d-----w- c:\program files\Nuance

2009-10-17 05:27 . 2008-01-16 08:06 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet

2009-09-26 03:02 . 2009-09-26 03:02 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-09-17 07:28 . 2009-09-03 22:06 -------- d-----w- c:\program files\WebEx

2009-09-14 02:52 . 2009-09-13 20:18 -------- d-----w- c:\program files\Microsoft Works

2009-09-13 20:24 . 2009-09-13 20:24 -------- d-----w- c:\documents and settings\Alex\Application Data\1.0.0.0

2009-09-12 11:26 . 2008-01-16 07:50 -------- d-----w- c:\program files\Common Files\Adobe

2009-09-12 09:19 . 2008-08-01 19:19 -------- d-----w- c:\program files\MSECache

2009-09-11 14:18 . 2008-02-24 04:14 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-09-10 21:54 . 2009-09-26 03:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-10 21:53 . 2009-09-26 03:02 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-09-10 05:51 . 2009-09-07 06:22 -------- d-----w- c:\documents and settings\Alex\Application Data\gtk-2.0

2009-09-09 22:04 . 2009-09-09 22:01 -------- d-----w- c:\program files\Microsoft User Agent String Utility

2009-09-09 21:09 . 2008-10-01 00:53 -------- d-----w- c:\program files\Microsoft Silverlight

2009-09-07 06:07 . 2009-09-07 06:06 -------- d-----w- c:\program files\Aspell

2009-09-07 06:05 . 2009-09-07 06:05 -------- d-----w- c:\program files\Common Files\GTK

2009-09-04 21:03 . 2006-02-28 12:00 58880 ----a-w- c:\windows\system32\msasn1.dll

2009-09-03 13:24 . 2009-09-03 13:24 -------- d-----w- c:\documents and settings\Alex\Application Data\Office Genuine Advantage

2009-09-03 09:11 . 2009-09-03 09:11 -------- d-----w- c:\documents and settings\Alex\Application Data\Malwarebytes

2009-09-03 09:11 . 2009-09-03 09:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-09-03 07:26 . 2009-09-03 07:23 -------- d-----w- c:\program files\Protector Suite QL

2009-09-03 07:23 . 2009-09-03 07:23 -------- d-----w- c:\program files\RSA

2009-09-03 00:58 . 2009-09-03 00:19 -------- d-----w- c:\program files\Common Files\Uninstall

2009-08-29 08:08 . 2006-02-28 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2009-08-26 08:00 . 2006-02-28 12:00 247326 ----a-w- c:\windows\system32\strmdll.dll

2009-08-19 02:05 . 2008-10-09 05:13 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL

2009-08-19 02:05 . 2008-10-09 05:13 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS

2009-08-18 18:59 . 2008-12-11 15:31 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys

2009-08-16 01:44 . 2009-06-20 22:44 1324 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-16 01:42 . 2009-06-20 21:27 8 ----a-w- c:\windows\system32\nvModes.dat

2009-08-07 02:24 . 2007-11-30 06:29 327896 ----a-w- c:\windows\system32\wucltui.dll

2009-08-07 02:24 . 2007-11-30 06:29 209632 ----a-w- c:\windows\system32\wuweb.dll

2009-08-07 02:24 . 2007-11-30 06:29 35552 ----a-w- c:\windows\system32\wups.dll

2009-08-07 02:24 . 2007-07-31 03:19 44768 ----a-w- c:\windows\system32\wups2.dll

2009-08-07 02:24 . 2007-11-30 06:29 53472 ----a-w- c:\windows\system32\wuauclt.exe

2009-08-07 02:24 . 2006-02-28 12:00 96480 ----a-w- c:\windows\system32\cdm.dll

2009-08-07 02:23 . 2007-11-30 06:29 575704 ----a-w- c:\windows\system32\wuapi.dll

2009-08-07 02:23 . 2008-05-10 21:12 274288 ----a-w- c:\windows\system32\mucltui.dll

2009-08-07 02:23 . 2007-11-30 06:29 1929952 ----a-w- c:\windows\system32\wuaueng.dll

2009-08-07 02:23 . 2007-07-31 02:18 215920 ----a-w- c:\windows\system32\muweb.dll

2009-08-05 09:01 . 2006-02-28 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-08-05 02:52 . 2009-08-05 02:52 1193832 ----a-w- c:\windows\system32\FM20.DLL

2009-08-04 15:13 . 2008-02-24 04:14 2145280 ----a-w- c:\windows\system32\ntoskrnl.exe

2009-08-04 14:20 . 2008-02-24 04:14 2023936 ----a-w- c:\windows\system32\ntkrnlpa.exe

2009-08-03 22:07 . 2009-08-03 22:07 403816 ----a-w- c:\windows\system32\OGACheckControl.dll

2009-08-03 22:07 . 2009-08-03 22:07 322928 ----a-w- c:\windows\system32\OGAAddin.dll

2009-08-03 22:07 . 2009-08-03 22:07 230768 ----a-w- c:\windows\system32\OGAEXEC.exe

2007-12-10 23:02 . 2007-12-10 23:02 34384 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

2008-01-11 17:04 . 2007-12-10 23:02 93774 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

2009-06-17 16:01 . 2009-06-17 16:01 100768 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

2008-06-19 09:16 . 2008-06-19 09:16 118784 ----a-w- c:\program files\mozilla firefox\plugins\MyCamera.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlay]

@="{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}"

[HKEY_CLASSES_ROOT\CLSID\{F2F31467-B1AC-4df0-AE79-FD5FA085E22B}]

2007-11-14 19:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UEAFOverlayOpen]

@="{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}"

[HKEY_CLASSES_ROOT\CLSID\{A3E208F7-0E3A-4182-A7A6-B169D5D691AA}]

2007-11-14 19:22 3186440 ----a-w- c:\program files\Protector Suite QL\farchns.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

"ISUSPM"="c:\documents and settings\All Users\Application Data\FLEXnet\Connect\11\ISUSPM.exe" [2008-11-18 210208]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

"cdloader"="c:\documents and settings\Alex\Application Data\mjusbsp\cdloader2.exe" [2008-08-22 50520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ThpSrv"="c:\windows\system32\thpsrv" [X]

"Nuance PDF Professional 6-reminder"="c:\program files\Nuance\PDF Professional 6\Ereg\Ereg.exe" [2008-11-03 54560]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

"VSClientFinder"="c:\program files\vsclient\VSClientFinder.exe" [2004-11-12 45056]

"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2008-04-10 2595792]

"TosHKCW.exe"="c:\program files\TOSHIBA\Wireless Hotkey\TosHKCW.exe" [2007-10-05 172032]

"TAudEffect"="c:\program files\TOSHIBA\TAudEffect\TAudEff.exe" [2006-08-10 344144]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]

"PSQLLauncher"="c:\program files\Protector Suite QL\launcher.exe" [2007-11-14 49416]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2006-02-28 455168]

"PDFHook"="c:\program files\Nuance\PDF Professional 6\pdfpro6hook.exe" [2009-07-24 2080768]

"PDF6 Registry Controller"="c:\program files\Nuance\PDF Professional 6\RegistryController.exe" [2009-06-30 111904]

"Omnipage"="c:\program files\ScanSoft\TextBridgePro11.0\opware32.exe" [2002-05-15 49152]

"NVRotateSysTray"="c:\windows\system32\nvsysrot.dll" [2008-01-30 49152]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-30 8495104]

"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-06-01 823296]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-06-01 974848]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2006-02-28 208952]

"IFXSPMGT"="c:\windows\system32\IFXSPMGT.exe" [2007-06-06 661024]

"IBM Lotus EasySync Pro"="c:\program files\Common Files\XCPCSync.OEM\Lotus.211.101\Translators\LtNts4\NtsAgnt.exe" [2006-08-17 61440]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]

"DpUtil"="c:\program files\TOSHIBA\DualPointUtility\TEDTray.exe" [2005-06-29 155648]

"DDWMon"="c:\program files\TOSHIBA\TOSHIBA Direct Disc Writer\\ddwmon.exe" [2007-04-14 311296]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2002-12-25 159744]

"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]

"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2008-04-10 136472]

"00THotkey"="c:\windows\system32\00THotkey.exe" [2006-07-05 258048]

"TFNF5"="TFNF5.exe" - c:\windows\system32\TFNF5.exe [2006-04-11 622592]

"TFncKy"="TFncKy.exe" [bU]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-04-13 16132608]

"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-01-30 1626112]

"NDSTray.exe"="NDSTray.exe" [bU]

"000StTHK"="000StTHK.exe" - c:\windows\system32\000StTHK.exe [2001-06-23 24576]

c:\documents and settings\Alex\Start Menu\Programs\Startup\

ZoomIt.lnk - c:\tools and apps\Alt Zoom\ZoomIt.exe [2008-2-14 148520]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]

2007-11-14 19:07 96008 ----a-w- c:\windows\system32\psqlpwd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ scecli psqlpwd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"c:\\Program Files\\Hewlett-Packard\\HP Install Network Printer Wizard\\hpjsi.exe"=

"c:\\Program Files\\Drobo\\Drobo Dashboard\\DroboDashboard.exe"=

"c:\\Program Files\\IBM\\Sametime Connect\\jre\\bin\\sametime75.exe"=

"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=

"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\NetMeeting\\conf.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Documents and Settings\\Alex\\Application Data\\mjusbsp\\magicJack.exe"=

"c:\\Program Files\\BitTyrant\\Azureus.exe"=

"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

"c:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"c:\\Program Files\\D-Link\\Installation Wizard\\InstallationWizard.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

"86:TCP"= 86:TCP:BroadCam Video Streaming Server TCP/IP Port

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1007020.00B\SymEFA.sys [8/31/2009 4:01 PM 310320]

R0 Thpdrv;TOSHIBA HDD Protection Driver;c:\windows\system32\drivers\thpdrv.sys [4/27/2007 11:19 AM 21120]

R0 Thpevm;TOSHIBA HDD Protection - Shock Sensor Driver;c:\windows\system32\drivers\Thpevm.sys [3/9/2007 4:23 PM 6528]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1007020.00B\BHDrvx86.sys [8/31/2009 4:01 PM 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1007020.00B\cchpx86.sys [8/31/2009 4:01 PM 482432]

R1 hwinterface;hwinterface;c:\windows\system32\drivers\hwinterface.sys [4/21/2009 5:28 PM 3026]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20091021.001\IDSXpx86.sys [10/22/2009 12:05 PM 329080]

R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [6/5/2007 5:07 PM 39080]

R2 DisplayLinkService;DisplayLink Service;c:\program files\DisplayLink Core Software\DisplayLinkService.exe [12/18/2008 9:27 AM 447848]

R2 FGR Service;FGR Service;c:\program files\744_Fiberlink\Fgrd.exe [3/3/2003 4:51 PM 57344]

R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe [8/31/2009 4:01 PM 117640]

R2 PDFProFiltSrv;PDFProFiltSrv;c:\program files\Nuance\PDF Professional 6\PDFProFiltSrv.exe [6/30/2009 4:49 PM 134944]

R2 PMEM ;PMEM ;c:\windows\system32\drivers\pmemnt.sys [8/17/2006 3:49 PM 7168]

R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [4/27/2009 6:09 PM 93960]

R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [3/26/2007 1:22 PM 105856]

R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2/19/2007 1:15 PM 134016]

R3 Eacfilt;Eacfilt Miniport;c:\windows\system32\drivers\eacfilt.sys [2/25/2008 11:10 AM 24521]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/26/2009 11:52 PM 102448]

R3 IFXTPM;IFXTPM;c:\windows\system32\drivers\ifxtpm.sys [6/5/2007 5:08 PM 36608]

R3 TEchoCan;Toshiba Audio Effect;c:\windows\system32\drivers\TEchoCan.sys [2/25/2008 2:43 AM 435072]

S2 FlexService;Remote Connections Service;"c:\program files\RapidBIT\cisvc.exe" --> c:\program files\RapidBIT\cisvc.exe [?]

S2 VnxTcp;VnxTcp;c:\windows\system32\drivers\vnxtcp.sys [2/25/2008 11:11 AM 159576]

S3 ASINDIS5;ASINDIS5 Protocol Driver;c:\windows\system32\ASINDIS5.sys [2/17/2008 1:43 AM 16302]

S3 DisplayLinkGA;DisplayLinkGA;c:\windows\system32\drivers\DisplayLinkGAport.sys [12/18/2008 9:27 AM 20736]

S3 DisplayLinkmirror;DisplayLinkmirror;c:\windows\system32\drivers\DisplayLinkmirrorport.sys [12/18/2008 9:27 AM 18944]

S3 DisplayLinkUsbPort;DisplayLink USB Device;c:\windows\system32\drivers\DisplayLinkUsbPort.sys [4/26/2009 8:22 PM 20992]

S3 ExtranetAccess;Contivity VPN Service;c:\program files\Nortel Networks\Extranet_serv.exe [2/25/2008 11:10 AM 811008]

S3 IPSECEXT;Nortel Extranet Access Protocol;c:\windows\system32\drivers\ipsecw2k.sys [2/25/2008 11:10 AM 155280]

S3 PCIUtil;PCI Utility;\??\c:\docume~1\Alex\LOCALS~1\Temp\PCIUtil.sys --> c:\docume~1\Alex\LOCALS~1\Temp\PCIUtil.sys [?]

S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;c:\windows\system32\drivers\RTL8150.SYS [5/10/2006 4:22 PM 22842]

S3 WLRAWMp50x86;WLRAWMp50x86 NDIS Protocol Driver;c:\windows\system32\Drivers\WLRAWMp50x86.sys --> c:\windows\system32\Drivers\WLRAWMp50x86.sys [?]

S3 WLRAWSp50x86;WLRAWSp50x86 NDIS Protocol Driver;c:\windows\system32\Drivers\WLRAWSp50x86.sys --> c:\windows\system32\Drivers\WLRAWSp50x86.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HPService REG_MULTI_SZ HPSLPSVC

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Neat ADF Scanner 2008]

reg copy "HKLM\Software\The Neat Company\Neat ADF Scanner 2008" "HKCU\Software\The Neat Company\Neat ADF Scanner 2008" /s /f

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1F92EBFD-3382-4747-BF58-B6B1BB2B996C}]

"c:\program files\UninstallScripts\IPSec 06_01.054\Install.wsf" //job:ActiveSetup

.

Contents of the 'Scheduled Tasks' folder

2009-10-28 c:\windows\Tasks\Security Platform Backup Schedule.job

- c:\program files\Infineon\Security Platform Software\SpBackupWz.exe [2007-06-06 00:07]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.cnn.com/

IE: Append the content of the link to existing PDF file - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

IE: Append the content of the selected links to existing PDF file - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIEAppendSelLinks.HTML

IE: Append to existing PDF file - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIEAppend.HTML

IE: Create PDF file - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

IE: Create PDF file from the content of the link - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIECapture.HTML

IE: Create PDF files from the selected links - c:\program files\Nuance\PDF Professional 6\Bin\ZeonIEFavClient.dll/ZeonIECaptureSelLinks.HTML

IE: Open with Nuance PDF Converter 6.0 - c:\program files\Nuance\PDF Professional 6\cnvres_eng.dll /100

IE: Open with PDF Professional 6 - c:\program files\Nuance\PDF Professional 6\Bin\PlusIEContextMenu.dll/PlusIEContextMenu.htm

Trusted Zone: boeing.com

Trusted Zone: boeing.com\vtr2b.web

Trusted Zone: boeng.com\vtr2b.web

Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll

DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings_POTT20009/include/vzTCPConfig.CAB

DPF: {544E07A8-DFE4-4281-85DC-D54C3DFE398A} - hxxps://encryptemail.web.boeing.com/certweb/CertXCtrl/CertTool.CAB

FF - ProfilePath - c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\0ajuudiw.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.cnn.com/

FF - prefs.js: network.proxy.type - 4

FF - component: c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\0ajuudiw.default\extensions\{6FF1D3C4-61BC-4021-89B7-AF8A8F784EBB}\components\snagitmozextension.dll

FF - component: c:\documents and settings\Alex\Application Data\Mozilla\Firefox\Profiles\0ajuudiw.default\extensions\passwordbank@upek.com\components\pbgk1_91.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPCIG.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\NPTURNMED.dll

FF - plugin: c:\program files\Nuance\PDF Professional 6\Bin\nppdf.dll

FF - plugin: c:\program files\Nuance\PDF Professional 6\bin\nppdf.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-10-28 16:24

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton AntiVirus]

"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(268)

c:\windows\system32\vrlogon.dll

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\infql2.dll

c:\program files\Protector Suite QL\homepass.dll

c:\program files\Protector Suite QL\bio.dll

c:\program files\Protector Suite QL\qlbase.dll

c:\program files\Protector Suite QL\biokmd.dll

- - - - - - - > 'lsass.exe'(324)

c:\windows\system32\relog_ap.dll

c:\windows\system32\psqlpwd.dll

c:\program files\Protector Suite QL\homefus2.dll

c:\program files\Protector Suite QL\infql2.dll

.

Completion time: 2009-10-28 16:27

ComboFix-quarantined-files.txt 2009-10-28 23:27

Pre-Run: 185,198,817,280 bytes free

Post-Run: 185,945,796,608 bytes free

- - End Of File - - 14A89FAD2A91011DA26B2BA095F09439

  • Staff

Hi,

Thank you for the kind words :)

This log looks OK again. I see Combofix found the infected iastor.sys and restored it with a clean copy.

* Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

  • 2 weeks later...
  • Staff

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
