Please Help - Browser hijacks & Viruses

AllanG · January 23, 2010

Good evening,

I have been suffering since this past Tuesday with some serious laptop nastiness. All of a sudden, when using FireFox 3.5.3 on my WinXP SP2 machine, I get random Google redirects to other strange websites like ResistryDefender, gcion, and others that offer to fix spyware. Sometimes, when I'm on a known good website, a new tab will open in FireFox all by itself and bring up one of these unwanted websites. FireFox has crashed several times as well. This is all behavior I have never seen in the past and I have always run Symantic AntiVirus and Symantic Client Firewall (both with newest rules/signatures).

The last 2 days, my Symantic AV was able to find and remove several viruses - JS.SecurityToolFraud.B , Bllodhound.Exploit.193, and Trojan.Pidief.G. MBAM was able to identify and remove Trojan.Vundo and Rootkit.TDSS.

I am attaching all the relevant details in the sincere desperate hope that you can help me. I have also disabled System Restore, ran Defogger, DDS and GMER

Thank you in advance....

First time I ran MBAM:

Malwarebytes' Anti-Malware 1.44

Database version: 3606

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

01/20/10 9:58:44 PM

mbam-log-2010-01-20 (21-58-44).txt

Scan type: Full Scan (C:\|)

Objects scanned: 284672

Time elapsed: 1 hour(s), 13 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Program Files\SQLLIB\bin\db2ccar.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\2DSP4XY3\z002102801r0409R0143fdeeXdac2d19aY9196a06aZ03003f3530dP000601080[1] (Rootkit.TDSS) -> Quarantined and deleted successfully.

*****************************************************

MBAM results from today:

Malwarebytes' Anti-Malware 1.44

Database version: 3619

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

01/23/10 11:07:12 AM

mbam-log-2010-01-23 (11-07-12).txt

Scan type: Full Scan (C:\|)

Objects scanned: 282127

Time elapsed: 1 hour(s), 10 minute(s), 41 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

*********************************************

Defogger output:

defogger_disable by jpshortstuff (28.11.09.2)

Log created at 12:43 on 23/01/2010 (agunz)

Checking for autostart values...

HKCU\~\Run values retrieved.

HKLM\~\Run values retrieved.

Checking for services/drivers...

-=E.O.F=-

**********************************************

DDS.txt :

DDS (Ver_09-12-01.01) - NTFSx86

Run by agunz at 12:49:26.15 on 01/23/10

Internet Explorer: 6.0.2900.2180

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2348 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *enabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Drivers\trcboot.exe

C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE

C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

C:\WINDOWS\system32\acs.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

C:\Program Files\C4ebreg\c4ebreg.exe

c:\sdwork\issimsvc.exe

C:\notes\ntmulti.exe

C:\Program Files\AT&T Network Client\NetCfgSv.EXE

c:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

C:\Program Files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

C:\WINDOWS\System32\TPHDEXLG.exe

C:\WINDOWS\system32\TpKmpSVC.exe

C:\Program Files\Common Files\Lenovo\Scheduler\tvtsched.exe

C:\Program Files\Viewpoint\Common\ViewpointService.exe

C:\WINDOWS\system32\Drivers\ldlcserv.exe

C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\lenovo\system update\suservice.exe

C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\C4ebreg\isamtray.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\PROGRA~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\TpShocks.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~2\SYMANT~2\VPTray.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\Lexmark 8300 Series\lxcjmon.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe

C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe

C:\Program Files\IBM\Personal Communications\tpam.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Belkin\F5D8011v1\Belkinwcui.exe

C:\Program Files\Lexmark 8300 Series\ezprint.exe

C:\Program Files\Quicken\bagent.exe

C:\Program Files\IBM\Infoprint Select\ipnotify.exe

C:\Documents and Settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe

C:\WINDOWS\system32\lxcjcoms.exe

C:\Documents and Settings\Administrator\Desktop\malware\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://w3.watson.ibm.com/

mDefault_Page_URL = hxxp://w3.ibm.com

uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/

uInternet Settings,ProxyOverride = <local>;*.local

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\ibm\java50\jre\bin\ssv.dll

uRun: [AWMON] "c:\program files\lavasoft\ad-aware se plus\Ad-Watch.exe"

uRun: [QuickenScheduledUpdates] c:\program files\quicken\bagent.exe

mRun: [iMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC

mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName

mRun: [iSAMTray] "c:\program files\c4ebreg\isamtray.exe"

mRun: [stgclean] c:\sdwork\w32main2.exe /cleanup

mRun: [synTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [synTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [TPHOTKEY] c:\progra~1\lenovo\pkgmgr\hotkey\TPHKMGR.exe

mRun: [PWRMGRTR] rundll32 c:\progra~1\thinkpad\utilit~1\PWRMGRTR.DLL,PwrMgrBkGndMonitor

mRun: [bLOG] rundll32 c:\progra~1\thinkpad\utilit~1\BatLogEx.DLL,StartBattLog

mRun: [TpShocks] TpShocks.exe

mRun: [TP4EX] tp4ex.exe

mRun: [TPKMAPHELPER] c:\program files\thinkpad\utilities\TpKmapAp.exe -helper

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [C4EBReg] "c:\program files\c4ebreg\c4ebreg.exe" /q

mRun: [soundMAX] c:\program files\analog devices\soundmax\Smax4.exe /tray

mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"

mRun: [vptray] c:\progra~1\symant~2\symant~2\VPTray.exe

mRun: [<NO NAME>]

mRun: [soundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe

mRun: [igfxpers] c:\windows\system32\igfxpers.exe

mRun: [TVT Scheduler Proxy] c:\program files\common files\lenovo\scheduler\scheduler_proxy.exe

mRun: [lxcjmon.exe] "c:\program files\lexmark 8300 series\lxcjmon.exe"

mRun: [iSAM SMT Service] "c:\program files\c4ebreg\isamsmt.exe"

mRun: [RescueRecoverySetPW] c:\sdwork\Rescue&RecoverySetPW.lnk

mRun: [ACTray] c:\program files\thinkpad\connectutilities\ACTray.exe

mRun: [ACWLIcon] c:\program files\thinkpad\connectutilities\ACWLIcon.exe

mRun: [Tpam.exe] "c:\program files\ibm\personal communications\tpam.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [F5D8011] c:\program files\belkin\f5d8011v1\Belkinwcui.exe

mRun: [MyHelpService] "c:\program files\ibm\my help\plugins\com.ibm.myhelp.installer\service\delayStart.exe"

mRun: [PSQLLauncher] "c:\program files\thinkvantage fingerprint software\launcher.exe" /startup

mRun: [pmonmh] c:\program files\ibm\my help\plugins\\com.ibm.myhelp.common_1.2.23/pmonmh.exe

mRun: [LXCJCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCJtime.dll,_RunDLLEntry@16

mRun: [EzPrint] "c:\program files\lexmark 8300 series\ezprint.exe"

mRun: [sansaDispatch] c:\program files\sandisk\sansa updater\SansaDispatch.exe

mRun: [iSSI Service] "c:\sdwork\issimsvc.exe"

StartupFolder: c:\docume~1\admini~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\administrator\application data\dropbox\bin\Dropbox.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\infopr~1.lnk - c:\program files\ibm\infoprint select\ipnotify.exe

uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\thinkpad\bluetooth software\btsendto_ie_ctx.htm

IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\thinkpad\bluetooth software\btsendto_ie.htm

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} - c:\program files\ibm\java50\jre\bin\ssv.dll

LSP: c:\windows\system32\hummingbird\connectivity\8.00\socks\\hclsock5.dll

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab

DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab

DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} - hxxp://

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://

DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.InsightNoHelp.en.cab

DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab

DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} - hxxp://usbldprt05.boulder.ibm.com/tools/print/plugin/gpwsx.cab

DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://

Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL

Handler: saphtmlp - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sappc\sapgui\SAPHTMLP.DLL

Handler: sapr3 - {D1F8BD1E-7967-11D2-B43A-006094B9EADB} - c:\program files\sappc\sapgui\SAPHTMLP.DLL

Notify: ACNotify - ACNotify.dll

Notify: atmgrtok - atmgrtok.dll

Notify: igfxcui - igfxdev.dll

Notify: NavLogon - c:\windows\system32\NavLogon.dll

Notify: pcsinst - pcsinst.dll

Notify: tpfnf2 - notifyf2.dll

Notify: tphotkey - tphklock.dll

LSA: Notification Packages = scecli ACGina

mASetup: {3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C} - "c:\program files\hummingbird\connectivity\12.00\accessories\HumSettings.exe" INSTALL=ALL NoFreeWhenWOW64=1

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\z8rf0hzz.default\

FF - prefs.js: browser.search.selectedEngine - IBM BluePages

FF - prefs.js: browser.startup.homepage - w3.ibm.com

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava11.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava12.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava13.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava14.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJava32.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPJPI150.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\NPOJI610.dll

FF - plugin: c:\program files\ibm\java50\jre\bin\npwebscl.dll

FF - plugin: c:\program files\mozilla firefox\extensions\ibm-cck@firefox-extensions.ibm.com\platform\winnt_x86-msvc\plugins\npaddtonab.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npaddtonab.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npcpsweb.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npstloader.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npwebscl.dll

FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [2007-9-28 19504]

R1 SAVRT;SAVRT;c:\program files\symantec client security\symantec antivirus\savrt.sys [2006-9-6 337592]

R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec client security\symantec antivirus\Savrtpel.sys [2006-9-6 54968]

R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]

R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\ccProxy.exe [2006-7-19 202400]

R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]

R2 SavRoam;SAVRoam;c:\program files\symantec client security\symantec antivirus\SavRoam.exe [2006-9-27 116464]

R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec client security\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-4-1 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-1-20 102448]

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100122.007\naveng.sys [2010-1-22 84912]

R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100122.007\navex15.sys [2010-1-22 1323568]

S3 gwiopm;gwiopm;\??\c:\program files\wst\gwiopm.sys --> c:\program files\wst\gwiopm.sys [?]

S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [2009-10-9 6016]

S3 pf_usb;Kensington Digital Frame Service;c:\windows\system32\drivers\PF_USB.sys [2006-11-10 17036]

S3 XJCRNIFLTTK;XJCRNIFLTTK;c:\docume~1\admini~1\locals~1\temp\XJCRNIFLTTK.exe [2010-1-23 412544]

S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\drivers\XLoader.sys [2004-11-26 13696]

=============== Created Last 30 ================

2010-01-23 17:43:04 0 ----a-w- c:\documents and settings\administrator\defogger_reenable

2010-01-22 23:24:46 0 d-----w- c:\program files\Trend Micro

2010-01-21 01:15:18 0 d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes

2010-01-21 01:15:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-21 01:15:12 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-21 01:15:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-21 01:15:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes

2010-01-21 00:56:54 0 d-----w- c:\temp\SpyDLLRemover

2010-01-19 22:09:15 0 d-----w- c:\program files\Spybot - Search & Destroy

2010-01-19 22:09:15 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2010-01-15 17:27:56 0 d-----w- c:\program files\My Company Name

2010-01-15 17:21:46 43627 ----a-w- c:\documents and settings\administrator\install.xml

2010-01-15 17:21:28 0 d-----w- C:\notes7bkp

==================== Find3M ====================

2010-01-21 13:59:10 874240 ----a-w- c:\windows\system32\drivers\iaStor.sys

2009-12-21 19:45:56 2256 ----a-w- c:\windows\current_settings.bin

2009-12-10 16:42:21 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys

2009-11-17 18:57:03 64792 ----a-w- c:\windows\isamunin.exe

2009-11-16 17:35:44 61520 ----a-w- c:\docume~1\admini~1\applic~1\GDIPFONTCACHEV1.DAT

2009-10-29 05:48:04 662016 ----a-w- c:\windows\system32\wininet.dll

2008-05-14 18:49:48 139 ----a-w- c:\program files\wsmjunk.txt

============= FINISH: 12:50:09.50 ===============

****************************************************************

Attach.zip includes ARK.txt and Attach.TXT

Attach.zip

Thank you again, Allan

miekiemoes · January 25, 2010

Hi,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix..This because Security Software may see some components ComboFix uses (prep.com for example) as suspicious and blocks the tool, or even deletes it. Please visit HERE if you don't know how.

AllanG · January 25, 2010

Thank you for getting back to me :-)

Here is the log from ComboFix:

ComboFix 10-01-24.05 - agunz 01/25/10 13:38:58.1.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2465 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\All Users\Start Menu\Internet Explorer.lnk

c:\recycler\S-1-5-21-1202660629-2077806209-682003330-500

c:\recycler\S-1-5-21-3030458479-2410203345-1438871821-500

c:\windows\winhelp.ini

c:\windows\system32\Drivers\iaStor.sys . . . is infected!!

.

((((((((((((((((((((((((( Files Created from 2009-12-25 to 2010-01-25 )))))))))))))))))))))))))))))))

.

2010-01-22 23:50 . 2010-01-22 23:50 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe

2010-01-22 23:24 . 2010-01-22 23:24 -------- d-----w- c:\program files\Trend Micro

2010-01-21 01:15 . 2010-01-21 01:15 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2010-01-21 01:15 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-01-21 01:15 . 2010-01-21 01:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-01-21 01:15 . 2010-01-21 01:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2010-01-21 01:15 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-01-21 00:56 . 2010-01-21 00:56 -------- d-----w- c:\temp\SpyDLLRemover

2010-01-19 22:09 . 2010-01-22 12:13 -------- d-----w- c:\program files\Spybot - Search & Destroy

2010-01-19 22:09 . 2010-01-21 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2010-01-15 17:27 . 2010-01-15 17:27 -------- d-----w- c:\program files\My Company Name

2010-01-15 17:21 . 2010-01-15 17:21 -------- d-----w- C:\notes7bkp

2010-01-05 15:06 . 2010-01-05 15:06 84912 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVENG.SYS

2010-01-05 15:06 . 2010-01-05 15:06 177520 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVENG32.DLL

2010-01-05 15:06 . 2010-01-05 15:06 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVEX32A.DLL

2010-01-05 15:06 . 2010-01-05 15:06 1323568 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\NAVEX15.SYS

2010-01-05 15:06 . 2010-01-05 15:06 371248 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\EECTRL.SYS

2010-01-05 15:06 . 2010-01-05 15:06 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\CCERASER.DLL

2010-01-05 15:06 . 2010-01-05 15:06 259440 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\ECMSVR32.DLL

2010-01-05 15:06 . 2010-01-05 15:06 102448 ----a-w- c:\documents and settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\I2_LDVP.VDB\vd304804.vdb\ERASER.SYS

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-01-25 18:51 . 2006-03-27 21:50 -------- d-----w- c:\program files\WST

2010-01-25 18:50 . 2009-09-04 14:42 -------- d-----w- c:\documents and settings\Administrator\Application Data\Dropbox

2010-01-25 18:48 . 2005-04-05 17:21 -------- d-----w- c:\program files\C4ebreg

2010-01-25 18:28 . 2006-11-10 17:32 -------- d-----w- c:\program files\Lx_cats

2010-01-25 16:50 . 2007-04-27 14:58 40 ----a-w- c:\windows\system32\profile.dat

2010-01-25 16:47 . 2006-01-24 00:45 -------- d-----w- c:\program files\Common Files\Symantec Shared

2010-01-25 14:39 . 2006-08-26 02:10 -------- d-----w- c:\program files\AT&T Network Client

2010-01-24 16:10 . 2006-02-13 10:24 874240 ------w- c:\windows\system32\drivers\iaStor.sys

2010-01-23 03:56 . 2006-04-12 02:08 -------- d-----w- c:\program files\Common Files\Adobe

2009-12-21 19:45 . 2007-04-17 14:02 2256 ----a-w- c:\windows\current_settings.bin

2009-12-21 12:51 . 2007-06-06 21:46 -------- d-----w- c:\program files\SanDisk

2009-12-21 12:50 . 2009-12-21 12:51 79872 ----a-w- c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaDispatch.exe

2009-12-21 12:50 . 2009-12-21 12:50 574344 ----a-w- c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaUpdater.exe

2009-12-21 12:50 . 2009-12-21 12:50 354744 ----a-w- c:\documents and settings\Administrator\Application Data\SanDisk\Sansa Updater\SansaUpdaterInstall.exe

2009-12-21 12:50 . 2009-12-21 12:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\SanDisk

2009-12-10 16:42 . 2009-10-09 15:28 6016 ----a-w- c:\windows\system32\drivers\isamfilter.sys

2009-11-17 18:57 . 2005-07-29 18:05 64792 ----a-w- c:\windows\isamunin.exe

2009-11-05 20:05 . 2005-04-04 18:17 61520 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-10-29 05:48 . 2004-08-04 05:00 662016 ----a-w- c:\windows\system32\wininet.dll

2008-05-14 18:49 . 2008-05-14 18:49 139 ----a-w- c:\program files\wsmjunk.txt

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2009-09-02 23:45 77824 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2009-09-02 23:45 77824 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2009-09-02 23:45 77824 ----a-w- c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"QuickenScheduledUpdates"="c:\program files\Quicken\bagent.exe" [2007-05-07 87592]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pmonmh"="c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.2.23" [X]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]

"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]

"ISAMTray"="c:\program files\C4ebreg\isamtray.exe" [2009-11-17 285976]

"stgclean"="c:\sdwork\w32main2.exe" [2009-11-24 297472]

"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-08-26 110592]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-08-26 512000]

"TPHOTKEY"="c:\progra~1\Lenovo\PkgMgr\HOTKEY\TPHKMGR.exe" [2006-07-25 94208]

"PWRMGRTR"="c:\progra~1\ThinkPad\UTILIT~1\PWRMGRTR.DLL" [2007-09-21 200704]

"BLOG"="c:\progra~1\ThinkPad\UTILIT~1\BatLogEx.DLL" [2007-09-21 208896]

"TpShocks"="TpShocks.exe" [2007-09-28 181544]

"TP4EX"="tp4ex.exe" [2005-10-17 65536]

"TPKMAPHELPER"="c:\program files\ThinkPad\Utilities\TpKmapAp.exe" [2006-06-03 856064]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-11-16 127035]

"C4EBReg"="c:\program files\C4ebreg\c4ebreg.exe" [2009-11-17 478488]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]

"vptray"="c:\progra~1\SYMANT~2\SYMANT~2\VPTray.exe" [2006-09-28 125168]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-15 141848]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-08-15 162328]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-08-15 137752]

"TVT Scheduler Proxy"="c:\program files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe" [2008-03-04 487424]

"lxcjmon.exe"="c:\program files\Lexmark 8300 Series\lxcjmon.exe" [2005-09-30 200704]

"ACTray"="c:\program files\ThinkPad\ConnectUtilities\ACTray.exe" [2006-12-25 409600]

"ACWLIcon"="c:\program files\ThinkPad\ConnectUtilities\ACWLIcon.exe" [2006-12-25 110592]

"Tpam.exe"="c:\program files\IBM\Personal Communications\tpam.exe" [2005-09-06 28672]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]

"F5D8011"="c:\program files\Belkin\F5D8011v1\Belkinwcui.exe" [2006-06-06 1613824]

"LXCJCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCJtime.dll" [2005-09-08 73728]

"EzPrint"="c:\program files\Lexmark 8300 Series\ezprint.exe" [2005-08-01 94208]

"ISSI Service"="c:\sdwork\issimsvc.exe" [2009-12-10 241392]

"w32msgr"="c:\sdwork\w32maing.exe" [2010-01-25 266752]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\

Dropbox.lnk - c:\documents and settings\Administrator\Application Data\Dropbox\bin\Dropbox.exe [2009-9-2 26785147]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Infoprint Select Notification.lnk - c:\program files\IBM\Infoprint Select\ipnotify.exe [2009-10-13 143360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pcsinst]

2005-09-06 18:43 49152 ----a-w- c:\windows\system32\pcsinst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpfnf2]

2005-07-06 04:45 28672 ----a-w- c:\windows\system32\notifyf2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tphotkey]

2006-08-26 01:43 24576 ------w- c:\windows\system32\tphklock.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pmonmh]

c:\program files\IBM\My Help\plugins\\com.ibm.myhelp.common_1.2.23 [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

2005-08-01 12:05 94208 ----a-w- c:\program files\Lexmark 8300 Series\ezprint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\F5D8011]

2006-06-06 03:23 1613824 ----a-w- c:\program files\Belkin\F5D8011v1\Belkinwcui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXCJCATS]

2005-09-08 18:45 73728 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\lxcjtime.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickenScheduledUpdates]

2007-05-07 18:17 87592 ----a-w- c:\program files\Quicken\bagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

"IBMconfig"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Hummingbird\\Connectivity\\12.00\\Exceed\\exceed.exe"=

"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

R0 TPDIGIMN;TPDIGIMN;c:\windows\system32\drivers\ApsHM86.sys [09/28/07 4:28 PM 19504]

R2 SavRoam;SAVRoam;c:\program files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe [09/27/06 7:33 PM 116464]

R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [04/01/08 9:00 AM 24652]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [01/20/10 7:21 AM 102448]

S3 gwiopm;gwiopm;\??\c:\program files\wst\gwiopm.sys --> c:\program files\wst\gwiopm.sys [?]

S3 IsamFilter;IsamFilter;c:\windows\system32\drivers\isamfilter.sys [10/09/09 10:28 AM 6016]

S3 pf_usb;Kensington Digital Frame Service;c:\windows\system32\drivers\PF_USB.sys [11/10/06 12:13 PM 17036]

S3 XJCRNIFLTTK;XJCRNIFLTTK;c:\docume~1\ADMINI~1\LOCALS~1\Temp\XJCRNIFLTTK.exe --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\XJCRNIFLTTK.exe [?]

S3 XLoader;PLEXTOR EZ-USB FX2 FIRMWARE LOADER (XLoader.sys);c:\windows\system32\drivers\XLoader.sys [11/26/04 12:13 PM 13696]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{3D82B0C3-AAFA-400E-B2D1-46B7AD38AB8C}]

2006-06-29 12:00 99920 ----a-w- c:\program files\Hummingbird\Connectivity\12.00\Accessories\HumSettings.exe

.

Contents of the 'Scheduled Tasks' folder

2010-01-25 c:\windows\Tasks\PMTask.job

- c:\progra~1\ThinkPad\UTILIT~1\PWMIDTSK.EXE [2006-08-26 06:19]

.

------- Supplementary Scan -------

.

uStart Page = hxxp://w3.watson.ibm.com/

uInternet Connection Wizard,ShellNext = hxxp://w3.ibm.com/

uInternet Settings,ProxyOverride = <local>;*.local

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

IE: Send to &Bluetooth Device... - c:\program files\ThinkPad\Bluetooth Software\btsendto_ie_ctx.htm

LSP: c:\windows\system32\Hummingbird\Connectivity\8.00\Socks\\hclsock5.dll

Trusted Zone: turbotax.com

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {1ACECAFE-0015-0000-0000-ABCDEFFEDCBA} - hxxp://

DPF: {8C28EFD7-767B-11D1-844B-0060972DC2AC} - hxxps://w3-03.ibm.com/Hyperion/zeroadmin/component/Brio.InsightNoHelp.en.cab

DPF: {9519B2A2-6592-4E41-8290-D0298459270C} - hxxp://w3.ibm.com/bluepages/scripts/lnwebassist.cab

DPF: {A4B28810-11A2-4956-82D1-B2DCBA4B2AFD} - hxxp://usbldprt05.boulder.ibm.com/tools/print/plugin/gpwsx.cab

FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\z8rf0hzz.default\

FF - prefs.js: browser.search.selectedEngine - IBM BluePages

FF - prefs.js: browser.startup.homepage - w3.ibm.com

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava11.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava12.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava13.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava14.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJava32.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPJPI150.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\NPOJI610.dll

FF - plugin: c:\program files\IBM\Java50\jre\bin\npwebscl.dll

FF - plugin: c:\program files\Mozilla Firefox\extensions\IBM-cck@firefox-extensions.ibm.com\platform\WINNT_x86-msvc\plugins\npaddtonab.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npaddtonab.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npcpsweb.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npstloader.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npwebscl.dll

FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-AWMON - c:\program files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe

HKLM-Run-ISAM SMT Service - c:\program files\C4ebreg\isamsmt.exe

HKLM-Run-RescueRecoverySetPW - c:\sdwork\Rescue&RecoverySetPW.lnk

HKLM-Run-MyHelpService - c:\program files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\delayStart.exe

HKLM-Run-PSQLLauncher - c:\program files\Thinkvantage Fingerprint Software\launcher.exe

HKLM-Run-SansaDispatch - c:\program files\SanDisk\Sansa Updater\SansaDispatch.exe

Notify-ACNotify - ACNotify.dll

Notify-atmgrtok - atmgrtok.dll

MSConfigStartUp-MyHelpService - c:\program files\IBM\My Help\plugins\com.ibm.myhelp.installer\service\delayStart.exe

MSConfigStartUp-PSQLLauncher - c:\program files\Thinkvantage Fingerprint Software\launcher.exe

AddRemove-InstallShield_{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-01-25 13:49

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AA00856]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf763bfc3

\Driver\ACPI -> ACPI.sys @ 0xf75aecb8

\Driver\atapi -> atapi.sys @ 0xf74827b4

\Driver\iaStor -> iaStor.sys @ 0xf7b1bb58

IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x8059c876

ParseProcedure -> ntoskrnl.exe @ 0x8057016c

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x8059c876

ParseProcedure -> ntoskrnl.exe @ 0x8057016c

NDIS: 11a/b/g Wireless LAN Mini PCI Express Adapter -> SendCompleteHandler -> NDIS.sys @ 0xba75cbc3

PacketIndicateHandler -> NDIS.sys @ 0xba74aa0b

SendHandler -> NDIS.sys @ 0xba75eb31

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1068)

c:\program files\ThinkPad\ConnectUtilities\ACNotify.dll

c:\program files\ThinkPad\ConnectUtilities\AcSvcStub.dll

c:\program files\ThinkPad\ConnectUtilities\AcLocSettings.dll

c:\program files\ThinkPad\ConnectUtilities\ACHelper.dll

c:\windows\system32\tphklock.dll

c:\program files\IBM\Personal Communications\atmgrtok.dll

c:\program files\IBM\Personal Communications\MILLUTIL.DLL

c:\windows\system32\pcsinst.dll

- - - - - - - > 'lsass.exe'(1124)

c:\windows\system32\Hummingbird\Connectivity\8.00\Socks\hclsock5.dll

- - - - - - - > 'explorer.exe'(4528)

c:\documents and settings\Administrator\Application Data\Dropbox\bin\DropboxExt.3.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\ibmpmsvc.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe

c:\program files\Common Files\Symantec Shared\ccProxy.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe

c:\program files\Common Files\Symantec Shared\SNDSrvc.exe

c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe

c:\windows\system32\Drivers\trcboot.exe

c:\program files\IBM\Personal Communications\PCS_AGNT.EXE

c:\program files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe

c:\windows\system32\acs.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe

c:\notes\ntmulti.exe

c:\program files\AT&T Network Client\NetCfgSv.EXE

c:\program files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe

c:\program files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

c:\program files\Common Files\Lenovo\tvt_reg_monitor_svc.exe

c:\windows\System32\TPHDEXLG.exe

c:\windows\system32\TpKmpSVC.exe

c:\program files\Common Files\Lenovo\Scheduler\tvtsched.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\Drivers\ldlcserv.exe

c:\program files\ThinkPad\ConnectUtilities\AcSvc.exe

c:\program files\lenovo\system update\suservice.exe

c:\program files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\TpShocks.exe

c:\program files\Lenovo\PkgMgr\HOTKEY\TPONSCR.exe

c:\program files\Lenovo\PkgMgr\HOTKEY_1\TpScrex.exe

c:\program files\ThinkPad\UltraNav Wizard\UNavTray.EXE

c:\windows\system32\igfxsrvc.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\lxcjcoms.exe

.

**************************************************************************

.

Completion time: 2010-01-25 13:55:50 - machine was rebooted

ComboFix-quarantined-files.txt 2010-01-25 18:55

Pre-Run: 31,065,747,456 bytes free

Post-Run: 31,120,400,384 bytes free

- - End Of File - - FF28A4481E55A589A7CE126D36BAF6FF

miekiemoes · January 25, 2010

Hi,

Your iastor.sys file is infected and it looks like we have to replace the infected iastor.sys manually then...

This is a really important system file and there are always risks involved when we have to replace it manually, so that's why it's always a good idea to backup any important data you don't want to lose, this in case anything goes wrong. We will also use Hiren boot cd afterwards to replace it. There are other methods but I've seen too many cases already where it failed, or something went wrong in between, so with the hiren boot cd (instructions will follow afterwards), it's always a bit safer since, even though something goes wrong, you'll still be able to access your data.

Anyway,

Let's have a look first where we can find copies of that file on your system....

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
```
:filefind
*iastor.sys*
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

AllanG · January 25, 2010

Here are the results of SystemLook:

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 14:15 on 25/01/2010 by agunz (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor.sys*"

C:\pnp\001\IASTOR.SYS --a--- 874240 bytes [23:59 29/11/1979] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\system32\drivers\iaStor.sys ------ 874240 bytes [10:24 13/02/2006] [16:10 24/01/2010] 309C4D86D989FB1FCF64BD30DC81C51B

-=End Of File=-

miekiemoes · January 25, 2010

Hi,

It looks like we can restore it with this copy:

C:\pnp\001\IASTOR.SYS

I suggest you create an extra copy first, just in case..

So, navigate to your C:\Windows folder and create a new folder in there called iabackup

Then, copy and paste the C:\pnp\001\IASTOR.SYS into the C:\Windows\iabackup folder (the folder you just created)

Please make sure you copy the IASTOR.SYS from the C:\pnp\001 folder into there and not the iastor.sys present in your C:\Windows\system32\drivers folder.

Then, to verify if you did right, run Systemlook again with exactly the same command you used before and paste the new log in your next reply.

AllanG · January 25, 2010

Here is the newest SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 14:30 on 25/01/2010 by agunz (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor.sys*"

C:\pnp\001\IASTOR.SYS --a--- 874240 bytes [23:59 29/11/1979] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\iabackup\IASTOR.SYS --a--- 874240 bytes [19:29 25/01/2010] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\system32\drivers\iaStor.sys ------ 874240 bytes [10:24 13/02/2006] [16:10 24/01/2010] 309C4D86D989FB1FCF64BD30DC81C51B

-=End Of File=-

miekiemoes · January 25, 2010

Ok, now the big/risky work..

Let's see how this goes.....

Please visit the website to download the bootcd > http://www.hirensbootcd.net/details/10.0.html

Just extract everything into a folder & double click on "BurnToCD.cmd" in order to burn it to cd.

Then, Boot the computer using the Hiren CD which you just burned. When you get to this screen, select "Start Mini Windows Xp"

It will then look like this:

In the Hiren Boot "Mini Windows Xp"

1) Locate this file - C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS

2) Rename it to IASTOR.SYS.BAD

3) Then copy the iastor.sys from the C:\pnp\001 folder to the C:\WINDOWS\SYSTEM32\DRIVERS folder

or you can also use the one from C:\WINDOWS\iabackup\IASTOR.SYS to copy to your C:\WINDOWS\SYSTEM32\DRIVERS folder.

When finsihed, restart the machine & boot back to your normal OS

Let me know how that went.

AllanG · January 25, 2010

I was able to boot off the Hiren CD and I swapped the iastor.sys file. Here is an updated SystemLook log:

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 15:09 on 25/01/2010 by agunz (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor.sys*"

C:\pnp\001\IASTOR.SYS --a--- 874240 bytes [23:59 29/11/1979] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\iabackup\IASTOR.SYS --a--- 874240 bytes [19:29 25/01/2010] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\system32\drivers\IASTOR.SYS --a--- 874240 bytes [15:04 25/01/2010] [00:53 26/08/2006] 309C4D86D989FB1FCF64BD30DC81C51B

C:\WINDOWS\system32\drivers\iaStor.sys.BAD --a--- 874240 bytes [10:24 13/02/2006] [16:10 24/01/2010] D8357FD6E769FB1263E27647EC0F3A2E

-=End Of File=-

miekiemoes · January 25, 2010

Well, it looks like that went well...

Now you can remove the C:\WINDOWS\system32\drivers\iaStor.sys.BAD (that's the bad one).

As you see in the log, it now displays another MD5 than the other legit ones. You couldn't see that when it was still active

Let me know in your next reply how things are now, if redirects have stopped.

AllanG · January 25, 2010

Well, there were multiple viruses/malware as shown in the logs posted earlier. And I suspect that Symantic AV and MBAM may have been compromised, as well as my firewall. What should I run now to fully check my system? I am concerned that there may still be Trojans or even keyloggers hiding. My Firewall logs showed suspicious inbound and outbound activity. What should my next step be?

Thank you, Allan.

miekiemoes · January 25, 2010

Hi,

You should be OK now though. It was the infected iastor.sys causing the main problems.

There are still some small steps to perform to get rid of some orhaned entries and an unwanted application..

I see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". This will change from what we know in 2006 read this article: http://www.clickz.com/news/article.php/3561546

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.

Viewpoint
Viewpoint Manager
Viewpoint Media Player

Then, to deal with an orphaned entry, go to start > run and copy and paste next command in the field:

sc delete XJCRNIFLTTK hit enter

sc delete gwiopm hit enter

Then, * Go to start > run and copy and paste next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /

Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Don't worry about your mbam and symantec compromised. This variant doesn't compromise it. I guess you think this because it didn't detect this infected system file? In a way it's normal; because most scanners have problems to detect this one since it uses advanced techniques to bypass detection. For example, when it's active, scanners see the legitimate iastor.sys since it has the legitimate MD5, but once unloaded, as you've seen in your latest systemlook log, the iastor.sys.bad has another MD5

Malwarebytes does prevent this infection though since the realtime scanner blocks its installer and the malicious pages where it was downloaded, so it won't be able to install in the first place.

You can have a latest check with Eset online scanner to see if there are any inactive leftovers present (from other infections you were dealing with):

* Go here to run an online scannner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Check next options: Remove found threats and Scan unwanted applications.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log in your next reply and also let me know how things are now.

AllanG · January 25, 2010

Well, looks like there are still problems. ESET found the following:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=7

# iexplore.exe=6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)

# OnlineScanner.ocx=1.0.0.6211

# api_version=3.0.2

# EOSSerial=0c6d77a2179a1c4da2f2470feab1fecb

# end=finished

# remove_checked=true

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2010-01-25 10:20:44

# local_time=2010-01-25 05:20:44 (-0500, Eastern Standard Time)

# country="United States"

# lang=9

# osver=5.1.2600 NT Service Pack 2

# compatibility_mode=512 16777215 100 0 168473 168473 0 0

# compatibility_mode=8192 67108863 100 0 0 0 0 0

# scanned=143833

# found=1

# cleaned=1

# scan_time=4084

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\LUQYBXMP\i[2].js HTML/Iframe.B.Gen virus (deleted - quarantined) 00000000000000000000000000000000 C

I will now update and run MBAM, reboot and run MBAM again, then run Symantic AV, and post what I get.

AllanG · January 26, 2010

Hi, I ran a number of different scans.

First I ran MBAM, then rebooted, then ran MBAM again:

First time:

Malwarebytes' Anti-Malware 1.44

Database version: 3638

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

01/25/10 5:29:50 PM

mbam-log-2010-01-25 (17-29-50).txt

Scan type: Quick Scan

Objects scanned: 129321

Time elapsed: 3 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

**************************************************************

Second time:

Malwarebytes' Anti-Malware 1.44

Database version: 3638

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

01/25/10 5:39:30 PM

mbam-log-2010-01-25 (17-39-30).txt

Scan type: Quick Scan

Objects scanned: 129384

Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

***************************************************************

Next I ran Symantic AV which was clean.

Then I ran GMER. Here is the ark.txt:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-01-25 20:40:34

Windows 5.1.2600 Service Pack 2

Running: df8ledyk.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pgddrpog.sys

---- System - GMER 1.0.15 ----

SSDT 8A075500 ZwConnectPort

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9DFC8350]

SSDT 8AB34008 ZwQueryValueKey

SSDT 8A0998C0 ZwResumeThread

SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9DFC8580]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys (Mouse Class Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- EOF - GMER 1.0.15 ----

***************************************************************8

Next I ran ComboFix, here is the log:

ComboFix 10-01-25.02 - agunz 01/25/10 21:12:35.2.1 - x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3062.2211 [GMT -5:00]

Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FW: Symantec Client Firewall *disabled* {5CB76A43-5FAD-476B-B9FF-26FA61F13187}

.

((((((((((((((((((((((((( Files Created from 2009-12-26 to 2010-01-26 )))))))))))))))))))))))))))))))

.

2010-01-25 15:04 . 2006-08-26 00:53 874240 ----a-w- c:\windows\system32\drivers\IASTOR.SYS