Malwarebytes

need help with worm.win32.netsky
wohsthere
post Feb 2 2010, 03:26 AM
Post #1
New Member
Group: Members
Posts: 11
Joined: 2-February 10
Member No.: 31,711

Hi, I've been looking around on the forum and it seems other people have the same problem as me, win32.netsky. Any help would be much appreciated. I've fixed problems with my computer before, but this one has me stumped. Thanks in advance to anyone who can help me out.
miekiemoes
post Feb 2 2010, 11:09 AM
Post #2
Forum Deity
Group: Administrators
Posts: 11,388
Joined: 26-December 05
From: Belgium
Member No.: 102

Hi,

Have you tried Malwarebytes already? Please post the log from Malwarebytes in your next reply.

In case Malwarebytes won't run/install, please try this version of Malwarebytes: Click the link here
Save it on your desktop. You'll see it will have a random name, and will look similar to this:
Double-click on it; it will extract the files and start Malwarebytes automatically.
In case the installer (random named file) won't run either, rename it to EXPLORER.EXE and try again.

When Malwarebytes opens, click the "Update" tab FIRST and select to check for updates in order to get the latest updates.
In case Malwarebytes doesn't open, search for the folder mbam-installer on your desktop, open it and double-click the file winlogon.exe which will be present in there. This should launch Malwarebytes.

Then perform a scan and let it remove what it found. Reboot afterwards (important).
After reboot, post the Malwarebytes log together with a new HijackThis log.

In case you're having problems with the above instructions, let me know.


--------------------
Mieke Verburgh
Assistant Director of Research
Follow us: Twitter, Become a fan: Facebook
wohsthere
post Feb 2 2010, 12:33 PM
Post #3

First time using the forum here, so I guess I should have given a little more detail. First, yes, I did have Malwarebytes installed on my computer when this happened; however, when I tried to run it, it would not open. I shut my computer down and now I can only log back in through safe mode; any other way I get a blue screen. I can't remember exactly what it says off the top of my head, but I could find out if necessary, so I don't believe I will be able to connect to the internet to get the updates once I install that version of Malwarebytes. I did also have Spybot installed; I ran that and it picked up a few things and deleted them, but that didn't fix anything except allowing me to be able to load my Task Manager, as that had also been disabled. Hopefully that gives a little better background as to where I'm at. I do have another computer that I'm using to post on here and can download anything required and put it on a USB to transfer to my infected computer. Again, any help is much appreciated.
miekiemoes
post Feb 2 2010, 12:43 PM
Post #4

Hi,

Please try the above method with Malwarebytes. You can get into safe mode with networking support as well; that's one of the options to select when you select safe mode.
If you can't update, then don't worry, just run the Malwarebytes scan without updates.


wohsthere
post Feb 2 2010, 11:38 PM
Post #5

Sorry for the delay, but here are the logs.

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

2/2/2010 5:58:39 PM
mbam-log-2010-02-02 (17-58-39).txt

Scan type: Full Scan (C:\|)
Objects scanned: 211382
Time elapsed: 38 minute(s), 45 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 3
Registry Keys Infected: 6
Registry Values Infected: 11
Registry Data Items Infected: 17
Folders Infected: 1
Files Infected: 37

Memory Processes Infected:
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\rufimiwu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\velegevi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wusabare.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{08cdd41a-0ffa-4eb8-afb9-a1d673b387e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ed403e8-470a-4a8a-85a4-d7688cfe39a3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ias (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CORE (Spyware.Passwords) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wolutuzay (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\appihbt_dlls (Spyware.Agent.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{08cdd41a-0ffa-4eb8-afb9-a1d673b387e5} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rikisamir (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rthdbpl (Trojan.Inject) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls\appsecdll (Spyware.Passwords) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\winid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\asg984jgkfmgasi8ug98jgkfgfb (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: wusabare.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: sipnet.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\rufimiwu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\rufimiwu.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\winlogon32.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\winlogon32.exe) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Rootkit.Agent) -> Data: c:\windows\system32\kbdsock.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Rootkit.Agent) -> Data: system32\kbdsock.dll -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Me\Application Data\AntiVirus Plus (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\ledalihi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rufimiwu.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\velegevi.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wusabare.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\yozipuji.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yulihofu.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\sipnet.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\nmklo.dll (Spyware.Agent.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Application Data\SystemProc\lsass.exe (Trojan.Inject) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\core.dll (Spyware.Passwords) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Iasex.dll (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ndismgr.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Application Data\AntiVirus Plus\AntiVirus Plus.70700.dll (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\smss32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\helper32.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Winlogon32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temp\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Internet Explorer\wmpscfgs.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Application Data\avp.ico (Rogue.AntiVirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cooper.mine (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temp\services.exe (Password.Stealer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temp\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temp\win32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\mqcd.dbt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\msa.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spool\prtprocs\w32x86\000043c3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temp\jisfije9fjoiee.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Local Settings\Temp\c.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Program Files\Adobe\acrotray .exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\flags.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uses32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kbdsock.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mshlps.dll (Rootkit.Agent) -> Quarantined and deleted successfully.


-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:04:15 PM, on 2/2/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: C:\WINDOWS\system32\fib0oj.dll - {C4BF49A2-94F1-42BD-F034-3604811C807D} - C:\WINDOWS\system32\fib0oj.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe" /background
O4 - HKLM\..\Run: [Tnadenocopologoc] rundll32.exe "C:\WINDOWS\ucayijev.dll",Startup
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Documents and Settings\Me\Desktop\mbam-installer\explorer.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware1\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [F5JMWNZTHI] C:\DOCUME~1\Me\LOCALS~1\Temp\Dp1.exe
O4 - HKCU\..\Run: [sefjhf98jfoidsfoishgoiusgdgfgd] C:\DOCUME~1\Me\LOCALS~1\Temp\upys56c.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe -p
O4 - S-1-5-18 Startup: Boston.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Boston.exe (User 'Default user')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: Boston.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O15 - Trusted Zone: http://*.buy-internet-security10.com
O15 - Trusted Zone: http://*.is-soft-download.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is-software-download25.com
O15 - Trusted Zone: http://*.buy-internet-security10.com (HKLM)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://ea-src-cdn.systemrequirementslab.co...reqlab_srlx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8210776-F8E2-4517-BF07-26E07A25D3C6}: NameServer = 83.149.115.157,4.2.2.1,10.0.1.1
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.33,93.188.161.91
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.33,93.188.161.91
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: velegevi.dll c:\windows\system32\rufimiwu.dll
O22 - SharedTaskScheduler: lkjah87hfijgnfasidofgysgiughnjfkgfgdfgf - {C4BF49A2-94F1-42BD-F034-3604811C807D} - C:\WINDOWS\system32\fib0oj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSVC - GEMTEKS - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe

--
End of file - 9811 bytes
miekiemoes
post Feb 2 2010, 11:59 PM
Post #6

Hi,

What a mess... No wonder you are having so many problems. You are dealing with several different nasty infections.
The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Then,

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: C:\WINDOWS\system32\fib0oj.dll - {C4BF49A2-94F1-42BD-F034-3604811C807D} - C:\WINDOWS\system32\fib0oj.dll
O4 - HKLM\..\Run: [Tnadenocopologoc] rundll32.exe "C:\WINDOWS\ucayijev.dll",Startup
O4 - HKCU\..\Run: [F5JMWNZTHI] C:\DOCUME~1\Me\LOCALS~1\Temp\Dp1.exe
O4 - HKCU\..\Run: [sefjhf98jfoidsfoishgoiusgdgfgd] C:\DOCUME~1\Me\LOCALS~1\Temp\upys56c.exe
O4 - Startup: Boston.exe
O15 - Trusted Zone: http://*.buy-internet-security10.com
O15 - Trusted Zone: http://*.is-soft-download.com
O15 - Trusted Zone: http://*.is-software-download.com
O15 - Trusted Zone: http://*.is-software-download25.com
O15 - Trusted Zone: http://*.buy-internet-security10.com (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8210776-F8E2-4517-BF07-26E07A25D3C6}: NameServer = 83.149.115.157,4.2.2.1,10.0.1.1
O20 - AppInit_DLLs: velegevi.dll c:\windows\system32\rufimiwu.dll
O22 - SharedTaskScheduler: lkjah87hfijgnfasidofgysgiughnjfkgfgdfgf - {C4BF49A2-94F1-42BD-F034-3604811C807D} - C:\WINDOWS\system32\fib0oj.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

In case you have not set these either, check and fix in HijackThis as well:

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 93.188.163.33,93.188.161.91
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.163.33,93.188.161.91

Then,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Make sure you use Safe mode with networking support, or even better, try to boot into normal mode to run ComboFix...

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.


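To show how the entry types singled out in the reply above (an O17 NameServer pointing outside the LAN, O20 AppInit_DLLs, O15 Trusted Zone additions, and O4 autoruns launched from Temp or through rundll32) can be picked out of a HijackThis log mechanically, here is an added Python example. It is not code from this thread, from Malwarebytes or from HijackThis; the rules it applies are assumptions distilled from the reply, and the sample lines are copied from the log posted earlier in the thread.

```python
"""Triage a HijackThis-style log for the entry types a helper asks to fix.

Added example, not a Malwarebytes or HijackThis tool. The rules are
assumptions distilled from the reply: DNS resolvers outside private ranges,
AppInit_DLLs injection, Internet Explorer Trusted Zone additions, and autoruns
that start from a Temp directory or load a DLL through rundll32.
"""
import ipaddress
import re

# Constructed sample in the format of the posted log (values taken from it).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Tnadenocopologoc] rundll32.exe "C:\WINDOWS\ucayijev.dll",Startup
O4 - HKCU\..\Run: [F5JMWNZTHI] C:\DOCUME~1\Me\LOCALS~1\Temp\Dp1.exe
O15 - Trusted Zone: http://*.buy-internet-security10.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{D8210776-F8E2-4517-BF07-26E07A25D3C6}: NameServer = 83.149.115.157,4.2.2.1,10.0.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 10.0.1.1
O20 - AppInit_DLLs: velegevi.dll c:\windows\system32\rufimiwu.dll
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# "O17 - <body>": section code, separator, then the rest of the entry.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Executable path passing through a Temp directory (short or long names).
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# rundll32[.exe] followed by a (possibly quoted) DLL path.
RUNDLL_RE = re.compile(r'\brundll32(?:\.exe)?\s+"?[^"]+\.dll\b', re.IGNORECASE)


def parse_line(line):
    """Split 'O17 - body' into (section, body); None for non-entry lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    return match.group("section"), match.group("body")


def foreign_nameservers(body):
    """Return resolvers in an O17 body that are not private or loopback addresses."""
    _, _, servers = body.partition("NameServer =")
    suspicious = []
    for item in servers.split(","):
        item = item.strip()
        if not item:
            continue
        try:
            addr = ipaddress.ip_address(item)
        except ValueError:
            suspicious.append(item)  # not even an IP address: worth a look
            continue
        if not (addr.is_private or addr.is_loopback):
            suspicious.append(item)
    return suspicious


def triage(log_text):
    """Return (section, reason, line) for every entry the rules flag."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reason = None
        if section == "O17":
            bad = foreign_nameservers(body)
            if bad:
                reason = "DNS resolver outside private ranges: " + ", ".join(bad)
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            reason = "AppInit_DLLs injects a DLL into every user-mode process"
        elif section == "O15":
            reason = "site added to the Internet Explorer Trusted Zone"
        elif section == "O4":
            if TEMP_RE.search(body):
                reason = "autorun launches an executable from a Temp directory"
            elif RUNDLL_RE.search(body):
                reason = "autorun loads a DLL through rundll32"
        if reason:
            findings.append((section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

On the sample above the script flags five entries and leaves the Java autorun, the LAN-only resolver and the Bonjour service alone. The resolver check is the one the reply treats with care: a public address in NameServer is not proof of a hijack, so the output is a list to review against what the owner actually configured, not something to fix automatically.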
wohsthere
post Feb 3 2010, 02:18 AM
Post #7

I think I followed all the steps; here is the ComboFix log:

ComboFix 10-02-02.02 - Me 02/02/2010 20:42:35.1.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.352 [GMT -5:00]
Running from: F:\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
ADS - system32: deleted 40 bytes in 1 streams.
ADS - WINDOWS: deleted 24 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Me\LOCALS~1\Temp\lsass.exe
c:\documents and settings\Administrator\Local Settings\Application Data\{110B5B42-6E6B-4D79-A5D6-8E5CECABB0AD}
c:\documents and settings\Administrator\Local Settings\Application Data\{110B5B42-6E6B-4D79-A5D6-8E5CECABB0AD}\chrome.manifest
c:\documents and settings\Administrator\Local Settings\Application Data\{110B5B42-6E6B-4D79-A5D6-8E5CECABB0AD}\chrome\content\_cfg.js
c:\documents and settings\Administrator\Local Settings\Application Data\{110B5B42-6E6B-4D79-A5D6-8E5CECABB0AD}\chrome\content\overlay.xul
c:\documents and settings\Administrator\Local Settings\Application Data\{110B5B42-6E6B-4D79-A5D6-8E5CECABB0AD}\install.rdf
c:\documents and settings\Me\Application Data\inst.exe
c:\documents and settings\Me\Application Data\SystemProc
c:\windows\system32\fib0oj.dll
c:\windows\system32\IS15.exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\smss32 .exe
c:\windows\system32\warning.html

c:\windows\system32\DRIVERS\iaStor.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS


((((((((((((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 )))))))))))))))))))))))))))))))
.

2010-02-02 23:03 . 2010-02-02 23:03 -------- d-----w- c:\program files\Trend Micro
2010-02-02 03:16 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 03:16 . 2010-02-02 03:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1
2010-02-02 03:16 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 02:27 . 2010-02-02 03:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 23:13 . 2010-02-01 23:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-01 23:06 . 2010-02-01 23:06 69120 ----a-w- c:\windows\system32\app_dll.dll
2010-02-01 23:01 . 2010-02-02 22:17 0 ----a-w- c:\windows\Kjevafuxujab.bin
2010-02-01 23:01 . 2010-02-01 23:01 120 ----a-w- c:\windows\Xkemivodukeq.dat
2010-02-01 23:00 . 2010-02-01 23:00 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\{25EDB92B-FB80-4BB4-BF96-C5E025E06217}
2010-02-01 22:56 . 2010-02-01 22:57 -------- d-----w- c:\windows\LastGood
2010-02-01 22:54 . 2010-02-01 22:54 69632 ----a-w- c:\windows\a.dll
2010-02-01 00:39 . 2010-02-01 00:39 -------- d-----w- c:\documents and settings\Me\Application Data\FileOpen
2010-02-01 00:39 . 2010-02-01 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FileOpen
2010-02-01 00:38 . 2010-02-01 00:38 -------- d-----w- c:\program files\FileOpen
2010-01-24 21:09 . 2010-01-24 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-24 21:08 . 2010-01-24 21:08 -------- d-----w- c:\documents and settings\Me\Application Data\Office Genuine Advantage
2010-01-13 12:48 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 22:47 . 2010-01-12 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\OrbNetworks
2010-01-12 22:47 . 2010-01-12 22:47 -------- d-----w- c:\program files\Orb Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-01 22:58 . 2009-11-29 15:52 -------- d-----w- c:\program files\iTunes
2010-02-01 22:58 . 2009-11-29 15:49 -------- d-----w- c:\program files\QuickTime
2010-02-01 22:57 . 2006-09-05 18:54 -------- d-----w- c:\program files\Dell AIO Printer A940
2010-02-01 22:57 . 2006-08-12 23:12 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-01 22:57 . 2006-08-12 23:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-01 22:57 . 2010-02-01 22:57 39424 ----a-w- c:\windows\system32\OLD29B.tmp
2010-02-01 22:56 . 2010-02-01 22:56 249856 ----a-w- c:\windows\Help\cSfBJpiU.dll
2010-02-01 22:56 . 2010-02-01 22:56 106496 ----a-w- c:\windows\Help\MVvJFhgl.dll
2010-02-01 22:56 . 2010-02-01 22:56 32768 ----a-w- c:\windows\Help\gAlUeBfY.dll
2010-02-01 22:52 . 2010-02-01 22:57 578560 ----a-w- c:\windows\system32\OLD298.tmp
2010-02-01 22:52 . 2010-02-01 22:57 1287168 ----a-w- c:\windows\system32\OLD295.tmp
2010-02-01 22:51 . 2010-02-01 22:51 42496 ----a-w- c:\windows\system32\info.tmp
2010-02-01 22:32 . 2009-04-25 23:32 -------- d-----w- c:\documents and settings\Me\Application Data\ZoomBrowser EX
2010-02-01 00:38 . 2010-02-01 00:38 14846 ----a-r- c:\documents and settings\Me\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
2010-02-01 00:36 . 2009-04-15 18:54 -------- d-----w- c:\documents and settings\Me\Application Data\AdobeUM
2010-01-31 02:00 . 2006-08-12 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-23 21:46 . 2009-01-05 23:31 -------- d-----w- c:\documents and settings\Me\Application Data\Skype
2010-01-23 21:45 . 2008-11-25 02:24 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 14:31 . 2009-01-05 23:33 -------- d-----w- c:\documents and settings\Me\Application Data\skypePM
2010-01-13 08:06 . 2008-11-22 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-12 20:12 . 2009-11-11 15:06 79488 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-27 17:55 . 2006-08-24 18:32 -------- d-----w- c:\documents and settings\Me\Application Data\Apple Computer
2009-12-27 17:54 . 2007-08-20 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-21 19:14 . 2006-03-04 03:33 916480 ----a-w- c:\windows\system32\wininet.dll
2009-12-13 21:57 . 2009-12-13 21:57 56712 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-12 20:41 . 2008-11-28 23:08 -------- d-----w- c:\program files\DVDFab 5
2009-12-12 20:41 . 2009-12-12 00:36 -------- d-----w- c:\documents and settings\Me\Application Data\Vso
2009-12-12 20:41 . 2008-02-02 03:41 47360 ----a-w- c:\documents and settings\Me\Application Data\pcouffin.sys
2009-12-12 20:41 . 2008-02-02 03:41 47360 ----a-w- c:\documents and settings\Me\Application Data\pcouffin.sys
2009-12-12 00:36 . 2009-12-12 00:36 -------- d-----w- c:\program files\DVDFab 6
2009-12-12 00:27 . 2009-07-17 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-12 00:27 . 2009-05-12 22:18 -------- d-----w- c:\program files\Norton Security Scan
2009-12-11 23:06 . 2009-07-17 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-11-29 15:41 . 2009-11-29 15:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-17 13:45 . 2006-08-12 21:11 69624 -c--a-w- c:\documents and settings\Me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.
CODE
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Common Files\LogiShrd\LComMgr\communications_helper .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Dell AIO Printer A940\dlbabmgr .exe
c:\program files\Hewlett-Packard\HP Software Update\hpwuschd2 .exe
c:\program files\HP\Digital Imaging\bin\hpqsrmon .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Logitech\QuickCam\quickcam .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Orb Networks\Orb\bin\orblauncher .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Symantec AntiVirus\vptray .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb10 .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-02-01 39424]
"AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [N/A]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2010-02-01 39424]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2009-07-18 257440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-02-01 39424]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2010-02-01 39424]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2010-02-01 39424]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2010-02-01 39424]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2010-02-01 39424]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2010-02-01 39424]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2010-02-01 39424]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2010-02-01 39424]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2010-02-01 39424]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2010-02-01 39424]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2010-02-01 39424]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2010-02-01 39424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2010-02-01 39424]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-02-01 39424]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-02-01 39424]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe" [2010-02-01 39424]
"Malwarebytes Anti-Malware (reboot)"="c:\documents and settings\Me\Desktop\mbam-installer\explorer.exe" [N/A]

c:\documents and settings\Me\Start Menu\Programs\Startup\
Boston.exe [2001-1-2 110592]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-9-10 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\AIM95_c1\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbLauncher.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbSetupWizard.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbControlPanel.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Rendezvous
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/24/2009 1:17 PM 721904]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 6:56 AM 102448]
S3 ndismgr;ndismgr;\??\c:\windows\system32\ndismgr.sys --> c:\windows\system32\ndismgr.sys [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 12:40 AM 115952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-01-31 c:\windows\Tasks\Orb Index when idle.job
- c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe [2009-12-21 22:58]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\arbogjk8.default\
FF - prefs.js: browser.startup.homepage - www.espn.com
FF - plugin: c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\arbogjk8.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
FF - HiddenExtension: XULRunner: {25EDB92B-FB80-4BB4-BF96-C5E025E06217} - c:\documents and settings\Me\Local Settings\Application Data\{25EDB92B-FB80-4BB4-BF96-C5E025E06217}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

BHO-{C4BF49A2-94F1-42BD-F034-3604811C807D} - c:\windows\system32\fib0oj.dll
SharedTaskScheduler-{C4BF49A2-94F1-42BD-F034-3604811C807D} - c:\windows\system32\fib0oj.dll



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-02 20:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x832F0856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf887df28
\Driver\ACPI -> ACPI.sys @ 0xf86d7cb8
\Driver\atapi -> atapi.sys @ 0xf85a9852
\Driver\iaStor -> iaStor.sys @ 0xf85c3f18
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(272)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(332)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1916)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
Completion time: 2010-02-02 21:11:12 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-03 02:11

Pre-Run: 65,859,330,048 bytes free
Post-Run: 68,138,917,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - FDA1C0C5C97877F64A8728A27CF6781F
miekiemoes
post Feb 3 2010, 06:53 AM
Post #8


Forum Deity
******

Group: Administrators
Posts: 11,388
Joined: 26-December 05
From: Belgium
Member No.: 102



Hi,

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

CODE
File::
c:\windows\Kjevafuxujab.bin
c:\windows\Xkemivodukeq.dat
Collect::[8]
c:\windows\system32\app_dll.dll
c:\windows\a.dll
c:\windows\Help\cSfBJpiU.dll
c:\windows\Help\MVvJFhgl.dll
c:\windows\Help\gAlUeBfY.dll
c:\documents and settings\Me\Start Menu\Programs\Startup\Boston.exe
Folder::
c:\documents and settings\Me\Local Settings\Application Data\{25EDB92B-FB80-4BB4-BF96-C5E025E06217}
RenV::
c:\program files\Adobe\Acrobat 7.0\Reader\adobeupdatemanager .exe
c:\program files\Analog Devices\Core\smax4pnp .exe
c:\program files\ATI Technologies\ATI Control Panel\atiptaxx .exe
c:\program files\Common Files\LogiShrd\LComMgr\communications_helper .exe
c:\program files\Common Files\Symantec Shared\ccapp .exe
c:\program files\Dell AIO Printer A940\dlbabmgr .exe
c:\program files\Hewlett-Packard\HP Software Update\hpwuschd2 .exe
c:\program files\HP\Digital Imaging\bin\hpqsrmon .exe
c:\program files\HP\hpcoretech\hpcmpmgr .exe
c:\program files\iTunes\ituneshelper .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\Logitech\QuickCam\quickcam .exe
c:\program files\Microsoft Office\Office12\groovemonitor .exe
c:\program files\Orb Networks\Orb\bin\orblauncher .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Skype\Phone\skype .exe
c:\program files\Symantec AntiVirus\vptray .exe
c:\windows\system32\spool\drivers\w32x86\3\hpztsb10 .exe
Driver::
ndismgr


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again.
Then, please visit this site:
http://www.bleepingcomputer.com/submit-malware.php?channel=8
Where it says: "Browse to the file you want to submit", use the Browse button to navigate to the following file: C:\Qoobox\Quarantine\[8]-Submit_date_time.zip (date_time will be replaced with the date and time when this file was created)
Then click the "Send File" button below in order to upload it.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.


Also, your iastor.sys file is infected and it looks like we have to replace the infected iastor.sys manually then...
This is a really important system file and there are always risks involved when we have to replace it manually, so that's why it's always a good idea to back up any important data you don't want to lose, in case anything goes wrong. We will also use Hiren boot cd afterwards to replace it. There are other methods but I've seen too many cases already where it failed, or something went wrong in between, so with the hiren boot cd (instructions will follow afterwards), it's always a bit safer since, even if something goes wrong, you'll still be able to access your data.

Anyway,

Let's have a look first where we can find copies of that file on your system....

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    *iastor.sys*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


--------------------
Mieke Verburgh
Assistant Director of Research



wohsthere
post Feb 3 2010, 03:29 PM
Post #9


New Member
*

Group: Members
Posts: 11
Joined: 2-February 10
Member No.: 31,711



ComboFix 10-02-02.02 - Me 02/03/2010 9:56.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.353 [GMT -5:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Me\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

FILE ::
"c:\windows\Kjevafuxujab.bin"
"c:\windows\Xkemivodukeq.dat"

file zipped: c:\documents and settings\Me\Start Menu\Programs\Startup\Boston.exe
file zipped: c:\windows\a.dll
file zipped: c:\windows\Help\cSfBJpiU.dll
file zipped: c:\windows\Help\gAlUeBfY.dll
file zipped: c:\windows\Help\MVvJFhgl.dll
file zipped: c:\windows\system32\app_dll.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Me\Local Settings\Application Data\{25EDB92B-FB80-4BB4-BF96-C5E025E06217}
c:\documents and settings\Me\Local Settings\Application Data\{25EDB92B-FB80-4BB4-BF96-C5E025E06217}\chrome.manifest
c:\documents and settings\Me\Local Settings\Application Data\{25EDB92B-FB80-4BB4-BF96-C5E025E06217}\chrome\content\_cfg.js
c:\documents and settings\Me\Local Settings\Application Data\{25EDB92B-FB80-4BB4-BF96-C5E025E06217}\chrome\content\overlay.xul
c:\documents and settings\Me\Local Settings\Application Data\{25EDB92B-FB80-4BB4-BF96-C5E025E06217}\install.rdf
c:\documents and settings\Me\Start Menu\Programs\Startup\Boston.exe
c:\windows\a.dll
c:\windows\Help\cSfBJpiU.dll
c:\windows\Help\gAlUeBfY.dll
c:\windows\Help\MVvJFhgl.dll
c:\windows\Kjevafuxujab.bin
c:\windows\system32\app_dll.dll
c:\windows\Xkemivodukeq.dat

c:\windows\system32\DRIVERS\iaStor.sys . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NDISMGR
-------\Service_ndismgr


((((((((((((((((((((((((( Files Created from 2010-01-03 to 2010-02-03 )))))))))))))))))))))))))))))))
.

2010-02-02 23:03 . 2010-02-02 23:03 -------- d-----w- c:\program files\Trend Micro
2010-02-02 03:16 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-02 03:16 . 2010-02-02 03:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware1
2010-02-02 03:16 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-02 02:27 . 2010-02-02 03:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-01 23:13 . 2010-02-01 23:13 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-02-01 22:56 . 2010-02-01 22:57 -------- d-----w- c:\windows\LastGood
2010-02-01 00:39 . 2010-02-01 00:39 -------- d-----w- c:\documents and settings\Me\Application Data\FileOpen
2010-02-01 00:39 . 2010-02-01 00:39 -------- d-----w- c:\documents and settings\All Users\Application Data\FileOpen
2010-02-01 00:38 . 2010-02-01 00:38 -------- d-----w- c:\program files\FileOpen
2010-01-24 21:09 . 2010-01-24 21:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-24 21:08 . 2010-01-24 21:08 -------- d-----w- c:\documents and settings\Me\Application Data\Office Genuine Advantage
2010-01-13 12:48 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll
2010-01-12 22:47 . 2010-01-12 22:49 -------- d-----w- c:\documents and settings\All Users\Application Data\OrbNetworks
2010-01-12 22:47 . 2010-01-12 22:47 -------- d-----w- c:\program files\Orb Networks

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-03 14:56 . 2006-08-12 23:12 -------- d-----w- c:\program files\Symantec AntiVirus
2010-02-03 14:56 . 2009-11-29 15:49 -------- d-----w- c:\program files\QuickTime
2010-02-03 14:55 . 2009-11-29 15:52 -------- d-----w- c:\program files\iTunes
2010-02-03 14:55 . 2006-09-05 18:54 -------- d-----w- c:\program files\Dell AIO Printer A940
2010-02-03 14:55 . 2006-08-12 23:12 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-02-01 22:57 . 2010-02-01 22:57 39424 ----a-w- c:\windows\system32\OLD29B.tmp
2010-02-01 22:52 . 2010-02-01 22:57 578560 ----a-w- c:\windows\system32\OLD298.tmp
2010-02-01 22:52 . 2010-02-01 22:57 1287168 ----a-w- c:\windows\system32\OLD295.tmp
2010-02-01 22:51 . 2010-02-01 22:51 42496 ----a-w- c:\windows\system32\info.tmp
2010-02-01 22:32 . 2009-04-25 23:32 -------- d-----w- c:\documents and settings\Me\Application Data\ZoomBrowser EX
2010-02-01 00:38 . 2010-02-01 00:38 14846 ----a-r- c:\documents and settings\Me\Application Data\Microsoft\Installer\{857CBF4A-192C-44B0-86A5-6281FCEFA1FE}\FileOpenNew.exe
2010-02-01 00:36 . 2009-04-15 18:54 -------- d-----w- c:\documents and settings\Me\Application Data\AdobeUM
2010-01-31 02:00 . 2006-08-12 23:45 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-23 21:46 . 2009-01-05 23:31 -------- d-----w- c:\documents and settings\Me\Application Data\Skype
2010-01-23 21:45 . 2008-11-25 02:24 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-16 14:31 . 2009-01-05 23:33 -------- d-----w- c:\documents and settings\Me\Application Data\skypePM
2010-01-13 08:06 . 2008-11-22 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-12 20:12 . 2009-11-11 15:06 79488 ----a-w- c:\documents and settings\Me\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-27 17:55 . 2006-08-24 18:32 -------- d-----w- c:\documents and settings\Me\Application Data\Apple Computer
2009-12-27 17:54 . 2007-08-20 01:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2009-12-21 19:14 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2009-12-13 21:57 . 2009-12-13 21:57 56712 ---ha-w- c:\windows\system32\mlfcache.dat
2009-12-12 20:41 . 2008-11-28 23:08 -------- d-----w- c:\program files\DVDFab 5
2009-12-12 20:41 . 2009-12-12 00:36 -------- d-----w- c:\documents and settings\Me\Application Data\Vso
2009-12-12 20:41 . 2008-02-02 03:41 47360 ----a-w- c:\documents and settings\Me\Application Data\pcouffin.sys
2009-12-12 20:41 . 2008-02-02 03:41 47360 ----a-w- c:\documents and settings\Me\Application Data\pcouffin.sys
2009-12-12 00:36 . 2009-12-12 00:36 -------- d-----w- c:\program files\DVDFab 6
2009-12-12 00:27 . 2009-07-17 22:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-12-12 00:27 . 2009-05-12 22:18 -------- d-----w- c:\program files\Norton Security Scan
2009-12-11 23:06 . 2009-07-17 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-11-29 15:41 . 2009-11-29 15:41 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.2.25\SetupAdmin.exe
2009-11-21 15:51 . 2004-08-04 10:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
2009-11-17 13:45 . 2006-08-12 21:11 69624 -c--a-w- c:\documents and settings\Me\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-09-25 16:41 . 2009-09-25 16:41 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-09-25 16:41 . 2009-09-25 16:41 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2008-11-07 21633320]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2009-07-18 257440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 53408]
"vptray"="c:\progra~1\SYMANT~1\\vptray.exe" [2006-06-15 124656]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-02-10 344064]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-08-06 148888]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Orb"="c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe" [2009-12-21 714192]

c:\documents and settings\Me\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
InterVideo WinCinema Manager.lnk - c:\program files\InterVideo\Common\Bin\WinCinemaMgr.exe [2006-9-10 278528]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\InterVideo\\DVD7\\WinDVD.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\AIM\\AIM95_c1\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbLauncher.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbSetupWizard.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbControlPanel.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Rendezvous
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [10/24/2009 1:17 PM 721904]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [8/28/2009 6:56 AM 102448]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/15/2006 12:40 AM 115952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-01-29 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-01-23 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 20:07]

2010-01-31 c:\windows\Tasks\Orb Index when idle.job
- c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe [2009-12-21 23:04]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\arbogjk8.default\
FF - prefs.js: browser.startup.homepage - www.espn.com
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AlcoholAutomount - c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe
HKLM-Run-Malwarebytes Anti-Malware (reboot) - c:\documents and settings\Me\Desktop\mbam-installer\explorer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-03 10:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x832F0856]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf887df28
\Driver\ACPI -> ACPI.sys @ 0xf86d7cb8
\Driver\atapi -> atapi.sys @ 0xf85a9852
\Driver\iaStor -> iaStor.sys @ 0xf85c3f18
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Linksys Wireless-G PCI Adapter with SpeedBooster -> SendCompleteHandler -> NDIS.sys @ 0xf84b5bb0
PacketIndicateHandler -> NDIS.sys @ 0xf84c2a21
SendHandler -> NDIS.sys @ 0xf84a087b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(624)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2028)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2010-02-03 10:19:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-03 15:19
ComboFix2.txt 2010-02-03 02:11

Pre-Run: 68,154,507,264 bytes free
Post-Run: 68,098,879,488 bytes free

- - End Of File - - EEDAF90D79C5B3CEA3F6B3A0494D3E62


--------------------------------------------------------------------------------------


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 10:25 on 03/02/2010 by Me (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor.sys*"
C:\WINDOWS\dell\iastor\iastor.sys --a--c 250368 bytes [22:44 21/02/2006] [22:44 21/02/2006] 88B1943ECFF661F765228099138CF6AB
C:\WINDOWS\system32\drivers\iaStor.sys ------ 250368 bytes [22:44 21/02/2006] [22:44 21/02/2006] 88B1943ECFF661F765228099138CF6AB

-=End Of File=-

miekiemoes
post Feb 3 2010, 03:35 PM
Post #10

Ok, now the big/risky work..

Let's see how this goes.....
Please visit the website to download the bootcd > http://www.hirensbootcd.net/details/10.0.html
Just extract everything into a folder & double click on "BurnToCD.cmd" in order to burn it to cd.

Then, Boot the computer using the Hiren CD which you just burned. When you get to this screen, select "Start Mini Windows Xp"



It will then look like this:



In the Hiren Boot "Mini Windows Xp"

1) Locate this file - C:\WINDOWS\SYSTEM32\DRIVERS\IASTOR.SYS

2) Rename it to IASTOR.SYS.BAD

3) Then copy the iastor.sys from the C:\WINDOWS\dell\iastor folder to the C:\WINDOWS\SYSTEM32\DRIVERS folder

When finished, restart the machine & boot back to your normal OS.
Let me know how that went.


wohsthere
post Feb 3 2010, 07:54 PM
Post #11

Ok, I have gone through your last set of instructions and booted with my normal OS, and I am able to do that now without getting the blue screen I mentioned a while back. What's next?

miekiemoes
post Feb 3 2010, 08:23 PM
Post #12

Great!

Now just to verify, please do this step again:

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :filefind
    *iastor.sys*

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt


Btw, don't you love Hiren BootCD? It may always come in handy in case your Windows won't boot anymore.


wohsthere
post Feb 3 2010, 10:07 PM
Post #13

SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 16:58 on 03/02/2010 by Me (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iastor.sys*"
C:\WINDOWS\dell\iastor\iastor.sys --a--c 250368 bytes [22:44 21/02/2006] [22:44 21/02/2006] 88B1943ECFF661F765228099138CF6AB
C:\WINDOWS\system32\drivers\iastor.sys --a--- 250368 bytes [14:51 03/02/2010] [22:44 21/02/2006] 88B1943ECFF661F765228099138CF6AB
C:\WINDOWS\system32\drivers\iaStor.sys.bad --a--- 250368 bytes [22:44 21/02/2006] [22:44 21/02/2006] (Unable to calculate MD5)

-=End Of File=-

And yes, Hiren's BootCD is pretty great, a handy tool.
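The driver swap in post #10 and the SystemLook check in posts #12 and #13 come down to one question: does the live iaStor.sys match the vendor backup by MD5 and size, and is the renamed .bad copy still on disk? Here is that check as an added Python example, not a tool from the thread, parsing SystemLook filefind lines with the post #13 log embedded as constructed sample input; file_md5 is an assumed helper for repeating the comparison directly against files.

```python
import hashlib
import re

# One SystemLook "filefind" result line, in the layout posted in the thread:
#   <path> <attrs> <size> bytes [<modified>] [<created>] <MD5 | (Unable to calculate MD5)>
FILEFIND_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
    r"\[(?P<modified>[^\]]+)\] \[(?P<created>[^\]]+)\] (?P<md5>.+)$"
)

# Constructed sample input: the filefind log from post #13, after the driver swap.
AFTER_SWAP_LOG = r"""
========== filefind ==========

Searching for "*iastor.sys*"
C:\WINDOWS\dell\iastor\iastor.sys --a--c 250368 bytes [22:44 21/02/2006] [22:44 21/02/2006] 88B1943ECFF661F765228099138CF6AB
C:\WINDOWS\system32\drivers\iastor.sys --a--- 250368 bytes [14:51 03/02/2010] [22:44 21/02/2006] 88B1943ECFF661F765228099138CF6AB
C:\WINDOWS\system32\drivers\iaStor.sys.bad --a--- 250368 bytes [22:44 21/02/2006] [22:44 21/02/2006] (Unable to calculate MD5)

-=End Of File=-
"""

def parse_filefind(log):
    """One dict per result line; md5 is None when SystemLook could not hash the file."""
    entries = []
    for line in log.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, "Searching for", "-=End Of File=-"
        e = m.groupdict()
        e["size"] = int(e["size"])
        md5 = e["md5"].strip()
        e["md5"] = md5.upper() if re.fullmatch(r"[0-9A-Fa-f]{32}", md5) else None
        entries.append(e)
    return entries

def check_driver(entries, live_path, backup_path):
    """Findings comparing the live driver with its backup; [] means a clean match."""
    by_path = {e["path"].lower(): e for e in entries}
    live, backup = by_path.get(live_path.lower()), by_path.get(backup_path.lower())
    if live is None or backup is None:
        return ["live copy or backup copy missing from log"]
    findings = []
    if live["md5"] is None:
        findings.append("live copy: MD5 could not be calculated")
    elif live["md5"] != backup["md5"]:
        findings.append("live copy: MD5 differs from backup")
    if live["size"] != backup["size"]:
        findings.append("live copy: size differs from backup")
    for e in entries:
        if e is live or e is backup:
            continue
        # Anything else matching the pattern is a leftover, e.g. the renamed .bad file
        why = "unreadable MD5" if e["md5"] is None else "extra copy"
        findings.append(f"leftover ({why}): {e['path']}")
    return findings

def file_md5(path):
    """Assumed helper: MD5 of a file on disk, to repeat the comparison without SystemLook."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest().upper()
```

On the post #13 log this reports only the leftover .bad file, which is exactly what post #14 then asks to delete. A hash read from inside a running system can be answered by a kernel hook rather than by the disk, so an offline boot, as used in the thread, remains the stronger check.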

miekiemoes
post Feb 3 2010, 10:11 PM
Post #14

Hi,

Please navigate to and delete the C:\WINDOWS\system32\drivers\iaStor.sys.bad file (the bad one you renamed previously; make sure you don't try to delete the iastor.sys file).

Then, go to Start > Run and copy and paste the next command in the field:

ComboFix /Uninstall

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Then, please delete the modified version of malwarebytes from your desktop and redownload and install it again from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


wohsthere
post Feb 3 2010, 10:19 PM
Post #15

I'm having a little problem deleting the iastor.sys.bad file. Every time I try to delete it I am not allowed; I get an error saying: Access is denied.
Make sure the disk is not full or write-protected and that the file is not currently in use.

wohsthere
post Feb 3 2010, 10:21 PM
Post #16

Disregard that last comment, I was able to delete that and I am now moving on to the other steps you listed above.

wohsthere
post Feb 3 2010, 10:53 PM
Post #17

Malwarebytes' Anti-Malware 1.44
Database version: 3686
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2/3/2010 5:44:03 PM
mbam-log-2010-02-03 (17-44-03).txt

Scan type: Quick Scan
Objects scanned: 123517
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\F5JMWNZTHI (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ROUA3O12PW (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\wallpaper (Hijack.Wallpaper) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\info.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\Local Settings\temp\8.tmp (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\ucayijev.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.




---------------------------------------------------------------------------------------------------------------------------------------------




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:51 PM, on 2/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\SYMANT~1\vptray.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe
C:\Program Files\WMP54GS Wireless Network Monitor\WMP54G.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] c:\PROGRA~1\SYMANT~1\\vptray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Orb] "C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe" /background
O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF2761.cfxxe" /c "C:\ComboFix\C.bat"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - S-1-5-18 Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {2EDF75C0-5ABD-49f9-BAB6-220476A32034} (System Requirements Lab) - http://ea-src-cdn.systemrequirementslab.co...reqlab_srlx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - c:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - c:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - c:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WMP54GSVC - GEMTEKS - C:\Program Files\WMP54GS Wireless Network Monitor\WLService.exe

--
End of file - 9889 bytes

miekiemoes
post Feb 4 2010, 06:24 AM
Post #18

Hi,

Start HijackThis, click scan and check next entry in it:

O4 - HKLM\..\Run: [combofix] "C:\ComboFix\CF2761.cfxxe" /c "C:\ComboFix\C.bat"

Click the fix checked button below.

The rest looks OK again.

Let me know in your next reply how things are now.


wohsthere
post Feb 4 2010, 05:34 PM
Post #19

Ok, I took out that entry with HijackThis and everything seems to be running OK. I ran Spybot Search & Destroy and Malwarebytes again and nothing came back to fix. Do we need to do anything else, or does everything seem to be fixed for the most part? I really appreciate you walking me through all these steps by the way; I can't thank you enough.

miekiemoes
post Feb 4 2010, 05:40 PM
Post #20

Hi,

Everything should be OK now though. However, there's one more and important thing, and that's to make sure this won't happen again, so please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

