# no user login screen



## iltos (Jun 13, 2004)

windows vista home premium
dell inspiron 1525
avast free version

i got home from running some errands to a blank screen with a working cursor....it's not a bsod

my daughter's boyfriend is real apologetic, said he downloaded a game ....then extracted it onto my desktop....tried the .exe file and nothing happened, so he tried the readme file

got a "notepad is not working" message and clicked on the "find a solution the web" link

got a "firefox is not working" message

at this point he panicked, i guess, and deleted the game folder and the zipped .rar file and shut down.

rebooted, entered the computer password (yes my daughter knows it), and everything seemed fine, 'cept he never got to the windows icon that precedes the user login prompt....it's just sittin on the dark screen with the working cursor....no harddrive activity whatsoever (near as i can tell, anyway)

so i shut down and booted into safe mode, and i see a lot of error messages in the event log surrounding this game. windows security/firewall is turned off and won't turn on (i don't know if this is normal for safe mode or not.....pretty much a technodope). tried a system restore to a time early this morning when i downloaded some updates, and rebooted....no difference

i logged in in safe mode again and changed the boot settings to safe mode with diagnostics (thinking that might help....remember, technodope).....booting up that way leaves me at the same screen as a normal boot.

i'm currently running a scan through avast, and plan on posting a hijack this log as soon as i can...

but i wanted to lay this out and see what sort of comments y'all got.


----------



## DaveBurnett (Nov 11, 2002)

Change the password.
Shoot the boyfriend.
This sounds like a nasty virus.
Get hold of Malwarebytes and SuperAntispyware and run them.


----------



## iltos (Jun 13, 2004)

DaveBurnett said:


> Change the password.
> Shoot the boyfriend.
> This sounds like a nasty virus.
> Get hold of Malwarebytes and SuperAntispyware and run them.


fwiw, here's the hijackthis log from safe mode

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:59 PM, on 10/18/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
G:\hijackthis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by Dell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Users\Bob\rpbrowserrecordplugin.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User '?')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User '?')
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O13 - Gopher Prefix: 
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

--
End of file - 4002 bytes


----------



## aka Brett (Nov 25, 2008)

Boot f8 menu and select
Last Known good configuration


----------



## iltos (Jun 13, 2004)

aka Brett said:


> Boot f8 menu and select
> Last Known good configuration


it's a good thought, but f8 isn't doing anything at the moment: i've restored back to a point before yesterday's updates with no difference, as well

other scans, as suggested, found nothing more than the usual adware i always collect

i think the only thing left to do is make a startup repair disk, and try that


----------



## Cookiegal (Aug 27, 2003)

The safe mode log doesn't tell us anything.

Are the deleted files still in the recycle bin? I'd like to know the name of that game's executable.

Can you post those error messages please?

Can you boot to safe mode with networking and get on-line?


----------



## aka Brett (Nov 25, 2008)

iltos said:


> i think the only thing left to do is make a startup repair disk, and try that


The windows dvd that came with your dell 1525 already has the files..boot the dvd.......you will see the options.
To boot that dvd you need to start tapping f12 after powering up then select boot the dvd....this is a one time boot option thus preventing you from having to change bios settings

For what it's worth..the memory that came in these units is junk. Mine failed twice...and a friend of mine has one of these units; his also failed...you can have some very strange symptoms with failing ram...If you can boot to f12 and select diagnostics, it will check the ram


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> The safe mode log doesn't tell us anything.


i thought as much



> Are the deleted files still in the recycle bin?


nope



> Can you boot to safe mode with networking and get on-line?


yes....i'm posting that way at the moment



> I'd like to know the name of that game's executable.
> Can you post those error messages please?


sure....in the interests of being thorough, here's the whole timeline....there are two about the game (in red)

1. this is an error that occurred downloading the upgrades yesterday morning around 6:00am (10/18)


> + System
> 
> - Provider
> 
> ...


2. this is the error from the game that was downloaded


> + System
> 
> - Provider
> 
> ...


3. here is notepad's failure to open


> + System
> 
> - Provider
> 
> ...


4. another error message from the game (a few minutes later)


> + System
> 
> - Provider
> 
> ...


5. another notepad error


> + System
> 
> - Provider
> 
> ...


6. and another one, a few seconds later


> + System
> 
> - Provider
> 
> ...


7. then a firefox error


> + System
> 
> - Provider
> 
> ...


8. another error, 45 seconds later...i've no idea what this is


> + System
> 
> - Provider
> 
> ...


9. there are two of these, back to back, after firefox refused to open


> + System
> 
> - Provider
> 
> ...





> + System
> 
> - Provider
> 
> ...


10. then, about 9 minutes later, there's this...i'm just guessing this is about the time the boyfriend tried to reboot


> + System
> 
> - Provider
> 
> ...


then this, seconds later


> + System
> 
> - Provider
> 
> ...


11. then this, a few hours later....pretty sure this is from the first time i tried a normal boot.


> + System
> 
> - Provider
> 
> ...


12. and for reference, here's the error from a try at a normal boot this morning.


> + System
> 
> - Provider
> 
> ...


----------



## iltos (Jun 13, 2004)

aka Brett said:


> The windows dvd that came with your dell 1525 already has the files..boot the dvd.......you will see the options.


bingo!!!....right you are :up:



> For what it's worth..the memory that came in these units is junk. Mine failed twice...and a friend of mine has one of these units; his also failed...you can have some very strange symptoms with failing ram...If you can boot to f12 and select diagnostics, it will check the ram


NOW you tell me 
that might explain why CS3 started acting odd last week, tho


----------



## aka Brett (Nov 25, 2008)

You never asked


----------



## Cookiegal (Aug 27, 2003)

You have a TDSS rootkit infection. 

I trust you have backed up any important documents, photos, etc. If not, I suggest you do so now as the machine is unstable.

Please visit *Combofix Guide & Instructions* for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read *HERE* for an article written by dvk01 on why we disable autoruns.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> You have a TDSS rootkit infection.
> 
> I trust you have backed up any important documents, photos, etc. If not, I suggest you do so now as the machine is unstable.
> 
> ...


yuck ....
ok....security's off, and puppy is on the desktop
one quick question....should i leave normal boot on (for the puppy.exe reboots), or set it to one of the safe mode options?


----------



## Cookiegal (Aug 27, 2003)

iltos said:


> yuck ....
> ok....security's off, and puppy is on the desktop
> one quick question....should i leave normal boot on (for the puppy.exe reboots), or set it to one of the safe mode options?


Leave it on normal boot. After puppy runs, it may be able to boot normally. You should never use the forced safe boot as that can backfire and result in an infinite reboot loop.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Leave it on normal boot. After puppy runs, it may be able to boot normally. You should never use the forced safe boot as that can backfire and result in an infinite reboot loop.


got'cha 
thanks....
here's hoping


----------



## iltos (Jun 13, 2004)

that didn't take very long 
still in safe mode, tho.....so we're not done yet

here's the puppy log and a new hjt log
btw...combo fix tells me i've got super anti-spyware running....and it's not on my computer (i ran it remotely yesterday)

anyway....combo fix log here....hjt, next post.
ComboFix 09-10-18.06 - Bob 10/19/2009 12:33.1.2 - NTFSx86 NETWORK
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.3573.3004 [GMT -7:00]
Running from: c:\users\Bob\Desktop\puppy.exe
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2773397201-2855733099-4214572315-500
c:\$recycle.bin\S-1-5-21-308377154-4036065607-1672078067-1001
c:\$recycle.bin\S-1-5-21-308377154-4036065607-1672078067-1002
c:\$recycle.bin\S-1-5-21-308377154-4036065607-1672078067-1003
c:\$recycle.bin\S-1-5-21-308377154-4036065607-1672078067-500
C:\install.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\oem8.inf

.
((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.

2009-10-19 03:49 . 2009-10-19 03:49	--------	d-----w-	c:\users\Bob\AppData\Roaming\Malwarebytes
2009-10-19 03:49 . 2009-09-10 21:54	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 03:49 . 2009-10-19 03:49	--------	d-----w-	c:\programdata\Malwarebytes
2009-10-19 03:49 . 2009-10-19 03:49	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-10-19 03:49 . 2009-09-10 21:53	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-10-19 03:04 . 2009-10-19 03:04	--------	d-----w-	c:\users\Bob\AppData\Roaming\SUPERAntiSpyware.com
2009-10-19 03:04 . 2009-10-19 03:04	--------	d-----w-	c:\programdata\SUPERAntiSpyware.com
2009-10-18 23:37 . 2009-10-19 13:40	--------	d-----w-	c:\windows\system32\wbem\repository
2009-10-15 13:26 . 2009-09-14 09:44	144896	----a-w-	c:\windows\system32\drivers\srv2.sys
2009-10-15 13:26 . 2009-09-10 17:30	213504	----a-w-	c:\windows\system32\msv1_0.dll
2009-10-15 13:26 . 2009-08-05 14:22	3597896	----a-w-	c:\windows\system32\ntkrnlpa.exe
2009-10-15 13:26 . 2009-08-05 14:22	3546184	----a-w-	c:\windows\system32\ntoskrnl.exe
2009-10-15 13:26 . 2009-09-04 12:24	61440	----a-w-	c:\windows\system32\msasn1.dll
2009-10-15 13:26 . 2009-04-02 12:37	604672	----a-w-	c:\windows\system32\WMSPDMOD.DLL
2009-10-03 12:00 . 2009-10-01 17:29	195440	----a-w-	c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-19 19:35 . 2009-05-05 14:25	6648	----a-w-	c:\users\Bob\AppData\Local\d3d9caps.dat
2009-10-18 23:59 . 2009-08-12 17:55	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-10-18 23:32 . 2009-03-05 16:51	--------	d-----w-	c:\programdata\HP Product Assistant
2009-09-10 16:48 . 2009-09-10 16:48	118784	----a-w-	C:\J3rhaO9w.exe
2009-09-10 16:48 . 2009-09-10 16:48	--------	d-----w-	c:\program files\Company
2009-09-10 16:48 . 2009-09-10 16:48	7984187	----a-w-	C:\ErosAdv03Full.exe
2009-09-04 21:09 . 2008-06-06 15:55	--------	d-----w-	c:\program files\Google
2009-09-04 21:08 . 2009-09-04 21:08	--------	d-----w-	c:\programdata\Google Updater
2009-09-04 21:08 . 2009-09-04 21:08	1246328	----a-w-	c:\program files\Google Updater.exe
2009-09-03 18:00 . 2009-09-03 18:00	--------	d-----w-	c:\program files\Microsoft Silverlight
2009-08-29 15:15 . 2009-03-05 14:13	--------	d-----w-	c:\program files\Java
2009-08-28 12:39 . 2009-09-02 13:38	28672	----a-w-	c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 13:38	4240384	----a-w-	c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-23 21:30 . 2008-08-25 18:20	60376	----a-w-	c:\users\Bob\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-21 16:52 . 2008-09-01 22:51	--------	d-----w-	c:\program files\Mozilla Thunderbird
2009-08-17 16:10 . 2008-08-26 01:28	1279456	----a-w-	c:\windows\system32\aswBoot.exe
2009-08-17 16:05 . 2008-08-26 01:28	114768	----a-w-	c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-08-26 01:28	20560	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:05 . 2008-08-26 01:28	53328	----a-w-	c:\windows\system32\drivers\aswMonFlt.sys
2009-08-17 16:04 . 2008-08-26 01:28	51376	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-08-26 01:28	23152	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:02 . 2008-08-26 01:28	97480	----a-w-	c:\windows\system32\AvastSS.scr
2009-08-14 17:07 . 2009-09-12 14:41	897608	----a-w-	c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-12 14:41	104960	----a-w-	c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-12 14:41	17920	----a-w-	c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-12 14:41	9728	----a-w-	c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-12 14:41	17920	----a-w-	c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-12 14:41	11264	----a-w-	c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-12 14:41	27136	----a-w-	c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-12 14:41	19968	----a-w-	c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-12 14:41	8704	----a-w-	c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-12 14:41	10240	----a-w-	c:\windows\system32\finger.exe
2009-07-25 12:23 . 2008-12-14 16:42	411368	----a-w-	c:\windows\system32\deploytk.dll
2008-06-06 15:49 . 2008-06-06 15:49	76	--sh--r-	c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-23 185872]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-06 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-6 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-06 16:02	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

S1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [8/25/2008 6:28 PM 114768]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [6/6/2008 3:34 AM 73728]
S2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [8/25/2008 6:28 PM 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [8/25/2008 6:28 PM 53328]
S2 gupdate1ca2da3ff288ddd;Google Update Service (gupdate1ca2da3ff288ddd);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2009 2:09 PM 133104]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [6/6/2008 11:31 AM 111616]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [6/6/2008 11:30 AM 235648]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [6/6/2008 11:30 AM 7424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 21:08]

2009-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:09]

2009-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\l0d4t1gv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Bob\Netscape6\nppl3260.dll
FF - plugin: c:\users\Bob\Netscape6\nprjplug.dll
FF - plugin: c:\users\Bob\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-SUPERAntiSpyware - g:\superantispyware\SUPERAntiSpyware.exe
HKLM-RunOnce-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 12:41
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-19 12:44
ComboFix-quarantined-files.txt 2009-10-19 19:44

Pre-Run: 171,291,848,704 bytes free
Post-Run: 173,635,080,192 bytes free

- - End Of File - - 66EEBF5B6B861961EB6404416368763E
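The ComboFix "Find3M Report" above is the part of the log a helper reads first: it shows that `C:\J3rhaO9w.exe`, `C:\ErosAdv03Full.exe` and the folder `c:\program files\Company` were all created in the same minute (2009-09-10 16:48), which is why that folder draws a question in the next reply. The following script is an added example, not something posted in this thread or part of ComboFix; it parses lines in that listing layout, flags executables sitting at the drive root and hidden+system files, and then applies temporal clustering (anything created in the same minute as a flagged root executable is marked for review). The sample lines are copied from the log above; the flag names and heuristics are my own and are review signals, not verdicts.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Extensions treated as executable content for the root-of-drive check.
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com", ".bat", ".cmd", ".pif"}

# One ComboFix file-listing line: "<modified> . <created>\t<size>\t<attrs>\t<path>"
LINE_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\t"
    r"(?P<size>\S+)\t(?P<attrs>\S+)\t(?P<path>.+)$"
)

# Sample lines copied from the thread's Find3M report (tabs written as \t so
# they survive copy/paste); headers and "." separator lines are ignored.
SAMPLE_LOG = "\n".join([
    "(((((((((((( Find3M Report ))))))))))))",
    ".",
    "2009-10-19 19:35 . 2009-05-05 14:25\t6648\t----a-w-\tc:\\users\\Bob\\AppData\\Local\\d3d9caps.dat",
    "2009-10-18 23:59 . 2009-08-12 17:55\t--------\td-----w-\tc:\\program files\\Common Files\\Wise Installation Wizard",
    "2009-09-10 16:48 . 2009-09-10 16:48\t118784\t----a-w-\tC:\\J3rhaO9w.exe",
    "2009-09-10 16:48 . 2009-09-10 16:48\t--------\td-----w-\tc:\\program files\\Company",
    "2009-09-10 16:48 . 2009-09-10 16:48\t7984187\t----a-w-\tC:\\ErosAdv03Full.exe",
    "2009-08-17 16:10 . 2008-08-26 01:28\t1279456\t----a-w-\tc:\\windows\\system32\\aswBoot.exe",
    "2008-06-06 15:49 . 2008-06-06 15:49\t76\t--sh--r-\tc:\\windows\\CT4CET.bin",
])


@dataclass
class Entry:
    modified: str
    created: str
    size: Optional[int]          # None for directories ("--------")
    attrs: str
    path: str
    flags: List[str] = field(default_factory=list)

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def is_executable(self) -> bool:
        # ntpath handles backslash paths correctly even on a non-Windows host.
        return not self.is_dir and ntpath.splitext(self.path)[1].lower() in EXEC_EXT

    @property
    def at_drive_root(self) -> bool:
        return re.fullmatch(r"[A-Za-z]:\\", ntpath.dirname(self.path)) is not None


def parse_entries(log_text: str) -> List[Entry]:
    """Return one Entry per file-listing line; non-matching lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        size = None if m["size"] == "--------" else int(m["size"])
        entries.append(Entry(m["modified"], m["created"], size, m["attrs"], m["path"]))
    return entries


def analyze(log_text: str) -> List[Entry]:
    """Attach review flags to each entry (heuristics chosen for this example)."""
    entries = parse_entries(log_text)
    by_created = defaultdict(list)
    for e in entries:
        if e.is_executable and e.at_drive_root:
            e.flags.append("root_executable")       # binaries dropped at C:\ are unusual
        if "s" in e.attrs and "h" in e.attrs:
            e.flags.append("hidden_system")         # hidden + system attribute set
        by_created[e.created].append(e)
    # Temporal clustering: anything written in the same minute as a flagged
    # root executable most likely came from the same installer.
    for group in by_created.values():
        if any("root_executable" in e.flags for e in group):
            for e in group:
                if "root_executable" not in e.flags:
                    e.flags.append("created_with_root_executable")
    return entries


def flagged_paths(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged path to its list of flags, in log order."""
    return {e.path: e.flags for e in analyze(log_text) if e.flags}


if __name__ == "__main__":
    for path, flags in flagged_paths(SAMPLE_LOG).items():
        print(f"{', '.join(flags):32} {path}")
```

Run against the sample, the two root executables and the `Company` folder come out together and `CT4CET.bin` is listed for its attributes, while `aswBoot.exe` (avast, in system32) and `d3d9caps.dat` are not flagged. The clustering step is the useful part: it turns one obviously odd file into a small set of related artifacts to ask about, which is exactly the question the next post raises.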


----------



## iltos (Jun 13, 2004)

and the hijack log...at least it's longer than yesterday's....that must be good, huh?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:10 PM, on 10/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Users\Bob\rpbrowserrecordplugin.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca2da3ff288ddd) (gupdate1ca2da3ff288ddd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8358 bytes


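The O4 (autostart), O20 (AppInit_DLLs) and O23 (service) lines in a log like the one above are what a helper reads by eye, looking for programs started from odd places (the root of C:\, a user's temp or AppData folder) or services with no vendor string. As an added example, not part of this thread and not HijackThis's own code, here is a small Python helper that applies those checks to a few constructed sample lines (some copied from the log above, plus invented `ExampleLoader` and `ExampleSvc` entries with made-up paths). The list of trusted directories and the fixed expansion of `%ProgramFiles%` are assumptions made for this example.

```python
import re

# Line shapes understood by this helper. The regexes are this example's own
# reading of the HijackThis log format, not anything published by the tool.
LINE_RES = {
    "O4":  re.compile(r'^O4 - (?:[^:]+): (?:\[(?P<name>[^\]]*)\] |(?P<lnk>.+?\.lnk) = )(?P<cmd>.*)$'),
    "O20": re.compile(r'^O20 - AppInit_DLLs: (?P<cmd>.*)$'),
    "O23": re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<cmd>.*)$'),
}

# First quoted or unquoted program path on a command line, arguments dropped.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|dll|sys|scr|com|bat|cmd))"?(?:\s|$)', re.IGNORECASE)

# Directories under which installed software normally lives (assumption for
# this example; tune per machine).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\progra~1\\",
)

def executable_path(cmd):
    """Return the program path from a command line, without quotes or arguments.
    %ProgramFiles% is expanded to a fixed value so the example runs offline."""
    cmd = cmd.strip().replace("%ProgramFiles%", r"C:\Program Files")
    m = EXE_RE.match(cmd)
    path = m.group("path") if m else cmd.split(" ", 1)[0]
    return path.strip('"')

def reasons_for(kind, fields, path):
    """List the reasons an entry deserves a closer look (empty list = nothing odd)."""
    low = path.lower()
    reasons = []
    if "\\" in low and not low.startswith(TRUSTED_PREFIXES):
        reasons.append("executable outside Windows/Program Files")
    if re.match(r'^[a-z]:\\[^\\]+$', low):
        reasons.append("executable sits in the root of a drive")
    if "\\temp\\" in low or "\\appdata\\" in low:
        reasons.append("executable under a user profile or temp directory")
    if kind == "O20":
        reasons.append("AppInit_DLLs loads this DLL into every GUI process")
    if kind == "O23" and (fields.get("vendor") or "").lower() == "unknown owner":
        reasons.append("service binary carries no vendor information")
    return reasons

def triage(log_lines):
    """Parse O4/O20/O23 lines and return (line, path, reasons) for entries worth checking."""
    findings = []
    for line in log_lines:
        line = line.strip()
        for kind, rx in LINE_RES.items():
            m = rx.match(line)
            if not m:
                continue
            path = executable_path(m.group("cmd"))
            reasons = reasons_for(kind, m.groupdict(), path)
            if reasons:
                findings.append((line, path, reasons))
            break
    return findings

# Constructed sample: real-looking lines copied from the log above plus two
# invented entries (ExampleLoader, ExampleSvc) with made-up paths.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ExampleLoader] C:\example-loader.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: ExampleSvc - Unknown owner - C:\Users\example\AppData\Local\Temp\examplesvc.exe
""".strip().splitlines()

if __name__ == "__main__":
    for line, path, reasons in triage(SAMPLE_LOG):
        print(path)
        for r in reasons:
            print("   -", r)
```

A hit is a prompt to look at the file (for instance by uploading it to a multi-engine scanner, as suggested later in this thread), not a verdict: the Dell wireless tray service shows as "Unknown owner" in the genuine log above and is a normal OEM component, and the AppInit_DLLs entry belongs to a Google component. The value of the script is that it never skips a line the way a tired eye does.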
----------



## Cookiegal (Aug 27, 2003)

Is this a folder you created intentionally?

c:\program files\Company


----------



## Cookiegal (Aug 27, 2003)

Also, please do this:

Go to the link below and upload the following file(s) for analysis and let me know what the results are please:

http://virusscan.jotti.org/

C:\J3rhaO9w.exe
C:\ErosAdv03Full.exe


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Is this a folder you created intentionally?
> 
> c:\program files\Company


never heard of it 
it contains something called spreadcryptic.exe, an uninstall.exe file and an uninstall.ini
from http://www.greatis.com/appdata/d/s/spread.exe.htm


> spread.exe - Dangerous
> spread.exe
> Spread.exe is Win32.Lioten.Z (a combination of the backdoor functionality of Win32.Sdbot).
> Related files:
> ...


----------



## Cookiegal (Aug 27, 2003)

You said the file name was spreadcryptic.exe not spread.exe. I can't find anything on spreadcryptic.exe.

Did you run those other files through the Jotti analyzer? Please do the same with this one.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Also, please do this:
> 
> Go to the link below and upload the following file(s) for analysis and let me know what the results are please:
> 
> ...


you have a keen eye, Cookiegal 
screen shots are attached, if you'd like to see the specific results from individual scans

for C:\J3rhaO9w.exe, the results are 6/21 scanners see it as nasty


> File size: 118784 bytes
> Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
> MD5: ffd3a97a974f1cf7efa4930d8df3a492
> SHA1: 2a6c02cb18d0565bd5b94aec7cef70a0011f423e


for C:\ErosAdv03Full.exe, 3/21 see it as nasty...it's huge file and the title makes me wonder if it's another game 


> File size: 7984187 bytes
> Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
> MD5: 00db96647cad26828269015645d53c1a
> SHA1: 244aa30e59bb4c4d1a6aff750a3fdeb819d25a8e
> Packer (Kaspersky): UPX


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> You said the file name was spreadcryptic.exe not spread.exe. I can't find anything on spreadcryptic.exe.
> 
> Did you run those other files through the Jotti analyzer? Please do the same with this one.


good call....but the results are about the same 
permalink to the spreadcryptic results
http://virusscan.jotti.org/en/scanresult/2dac5b62bf6eecc50aedb18ae9f7ef67e1144c3c


----------



## Cookiegal (Aug 27, 2003)

The second one is a game called Eros Adventure. Shall we nuke it?

I see you have MalwareBytes so I assume you did a scan. Did it detect anything? If so, can you post the log so I can see what it removed? Otherwise, please update it now and run a scan and post that log.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> The second one is a game called Eros Adventure. Shall we nuke it?


definitely...i don't do "eros" on the web 



> I see you have MalwareBytes so I assume you did a scan. Did it detect anything? If so, can you post the log so I can see what it removed? Otherwise, please update it now and run a scan and post that log.


now i see why you get paid the big bucks for working here :up:
i DID do a scan yesterday (log below).....one infected item 
buy you some ice cream if you can guess what it is 
all i saw was "Adware.Eshoper" 
says it was quarantined and deleted....why is it still there?

the log


> Malwarebytes' Anti-Malware 1.41
> Database version: 2982
> Windows 6.0.6001 Service Pack 1 (Safe Mode)
> 
> ...


----------



## Cookiegal (Aug 27, 2003)

iltos said:


> good call....but the results are about the same
> permalink to the spreadcryptic results
> http://virusscan.jotti.org/en/scanresult/2dac5b62bf6eecc50aedb18ae9f7ef67e1144c3c


I see no detections there.


----------



## Cookiegal (Aug 27, 2003)

iltos said:


> definitely...i don't do "eros" on the web


I didn't think so. Actually, it appears to be something about asteroids and space. I don't see the eros connection.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> I see no detections there.


6/21 scans called it malware....doesn't that mean it's bad?
did the permalink take you to the results?
do i even know what i'm talking about?


----------



## Cookiegal (Aug 27, 2003)

When I click on your link it says "no result available" for each scanner. I'm not sure what that means because it should say nothing found. Can you try running it through again?


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> When I click on your link it says "no result available" for each scanner. I'm not sure what that means because it should say nothing found. Can you try running it through again?


it won't scan it again...says it's already been scanned, and dumps me back to the same page
here's the screen shot of the results, tho...
does that help?


----------



## Cookiegal (Aug 27, 2003)

OK, that's better. The one in the link wasn't the same.

Open Notepad and copy and paste the text in the code box below into it:


```
File::
C:\J3rhaO9w.exe
C:\ErosAdv03Full.exe
C:\Program Files\Company\NewProduct\ErosAdv03Full.exe

DirLook::
C:\Program Files\Company\NewProduct
C:\Program Files\Company
```
Save the file to your desktop and name it CFScript.txt

Referring to the picture below, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply together with a new HijackThis log.

*Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.*

Then also do this please.

Download GMER from: http://gmer.net/index.php

Save it on your desktop and unzip it.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Open Notepad and copy and paste the text in the code box below into it:
> Post the contents of Combofix.txt in your next reply together with a new HijackThis log.


combo fix log, after script drop....new hjt in next post

ComboFix 09-10-19.01 - Bob 10/19/2009 16:52.1.2 - NTFSx86 NETWORK
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.3573.2886 [GMT -7:00]
Running from: c:\users\Bob\Desktop\puppy.exe
Command switches used :: c:\users\Bob\Desktop\CFScript.txt
SP: SUPERAntiSpyware *enabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

FILE ::
"C:\ErosAdv03Full.exe"
"C:\J3rhaO9w.exe"
"c:\program files\Company\NewProduct\ErosAdv03Full.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\ErosAdv03Full.exe
C:\J3rhaO9w.exe

.
((((((((((((((((((((((((( Files Created from 2009-09-19 to 2009-10-19 )))))))))))))))))))))))))))))))
.

2009-10-19 23:58 . 2009-10-19 23:58	--------	d-----w-	c:\users\Bob\AppData\Local\temp
2009-10-19 23:58 . 2009-10-19 23:58	--------	d-----w-	c:\users\Public\AppData\Local\temp
2009-10-19 23:58 . 2009-10-19 23:58	--------	d-----w-	c:\users\Default\AppData\Local\temp
2009-10-19 23:49 . 2009-10-19 23:50	--------	d-----w-	C:\puppy
2009-10-19 19:54 . 2009-10-19 19:56	--------	d-----w-	C:\hjt
2009-10-19 03:49 . 2009-10-19 03:49	--------	d-----w-	c:\users\Bob\AppData\Roaming\Malwarebytes
2009-10-19 03:49 . 2009-09-10 21:54	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 03:49 . 2009-10-19 03:49	--------	d-----w-	c:\programdata\Malwarebytes
2009-10-19 03:49 . 2009-10-19 03:49	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-10-19 03:49 . 2009-09-10 21:53	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-10-19 03:04 . 2009-10-19 03:04	--------	d-----w-	c:\users\Bob\AppData\Roaming\SUPERAntiSpyware.com
2009-10-19 03:04 . 2009-10-19 03:04	--------	d-----w-	c:\programdata\SUPERAntiSpyware.com
2009-10-18 23:37 . 2009-10-19 13:40	--------	d-----w-	c:\windows\system32\wbem\repository
2009-10-15 13:26 . 2009-09-14 09:44	144896	----a-w-	c:\windows\system32\drivers\srv2.sys
2009-10-15 13:26 . 2009-09-10 17:30	213504	----a-w-	c:\windows\system32\msv1_0.dll
2009-10-15 13:26 . 2009-08-05 14:22	3597896	----a-w-	c:\windows\system32\ntkrnlpa.exe
2009-10-15 13:26 . 2009-08-05 14:22	3546184	----a-w-	c:\windows\system32\ntoskrnl.exe
2009-10-15 13:26 . 2009-09-04 12:24	61440	----a-w-	c:\windows\system32\msasn1.dll
2009-10-15 13:26 . 2009-04-02 12:37	604672	----a-w-	c:\windows\system32\WMSPDMOD.DLL
2009-10-03 12:00 . 2009-10-01 17:29	195440	----a-w-	c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-19 19:35 . 2009-05-05 14:25	6648	----a-w-	c:\users\Bob\AppData\Local\d3d9caps.dat
2009-10-18 23:59 . 2009-08-12 17:55	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-10-18 23:32 . 2009-03-05 16:51	--------	d-----w-	c:\programdata\HP Product Assistant
2009-09-10 16:48 . 2009-09-10 16:48	--------	d-----w-	c:\program files\Company
2009-09-04 21:09 . 2008-06-06 15:55	--------	d-----w-	c:\program files\Google
2009-09-04 21:08 . 2009-09-04 21:08	--------	d-----w-	c:\programdata\Google Updater
2009-09-04 21:08 . 2009-09-04 21:08	1246328	----a-w-	c:\program files\Google Updater.exe
2009-09-03 18:00 . 2009-09-03 18:00	--------	d-----w-	c:\program files\Microsoft Silverlight
2009-08-29 15:15 . 2009-03-05 14:13	--------	d-----w-	c:\program files\Java
2009-08-28 12:39 . 2009-09-02 13:38	28672	----a-w-	c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 13:38	4240384	----a-w-	c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-23 21:30 . 2008-08-25 18:20	60376	----a-w-	c:\users\Bob\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-21 16:52 . 2008-09-01 22:51	--------	d-----w-	c:\program files\Mozilla Thunderbird
2009-08-17 16:10 . 2008-08-26 01:28	1279456	----a-w-	c:\windows\system32\aswBoot.exe
2009-08-17 16:05 . 2008-08-26 01:28	114768	----a-w-	c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-08-26 01:28	20560	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:05 . 2008-08-26 01:28	53328	----a-w-	c:\windows\system32\drivers\aswMonFlt.sys
2009-08-17 16:04 . 2008-08-26 01:28	51376	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-08-26 01:28	23152	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:02 . 2008-08-26 01:28	97480	----a-w-	c:\windows\system32\AvastSS.scr
2009-08-14 17:07 . 2009-09-12 14:41	897608	----a-w-	c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-12 14:41	104960	----a-w-	c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-12 14:41	17920	----a-w-	c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-12 14:41	9728	----a-w-	c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-12 14:41	17920	----a-w-	c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-12 14:41	11264	----a-w-	c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-12 14:41	27136	----a-w-	c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-12 14:41	19968	----a-w-	c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-12 14:41	8704	----a-w-	c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-12 14:41	10240	----a-w-	c:\windows\system32\finger.exe
2009-07-25 12:23 . 2008-12-14 16:42	411368	----a-w-	c:\windows\system32\deploytk.dll
2008-06-06 15:49 . 2008-06-06 15:49	76	--sh--r-	c:\windows\CT4CET.bin
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\Company ----

2009-09-10 16:48 . 2009-09-10 16:48	1487	----a-w-	c:\program files\Company\NewProduct\Uninstall.ini
2009-08-22 06:42 . 2009-09-10 16:48	57395	----a-w-	c:\program files\Company\NewProduct\Uninstall.exe
2009-08-22 06:14 . 2009-08-22 06:14	77824	----a-w-	c:\program files\Company\NewProduct\spreadcrypted.exe

---- Directory of c:\program files\Company\NewProduct ----

2009-09-10 16:48 . 2009-09-10 16:48	1487	----a-w-	c:\program files\Company\NewProduct\Uninstall.ini
2009-08-22 06:42 . 2009-09-10 16:48	57395	----a-w-	c:\program files\Company\NewProduct\Uninstall.exe
2009-08-22 06:14 . 2009-08-22 06:14	77824	----a-w-	c:\program files\Company\NewProduct\spreadcrypted.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-23 185872]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-06 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-09-10 420176]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-6 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-06 16:02	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

S1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [8/25/2008 6:28 PM 114768]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [6/6/2008 3:34 AM 73728]
S2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [8/25/2008 6:28 PM 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [8/25/2008 6:28 PM 53328]
S2 gupdate1ca2da3ff288ddd;Google Update Service (gupdate1ca2da3ff288ddd);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2009 2:09 PM 133104]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [6/6/2008 11:31 AM 111616]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [6/6/2008 11:30 AM 235648]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [6/6/2008 11:30 AM 7424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 21:08]

2009-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:09]

2009-10-17 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\l0d4t1gv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Bob\Netscape6\nppl3260.dll
FF - plugin: c:\users\Bob\Netscape6\nprjplug.dll
FF - plugin: c:\users\Bob\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-19 16:58
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

c:\users\Bob\AppData\Local\Temp\catchme.dll 53248 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-19 17:01
ComboFix-quarantined-files.txt 2009-10-20 00:00
ComboFix2.txt 2009-10-19 19:44

Pre-Run: 175,589,691,392 bytes free
Post-Run: 175,566,180,352 bytes free

- - End Of File - - 52404E183D68857CB1B24B0FE0A8C47B


----------



## iltos (Jun 13, 2004)

new hijack log....will run GMER now

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:55 PM, on 10/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Users\Bob\rpbrowserrecordplugin.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca2da3ff288ddd) (gupdate1ca2da3ff288ddd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8403 bytes


----------



## iltos (Jun 13, 2004)

the results of GMER....anything having to do with drivers MAY have something to do with me getting my external HD to work with my HP printer still connected...western digital had no solution, and HP didn't either...there's a thread here somewhere 'bout it.

all i ended up doing tho was disabling one of the printer's drivers.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-19 17:39:05
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Bob\AppData\Local\Temp\pwldqpow.sys

---- Kernel code sections - GMER 1.0.15 ----

? C:\Windows\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\Users\Bob\AppData\Local\Temp\catchme.sys The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown] [741C88B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage] [742098A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI] [741CB9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [741BFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup] [741C7A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC] [741BEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [741FB17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [741CBC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight] [741C074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth] [741C06B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage] [741B71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [7424D848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [741E7379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics] [741BE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree] [741B697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc] [741B69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.exe[1036] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode] [741C2465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\iaStor \Device\Ide\iaStor0 [822496C8] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [822496C8] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


----------



## Cookiegal (Aug 27, 2003)

Please do a search for the following file (showing hidden files) and let me know all of the locations and the size of each one.

*iastor.sys*


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Please do a search for the following file (showing hidden files) and let me know all of the locations and the size of each one.
> 
> *iastor.sys*


C>Windows>System32>drivers>iaStor.sys (297kb)
C>Windows>System32>drivers>iaStor(254).sys (297kb)
C>Windows>System32>drivers>iaStorV.sys (229kb)
C>Windows>System32>DriverStore>FileRepository>iaahci.inf_3a63e5a6>iaStor.sys (298kb)
C>Windows>System32>DriverStore>FileRepository>iastor.inf_5f6e7be5>iaStor.sys (298kb)...
also a iastor.inf and iaStor.cat file
C>Windows>System32>DriverStore>FileRepository>iastor.inf_37cdafa4>iaStorV.sys (226kb)...
also a iastor.inf file
C>Windows>System32>DriverStore>FileRepository>iastor.inf_c9df7691>iaStorV.sys (229kb)...
also a iastor.inf file
C>Drivers>storage>R16620>iastor.sys (297kb)...
also a iastor.inf and iastor.cat file
C>Program File>Intel>Intel Matrix Storage Manager>Driver64>IaStor.sys (373kb)...
also a iastor.inf and iastor.cat file
C>Windows>winsxs>x86_iastorv.inf_31bf3856ad364e35_6.06001.18000_none_af115278>iaStorV.sys (229kb)...
also a iastor.inf file
C>Program File>Intel>Intel Matrix Storage Manager>Driver>IaStor.sys (297kb)...
also a iastor.inf and iastor.cat file


----------



## iltos (Jun 13, 2004)

here's the latest
i tried a normal login and here i am ....on ie7 
beggars can't be choosers 
the shortcuts to firefox are still busted, but notepad works now !
avast seems a little wonky.....realtime protection is working, but the skins for the scanner aren't loading correctly

that's all i've found for the moment
except my printer will work in normal mode :up:


----------



## iltos (Jun 13, 2004)

here's a hijack log, in normal mode

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:58 PM, on 10/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Users\Bob\rpbrowserrecordplugin.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca2da3ff288ddd) (gupdate1ca2da3ff288ddd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9718 bytes


----------



## Cookiegal (Aug 27, 2003)

We need to replace the infected iastor.sys so I need to check for a clean one among the options we have. Please upload each of these to Jotti's and give me the full report back, including the top portion that gives what's called the MD5 checksum.

C:\Windows\system32\drivers\iastor.sys
C:\Drivers\storage\R16620\iastor.sys
C:\Program File\Intel\Intel Matrix Storage Manager\Driver\IaStor.sys
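The comparison Cookiegal is asking for above, done as an added example that is not from the thread: it searches the given roots for every copy of the named driver (exact name only, so iaStorV.sys stays out of the set), computes the MD5/SHA-1/size triple Jotti reports for each, groups identical copies, and flags any copy that differs from a trusted reference hash or, when none is available, from the majority. The directory layout, the driver bytes, the single-byte "modification" and the reference hash are all constructed here to exercise the logic.

```python
import hashlib
import tempfile
from collections import defaultdict
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

FileHash = Tuple[str, str, int]  # (md5 hex, sha1 hex, size in bytes)

# Constructed stand-in for a driver image; not real driver code.
CLEAN_IMAGE = b"MZ" + b"\x90" * 1000 + b"constructed iastor image"
CLEAN_MD5 = hashlib.md5(CLEAN_IMAGE).hexdigest()  # plays the vendor reference hash


def hash_file(path: Path, chunk_size: int = 1 << 16) -> FileHash:
    """Stream the file once and return the same three values Jotti shows."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return md5.hexdigest(), sha1.hexdigest(), size


def find_copies(roots: Iterable[Path], name: str = "iastor.sys") -> List[Path]:
    """Case-insensitive search by exact file name.

    Exact matching keeps iaStorV.sys (a different driver) out of the set,
    which is the 'just those three' distinction made in the thread.
    """
    wanted = name.lower()
    return sorted(
        p for root in roots for p in Path(root).rglob("*")
        if p.is_file() and p.name.lower() == wanted
    )


def group_by_hash(paths: Iterable[Path]) -> Dict[FileHash, List[Path]]:
    """Bucket paths whose contents are byte-for-byte identical."""
    groups: Dict[FileHash, List[Path]] = defaultdict(list)
    for p in paths:
        groups[hash_file(p)].append(p)
    return dict(groups)


def classify(groups: Dict[FileHash, List[Path]],
             reference_md5: Optional[str] = None) -> Dict[str, List[Path]]:
    """Split copies into 'match' and 'outlier'.

    With a trusted reference MD5 a copy matches only if it equals it. Without
    one, the largest group of identical copies is the baseline and every other
    copy is an outlier worth a closer look.
    """
    verdict: Dict[str, List[Path]] = {"match": [], "outlier": []}
    if not groups:
        return verdict
    if reference_md5 is None:
        baseline = max(groups, key=lambda key: len(groups[key]))
        reference_md5 = baseline[0]
    for (md5, _sha1, _size), paths in groups.items():
        verdict["match" if md5 == reference_md5 else "outlier"].extend(paths)
    return verdict


def build_sample_tree(base: Path) -> Path:
    """Lay out a made-up tree mirroring the thread's search results.

    One copy gets a single byte changed, standing in for the 'suspicious
    modification' GMER reported on the copy under system32\\drivers.
    """
    altered = CLEAN_IMAGE[:500] + b"X" + CLEAN_IMAGE[501:]  # same size as clean
    layout = {
        "Windows/System32/drivers/iaStor.sys": altered,
        "Windows/System32/drivers/iaStorV.sys": b"MZ unrelated driver",
        "Drivers/storage/R16620/iastor.sys": CLEAN_IMAGE,
        "Program Files/Intel/Intel Matrix Storage Manager/Driver/IaStor.sys": CLEAN_IMAGE,
    }
    for rel, data in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return base


def triage(roots: Iterable[Path],
           reference_md5: Optional[str] = None) -> Dict[str, List[str]]:
    """Find, hash and classify; return path strings per label."""
    verdict = classify(group_by_hash(find_copies(roots)), reference_md5)
    return {label: [str(p) for p in paths] for label, paths in verdict.items()}


def demo(reference_md5: Optional[str] = None) -> Dict[str, List[str]]:
    """Run the triage against the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage([build_sample_tree(Path(tmp))], reference_md5)


if __name__ == "__main__":
    for label, paths in demo().items():
        print(f"{label}:")
        for p in paths:
            print("   ", p)
```

Identical hashes across every copy do not prove the file on disk is clean: a kernel-mode rootkit living in the storage driver can hand the original image to anything that reads the file, which is why the verdict in this thread rests on the GMER hooks rather than on the scanner results.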


----------



## iltos (Jun 13, 2004)

here's C:\Windows\system32\drivers\iastor.sys....it's clean
and the second one C:\Drivers\storage\R16620\iastor.sys came back as having been scanned before....but here's the "additional info" with the MD5 for comparison to the attached screenshot


> File size: 304920 bytes
> Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
> MD5: 997e8f5939f2d12cd9f2e6b395724c16
> SHA1: 31901f9ced1659e73d001ef9b729d7ed4e110797


----------



## Cookiegal (Aug 27, 2003)

Please do them all nevertheless.


----------



## iltos (Jun 13, 2004)

same with the file in the Intel folder


> File size: 304920 bytes
> Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
> MD5: 997e8f5939f2d12cd9f2e6b395724c16
> SHA1: 31901f9ced1659e73d001ef9b729d7ed4e110797


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Please do them all nevertheless.


do you want me to include the iastorV.sys files, Cookiegal?


----------



## Cookiegal (Aug 27, 2003)

No, just those three please.


----------



## iltos (Jun 13, 2004)

this is the results of the whole list returned by the search last night

1. C>Windows>System32>drivers>iaStor.sys (297kb) CLEAN


> File size: 304920 bytes
> Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
> MD5: 997e8f5939f2d12cd9f2e6b395724c16
> SHA1: 31901f9ced1659e73d001ef9b729d7ed4e110797


2. C>Windows>System32>drivers>iaStor(254).sys (297kb) CLEAN...same info as #1 

3. C>Windows>System32>drivers>iaStorV.sys (229kb) CLEAN


> File size: 235064 bytes
> Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
> MD5: 54155ea1b0df185878e0fc9ec3ac3a14
> SHA1: 28b869c75f28bb6da1d062e35149c37b1e1e364c


4. C>Windows>System32>DriverStore>FileRepository>iaahci.inf_3a63e5a6>iaStor.sys (298kb) CLEAN....same info as #1

5. C>Windows>System32>DriverStore>FileRepository>iastor.inf_5f6e7be5>iaStor.sys (298kb)... CLEAN....same info as #1
also a iastor.inf and iaStor.cat file

6. C>Windows>System32>DriverStore>FileRepository>iastor.inf_37cdafa4>iaStorV.sys (226kb)...CLEAN


> File size: 232040 bytes
> Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
> MD5: c957bf4b5d80b46c5017bf0101e6c906
> SHA1: 6d55e93d8befda104ba70aaad11bfc97e8e27095
> Packer (Kaspersky): PE_Patch


also a iastor.inf file

7. C>Windows>System32>DriverStore>FileRepository>iastor.inf_c9df7691>iaStorV.sys (229kb)...CLEAN...same info as #3
also a iastor.inf file

8. C>Drivers>storage>R16620>iastor.sys (297kb)...CLEAN...same info as #1
also a iastor.inf and iastor.cat file

9. C>Program File>Intel>Intel Matrix Storage Manager>Driver64>IaStor.sys (373kb)...
also a iastor.inf and iastor.cat file CLEAN with 20/21...the Norman scan timed out


> File size: 381720 bytes
> Filetype: PE32+ executable for MS Windows (native) Mono/.Net assembly
> MD5: 9d7ed4275702e2fc409f2cc563245740
> SHA1: 79ce0a9d9170f3bc940325f8c6ccccc851dd81ef


10. C>Windows>winsxs>x86_iastorv.inf_31bf3856ad364e35_6.06001.18000_none_af115278>iaStorV.sys (229kb)...CLEAN...same info as #3...also a iastor.inf file

11. C>Program File>Intel>Intel Matrix Storage Manager>Driver>IaStor.sys (297kb)...CLEAN...same info as #1
also a iastor.inf and iastor.cat file


----------



## iltos (Jun 13, 2004)

oops....guess i got a little carried away


----------



## Cookiegal (Aug 27, 2003)

It looks like we don't have a clean copy to use. Derek and I have been discussing the options at this point and it would probably be best to reinstall the Intel Matrix Storage Manager as this will overwrite all of the iastor.sys files.

Here's a link to it. You can follow the instructions in the ReadMe text file.

http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=17882&lang=eng

Let us know how that goes please.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> It looks like we don't have a clean copy to use. Derek and I have been discussing the options at this point and it would probably be best to reinstall the Intel Matrix Storage Manager as this will overwrite all of the iastor.sys files.
> 
> Here's a link to it. You can follow the instructions in the ReadMe text file.
> 
> ...


ok....(and express my thanks to Derek for his time on this )
but first:
since i'm in WAY over my head now, help me take a big breath. 
first, my curiosity.....if all the iastor.sys files came back clean, how did you determine they're not? i'll understand if it's a matter of experience....'cause i certainly have none
i'm just interested in learning a smidgen more.

but i also want to verify something
in the read me file, these controllers are named


> AHCI Controllers:
> - Intel(R) PCH SATA AHCI Controller
> - Intel(R) PCHM SATA AHCI Controller 4 Port
> - Intel(R) PCHM SATA AHCI Controller 6 Port
> ...


my device manager says that the iastor.sys driver is used by this
Intel(R) 82801HEM/HBM SATA AHCI Controller

Intel makes a big deal about my controller being on the list....technically, it's not, even tho it seems clear it's an ahci controller

one reason i ask is that i've also got this controller
Intel(R) ICH8M Ultra ATA Storage Controllers - 2850
which uses other system files

it's the "ICH8M" that's hanging me up, even tho my brain knows that the two controllers are different animals.

just tell me i can go ahead with the download, based on the ahci controller i've got 

more.....
ok...i found the readme file on my computer for my controller :up:
and started reading more of the text


> 5.1 General Installation Notes
> 
> 1. If you are installing the operating system on a system
> configured for RAID or AHCI mode, you must pre-install
> ...


do either 1 or 2 apply?
or do i just install the download like 3 says?


----------



## Cookiegal (Aug 27, 2003)

It's indicated in the GMER log that this driver is infected and there are other indicators as well. This is the latest "TDSS du jour" and it's just not being detected yet.

Let's go through this in steps. We'll start with number 2 to be sure the Intel(R) Chipset Software Installation Utility is installed, which I'm sure it is as I believe it would have had to be from the start and it's what creates the .inf files. In any event, let's just check to be sure by exporting a registry key that will tell us.

Go to *Start* - *Run* and copy and paste the following:

*regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Intel\InfInst"*

You won't see anything happen and it will only take a second. You will find the report it creates at C:\look.txt. Please open it in Notepad and then copy and paste the report here.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> It's indicated in the GMER log that this driver is infected and there are other indicators as well. This is the latest "TDSS du jour" and it's just not being detected yet.
> 
> Let's go through this in steps.


i'd love to...but let me throw a wrench in the machine....
i just logged on normally....and this new icon popped up....something called "Security Tool" (08376024.exe in C>Program Data)....it started popping up windows about a worm here and a virus there....i shut down and logged in in safe mode w/networking....and here we are .....
jotti gives back this info


> File size: 1050658 bytes
> Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
> MD5: badaa12a2208e71b71e683b5702990d2
> SHA1: 8f5fbae5477b62f841fde2b88b2ea4f0bcbd96ed


and the scan results attached below.

shall i run your procedure from safe mode/command prompt, or is this new development something you'd like to investigate first?


----------



## Cookiegal (Aug 27, 2003)

Please drag the puppy.exe (ComboFix) from your desktop to the recycle bin and download the latest version. Follow the same instructions as before to run a scan and post the new log.

Please visit *Combofix Guide & Instructions* for instructions for downloading and running ComboFix. Rename it to puppy.exe again, as before.

You can still do the export but not from the run box, not a command prompt.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> You can still do the export but not from the run box, not a command prompt.


i don't understand this 

puppy deleted the "security tool"....dare i try a normal boot? (oh...and i just realized i never nuked the "company" folder from program files....gone now)

puppy log:

ComboFix 09-10-20.03 - Bob 10/21/2009 7:24.1.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3573.3046 [GMT -7:00]
Running from: c:\users\Bob\Desktop\puppy.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\08376024
c:\programdata\08376024\08376024.exe
c:\users\Bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.lnk
c:\users\Bob\Desktop\Security Tool.lnk

.
((((((((((((((((((((((((( Files Created from 2009-09-21 to 2009-10-21 )))))))))))))))))))))))))))))))
.

2009-10-21 14:31 . 2009-10-21 14:31	--------	d-----w-	c:\users\Bob\AppData\Local\temp
2009-10-21 14:31 . 2009-10-21 14:31	--------	d-----w-	c:\users\Public\AppData\Local\temp
2009-10-21 14:31 . 2009-10-21 14:31	--------	d-----w-	c:\users\Default\AppData\Local\temp
2009-10-21 00:35 . 2009-10-21 00:35	--------	d-----w-	c:\program files\SystemRequirementsLab
2009-10-21 00:35 . 2009-10-21 00:35	--------	d-----w-	c:\users\Bob\AppData\Roaming\SystemRequirementsLab
2009-10-20 05:05 . 2009-10-20 05:05	--------	d-----w-	c:\program files\SUPERAntiSpyware
2009-10-19 23:49 . 2009-10-19 23:50	--------	d-----w-	C:\puppy
2009-10-19 19:54 . 2009-10-20 04:45	--------	d-----w-	C:\hjt
2009-10-19 03:49 . 2009-10-19 03:49	--------	d-----w-	c:\users\Bob\AppData\Roaming\Malwarebytes
2009-10-19 03:49 . 2009-09-10 21:54	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 03:49 . 2009-10-19 03:49	--------	d-----w-	c:\programdata\Malwarebytes
2009-10-19 03:49 . 2009-10-21 14:09	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-10-19 03:49 . 2009-09-10 21:53	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-10-19 03:04 . 2009-10-19 03:04	--------	d-----w-	c:\users\Bob\AppData\Roaming\SUPERAntiSpyware.com
2009-10-19 03:04 . 2009-10-19 03:04	--------	d-----w-	c:\programdata\SUPERAntiSpyware.com
2009-10-18 23:37 . 2009-10-21 13:26	--------	d-----w-	c:\windows\system32\wbem\repository
2009-10-15 13:26 . 2009-09-14 09:44	144896	----a-w-	c:\windows\system32\drivers\srv2.sys
2009-10-15 13:26 . 2009-09-10 17:30	213504	----a-w-	c:\windows\system32\msv1_0.dll
2009-10-15 13:26 . 2009-08-05 14:22	3597896	----a-w-	c:\windows\system32\ntkrnlpa.exe
2009-10-15 13:26 . 2009-08-05 14:22	3546184	----a-w-	c:\windows\system32\ntoskrnl.exe
2009-10-15 13:26 . 2009-09-04 12:24	61440	----a-w-	c:\windows\system32\msasn1.dll
2009-10-15 13:26 . 2009-04-02 12:37	604672	----a-w-	c:\windows\system32\WMSPDMOD.DLL
2009-10-03 12:00 . 2009-10-01 17:29	195440	------w-	c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-19 19:35 . 2009-05-05 14:25	6648	----a-w-	c:\users\Bob\AppData\Local\d3d9caps.dat
2009-10-18 23:59 . 2009-08-12 17:55	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-10-18 23:32 . 2009-03-05 16:51	--------	d-----w-	c:\programdata\HP Product Assistant
2009-09-10 16:48 . 2009-09-10 16:48	--------	d-----w-	c:\program files\Company
2009-09-04 21:09 . 2008-06-06 15:55	--------	d-----w-	c:\program files\Google
2009-09-04 21:08 . 2009-09-04 21:08	--------	d-----w-	c:\programdata\Google Updater
2009-09-04 21:08 . 2009-09-04 21:08	1246328	----a-w-	c:\program files\Google Updater.exe
2009-09-03 18:00 . 2009-09-03 18:00	--------	d-----w-	c:\program files\Microsoft Silverlight
2009-08-29 15:15 . 2009-03-05 14:13	--------	d-----w-	c:\program files\Java
2009-08-28 12:39 . 2009-09-02 13:38	28672	----a-w-	c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 13:38	4240384	----a-w-	c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-23 21:30 . 2008-08-25 18:20	60376	----a-w-	c:\users\Bob\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-17 16:10 . 2008-08-26 01:28	1279456	----a-w-	c:\windows\system32\aswBoot.exe
2009-08-17 16:05 . 2008-08-26 01:28	114768	----a-w-	c:\windows\system32\drivers\aswSP.sys
2009-08-17 16:05 . 2008-08-26 01:28	20560	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2009-08-17 16:05 . 2008-08-26 01:28	53328	----a-w-	c:\windows\system32\drivers\aswMonFlt.sys
2009-08-17 16:04 . 2008-08-26 01:28	51376	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2009-08-17 16:04 . 2008-08-26 01:28	23152	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2009-08-17 16:02 . 2008-08-26 01:28	97480	----a-w-	c:\windows\system32\AvastSS.scr
2009-08-14 17:07 . 2009-09-12 14:41	897608	----a-w-	c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-12 14:41	104960	----a-w-	c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-12 14:41	17920	----a-w-	c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-12 14:41	9728	----a-w-	c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-12 14:41	17920	----a-w-	c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-12 14:41	11264	----a-w-	c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-12 14:41	27136	----a-w-	c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-12 14:41	19968	----a-w-	c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-12 14:41	8704	----a-w-	c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-12 14:41	10240	----a-w-	c:\windows\system32\finger.exe
2009-07-25 12:23 . 2008-12-14 16:42	411368	----a-w-	c:\windows\system32\deploytk.dll
2008-06-06 15:49 . 2008-06-06 15:49	76	--sh--r-	c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-23 185872]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-06 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-02-27 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-02-27 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-6 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-06 16:02	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

S1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [8/25/2008 6:28 PM 114768]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [6/6/2008 3:34 AM 73728]
S2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [8/25/2008 6:28 PM 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [8/25/2008 6:28 PM 53328]
S2 gupdate1ca2da3ff288ddd;Google Update Service (gupdate1ca2da3ff288ddd);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2009 2:09 PM 133104]
S3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [6/6/2008 11:31 AM 111616]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [6/6/2008 11:30 AM 235648]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [6/6/2008 11:30 AM 7424]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ECACHE

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-21 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 21:08]

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:09]

2009-10-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\l0d4t1gv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Bob\Netscape6\nppl3260.dll
FF - plugin: c:\users\Bob\Netscape6\nprjplug.dll
FF - plugin: c:\users\Bob\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-08376024 - c:\programdata\08376024\08376024.exe
HKLM-Run-08376024 - c:\progra~2\08376024\08376024.exe
HKLM-RunOnce-<NO NAME> - (no file)

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-21 07:31
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-21 7:34
ComboFix-quarantined-files.txt 2009-10-21 14:34
ComboFix2.txt 2009-10-20 00:01
ComboFix3.txt 2009-10-19 19:44

Pre-Run: 176,080,945,152 bytes free
Post-Run: 176,047,648,768 bytes free

- - End Of File - - E8AF25A91F00B2CC8C60E3839FED6A51


----------



## Cookiegal (Aug 27, 2003)

iltos said:


> i don't understand this


See my post no. 48


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> See my post no. 48


"Cannot export C:look.txt: Error opening file. There may be a disk error or a file system error."


----------



## Cookiegal (Aug 27, 2003)

Not sure what that error means. We're not trying to export it. Are you not able to open the C:\Look.txt file in Notepad by right-clicking on it and selecting Notepad?


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Not sure what that error means. We're not trying to export it. Are you not able to open the C:\Look.txt file in Notepad by right-clicking on it and selecting Notepad?


there is no C:\Look.txt file....so....no 
i'm still in safe mode....does that matter?

here's what i typed
regedit /e C\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Intel\InfInst"
did i mess up the spaces/slashes?


----------



## Cookiegal (Aug 27, 2003)

You didn't put the : between the C and the \ but you should copy and paste it, not type to be sure it's correct.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> You didn't put the : between the C and the \ but you should copy and paste it, not type to be sure it's correct.


thanks ....i tried a c/p....it wouldn't take

but at least i typed it right this time


> Windows Registry Editor Version 5.00
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Intel\InfInst]
> "Infver"="8.2.0"


----------



## Cookiegal (Aug 27, 2003)

Are you sure that's all that's in the Notepad file? There should be more lines below the last one there that look like this:

"reboot"="yes"
"install"="success"
"version"="8.1.1.1010"

Although your last one would probably be a different version.


----------
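The two dumps discussed in this stretch of the thread share one format: the "Reg Loading Points" section ComboFix printed above is REGEDIT4-style text with a trailing `[date size]` or `[X]` annotation on each value, and the file `regedit /e` writes is the same `[key]` / `"name"="value"` layout under a "Windows Registry Editor Version 5.00" header, saved as UTF-16LE with a byte-order mark (which is why a copy-and-paste into a post can misbehave). The following Python is an added example, not code from the thread, ComboFix, HijackThis or Kaspersky. It parses both variants, flags Run/RunOnce values that look like the two orphans ComboFix removed (an all-digit value name launching `08376024.exe` from a same-named folder under ProgramData, the file Kaspersky later reported as Packed.Win32.Krap.x), and checks an exported key for the value names Cookiegal expected under InfInst. The sample dumps are constructed to mirror the logs in this thread; the suspect-directory list and the other heuristics are the example's own assumptions.

```python
"""Triage of a registry autostart dump (added example; not from the thread or its tools).

Handles two inputs seen in this thread:
  * the REGEDIT4-style "Reg Loading Points" section that ComboFix prints, whose
    value lines carry a trailing "[date size]" or "[X]" annotation, and
  * a file written by `regedit /e`, which starts with "Windows Registry Editor
    Version 5.00" and is saved as UTF-16LE with a byte-order mark.
"""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=value  or  @=value, optionally followed by ComboFix's " [annotation]"
VALUE_RE = re.compile(r'^(?:"([^"]*)"|@)\s*=\s*(.*?)\s*(?:\[[^\]]*\])?$')
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Directories a legitimate autostart rarely lives in but a dropped binary usually does.
# progra~2 is the 8.3 short name of ProgramData on this 32-bit Vista box. Heuristic list (assumption).
SUSPECT_DIRS = re.compile(r"\\(programdata|progra~2|users\\[^\\]+\\appdata|temp|tmp)\\", re.IGNORECASE)

def decode_reg(raw: bytes) -> str:
    """regedit /e output is UTF-16LE with BOM; REGEDIT4 dumps are plain ANSI text."""
    return raw.decode("utf-16") if raw.startswith(b"\xff\xfe") else raw.decode("latin-1")

def _unquote(v: str) -> str:
    return v[1:-1] if len(v) >= 2 and v[0] == v[-1] == '"' else v

def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}}; the default value is stored as '@'."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4" or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:        # notes, service lines etc. are ignored
            name = m.group(1) if m.group(1) is not None else "@"
            keys[current][name] = _unquote(m.group(2))
    return keys

def exe_path(value: str) -> str:
    """Executable path from a Run value: honour quoting, otherwise cut at the first -/ switch."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return re.split(r"\s+[-/]", value, maxsplit=1)[0]

def suspicious_autostarts(keys: dict) -> list:
    """(key, name, path, reasons) for every Run/RunOnce value that trips a heuristic."""
    hits = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, value in values.items():
            path = exe_path(value)
            parts = path.split("\\")
            stem = re.sub(r"\.exe$", "", parts[-1], flags=re.IGNORECASE)
            reasons = []
            if name.isdigit():
                reasons.append("all-digit value name")
            if SUSPECT_DIRS.search(path):
                reasons.append("launches from a data/temp directory")
            if len(parts) >= 2 and stem.isdigit() and parts[-2].lower() == stem.lower():
                reasons.append("numeric folder named after its own executable")
            if reasons:
                hits.append((key, name, path, reasons))
    return hits

def missing_values(keys: dict, key_path: str, expected) -> list:
    """Names from `expected` that are absent under key_path (case-insensitive)."""
    for key, values in keys.items():
        if key.lower() == key_path.lower():
            present = {n.lower() for n in values}
            return [n for n in expected if n.lower() not in present]
    return list(expected)                    # key absent: everything is missing

# Constructed sample: the HKCU/HKLM Run keys from the ComboFix log above, with the two
# orphan 08376024 entries put back as they would have looked before ComboFix removed them.
SAMPLE_COMBOFIX = r"""REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"08376024"="c:\programdata\08376024\08376024.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-08-17 81000]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"08376024"="c:\progra~2\08376024\08376024.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"""

# Constructed sample: what `regedit /e` produced for the InfInst key in this thread
# (only Infver present), encoded the way regedit writes it.
SAMPLE_EXPORT = ("\ufeffWindows Registry Editor Version 5.00\r\n\r\n"
                 "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\InfInst]\r\n"
                 "\"Infver\"=\"8.2.0\"\r\n").encode("utf-16-le")
INFINST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Intel\InfInst"
INFINST_EXPECTED = ("Infver", "reboot", "install", "version")   # the names listed in the post above

if __name__ == "__main__":
    for key, name, path, reasons in suspicious_autostarts(parse_reg(SAMPLE_COMBOFIX)):
        print(f"{key}\n  {name} -> {path}\n  {'; '.join(reasons)}")
    print("InfInst missing:", missing_values(parse_reg(decode_reg(SAMPLE_EXPORT)), INFINST_KEY, INFINST_EXPECTED))
```

Run against the constructed dump it reports only the two `08376024` entries (three reasons each) and leaves the vendor autostarts alone; against the constructed export it reports `reboot`, `install` and `version` as missing, which is the situation the thread reached. A real `regedit /e` file can be fed straight in with `open(path, "rb").read()` because `decode_reg` keys off the byte-order mark rather than the extension.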



## iltos (Jun 13, 2004)

Cookiegal said:


> Are you sure that's all that's in the Notepad file? There should be more lines below the last one there that look like this:
> 
> "reboot"="yes"
> "install"="success"
> ...


i just ran it again, Karen, with the same results


----------



## Cookiegal (Aug 27, 2003)

Please update MalwareBytes and run a scan and post that log.


----------



## iltos (Jun 13, 2004)

i had run a scan earlier today: all it found was the file 80whatever from this morning: it was in combofix's quarantine.
i told malwarebytes to ignore it, updated mwb and ran another scan, as you requested

Malwarebytes' Anti-Malware 1.41
Database version: 3008
Windows 6.0.6001 Service Pack 1 (Safe Mode)

10/21/2009 4:37:15 PM
mbam-log-2009-10-21 (16-37-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 245673
Time elapsed: 32 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## Cookiegal (Aug 27, 2003)

Please do an online scan with Kaspersky WebScanner

Kaspersky online scanner uses JAVA technology to perform the scan. If you do not have Java then you will need to go to the following link and download the latest version:

*JRE 6 Update 16 *

Instructions for Kaspersky scan:


Read through the requirements and privacy statement and click on *Accept* button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click *Run*.
When the downloads have finished, click on *Settings*.
Make sure the following is checked. 
*Spyware, Adware, Dialers, and other potentially dangerous programs 
Archives
Mail databases*

Click on *My Computer* under *Scan*.
Once the scan is complete, it will display the results. Click on *View Scan Report*.
You will see a list of infected items there. Click on *Save Report As...*.
Save this report to a convenient place. Change the *Files of type* to *Text file (.txt)* before clicking on the *Save* button.
Please post this log in your next reply.


----------



## iltos (Jun 13, 2004)

3 quarantined items found....is it unusual that none of them have a definition on their site?

here's the report

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, October 21, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, October 22, 2009 02:21:27
Records in database: 3043813
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Objects scanned: 154348
Threats found: 3
Infected objects found: 3
Suspicious objects found: 0
Scan duration: 01:54:13


File name / Threat / Threats count
C:\Qoobox\Quarantine\C\ErosAdv03Full.exe.vir	Infected: Trojan.Win32.Refroso.nxk	1
C:\Qoobox\Quarantine\C\J3rhaO9w.exe.vir	Infected: Trojan.Win32.Antavmu.eqk	1
C:\Qoobox\Quarantine\C\ProgramData\08376024\08376024.exe.vir	Infected: Packed.Win32.Krap.x	1

Selected area has been scanned.


----------



## Cookiegal (Aug 27, 2003)

Those are already quarantined by ComboFix so they are no longer threats.


----------



## Cookiegal (Aug 27, 2003)

Do you know what Intel chipset is in your notebook?


----------



## iltos (Jun 13, 2004)

back in normal mode this morning 

here's a hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:13:17 AM, on 10/22/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Users\Bob\rpbrowserrecordplugin.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca2da3ff288ddd) (gupdate1ca2da3ff288ddd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9630 bytes


----------



## Cookiegal (Aug 27, 2003)

Please run another GMER rootkit scan and post the log.

Also, do you have an i386 folder on this machine?


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Do you know what Intel chipset is in your notebook?


according to my owner's manual, the system chipset is AMD M690T....but it looks like a lot of the 1525s were shipped with AMD processors
according to most places on the internet, it's a mobile Intel g65 express chipset

does that clear it up?


----------



## Cookiegal (Aug 27, 2003)

> Intel g65 express chipset


Are you sure that's not 965?


----------



## Cookiegal (Aug 27, 2003)

Also, do you know your way around the registry at all?


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Are you sure that's not 965?


it depends on your search terms 
search for "dell chipset 1525" and you get a ton of sites talking about the Intel 965 chipset family
but search for dell inspiron 1525 chipset and you get talk back about the Mobile Intel G65 express chipset



Cookiegal said:


> Also, do you know your way around the registry at all?


does that answer your question? 
seriously, i know enough to say i don't know anything....years ago i was directed to replace some registry values here, and apparently did it well....so i'd say i can follow directions 

if you want me to look around and try and find something....that could be a different story...but i'm smart (or stupid) enough to say "lay it on me"


----------



## Cookiegal (Aug 27, 2003)

Please do what's in post no. 67 before we go on so we can see if there's been no change there. If we can't find the right package to install I'm not sure what we can do.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Please do what's in post no. 67 before we go on so we can see if there's been no change there. If we can't find the right package to install I'm not sure what we can do.


GMER just finished....takes much longer in normal mode...the log

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-22 08:17:53
Windows 6.0.6001 Service Pack 1
Running: gmer.exe; Driver: C:\Users\Bob\AppData\Local\Temp\pwldqpow.sys

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[4228] kernel32.dll!ExitProcess 769A3B54 5 Bytes JMP 05051F3E C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[4228] USER32.dll!MessageBoxA 76F8D619 5 Bytes JMP 05051EE8 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)
.text C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe[4228] USER32.dll!MessageBoxW 76F8D667 5 Bytes JMP 05051F13 C:\Program Files\Google\Google Desktop Search\GoogleServices.DLL (Google Desktop/Google)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[660] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00290002
IAT C:\Windows\system32\services.exe[660] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00290000
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74D488B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74D898A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74D4B9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74D3FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74D47A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74D3EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74D7B17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74D4BC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [74D4074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74D406B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74D371B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74DCD848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74D67379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74D3E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74D3697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74D369A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [74D42465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\USERENV.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\PSAPI.DLL [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\[email protected]\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\iaStor \Device\Ide\iaStor0 [8224C6C8] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8224C6C8] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File C:\Users\Bob\AppData\Local\temp\plugtmp\plugin-language.xml 0 bytes
File C:\Users\Bob\AppData\Local\temp\plugtmp\plugin-tween-1.xml 0 bytes
File C:\Users\Bob\AppData\Local\temp\plugtmp\plugin-tween-2.xml 0 bytes
File C:\Users\Bob\AppData\Local\temp\plugtmp\plugin-tween-3.xml 0 bytes
File C:\Users\Bob\AppData\Local\temp\plugtmp\plugin-tween.xml 0 bytes
File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
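
The GMER log above mixes three very different kinds of findings: user-mode IAT hooks that GMER attributes to a named vendor module (the Talkback crash-reporting library inside the Thunderbird process), kernel-mode device dispatch hooks on the iaStor storage driver whose handler sits in an "[unknown section]" behind an inline jump stub, and a file flagged as a "suspicious modification". A triage script that separates these makes it easier to see what in such a log actually needs attention. The following is an added example, not part of the thread or of GMER; the regexes are derived from the line shapes in the log above, the sample input is constructed from a few of those lines (the Thunderbird extension folder name is replaced by the placeholder EXTENSION-ID), and the severity labels are this example's own triage rule: hooks GMER resolves to a described vendor module are reported as informational, unattributed hooks as "review", and kernel device hooks into an unknown section or files GMER itself calls modified as "high".

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the GMER 1.0.15 log above (not the full log).
SAMPLE_LOG = r"""
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [022373CC] C:\Program Files\Mozilla Thunderbird\extensions\EXTENSION-ID\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)
IAT C:\Program Files\Mozilla Thunderbird\thunderbird.exe[5696] @ C:\Windows\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] [02237376] C:\Program Files\Mozilla Thunderbird\extensions\EXTENSION-ID\components\FULLSOFT.DLL (Talkback Library/Full Circle Software, Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\iaStor \Device\Ide\iaStor0 [8224C6C8] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8224C6C8] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EAX, [0xffdf0308]; JMP [EAX+0xfc]}

---- Files - GMER 1.0.15 ----

File C:\Users\Bob\AppData\Local\temp\plugtmp\plugin-language.xml 0 bytes
File C:\Windows\system32\drivers\iastor.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Line shapes as GMER prints them; these patterns are this example's own, derived from the log.
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?\[\d+\])\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<hooker>.+?)(?:\s+\((?P<vendor>[^)]*)\))?$"
)
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+"
    r"(?P<handler>\S+?)(?P<section>\[[^\]]*\])?(?:\s+\{(?P<stub>[^}]*)\})?\s*$"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<note>\d+ bytes|suspicious modification)$")


def triage(log_text: str) -> list:
    """Parse a GMER log and return a list of finding dicts, each with a 'kind' and 'severity'."""
    findings = []
    iat_by_hooker = defaultdict(list)   # group user-mode hooks by the module that installed them
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):   # blank lines and section headers
            continue
        m = IAT_RE.match(line)
        if m:
            iat_by_hooker[(m["hooker"], m["vendor"])].append(m["import"])
            continue
        m = DEVICE_RE.match(line)
        if m:
            # A dispatch handler outside any known section of the driver, reached through an
            # inline stub, is the kernel-level finding that matters most in this log.
            if m["section"] == "[unknown section]" or m["stub"]:
                findings.append({"kind": "device_hook", "severity": "high", "driver": m["driver"],
                                 "device": m["device"], "handler": m["handler"], "stub": m["stub"]})
            continue
        m = FILE_RE.match(line)
        if m and m["note"] == "suspicious modification":
            findings.append({"kind": "file_modified", "severity": "high", "path": m["path"]})
    for (hooker, vendor), imports in iat_by_hooker.items():
        findings.append({"kind": "iat_hooks", "hooker": hooker, "vendor": vendor,
                         "imports": sorted(set(imports)), "count": len(imports),
                         "severity": "info" if vendor else "review"})
    return findings


def high_findings(findings: list) -> list:
    """Only the findings a responder should act on first."""
    return [f for f in findings if f["severity"] == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["severity"].upper(), f["kind"], f.get("handler") or f.get("path") or f.get("hooker"))
```

Run against a saved GMER log with `triage(open("gmer.log", encoding="utf-8", errors="replace").read())`; on the constructed sample it reports the two iaStor device hooks and the modified iastor.sys as high, and the Talkback IAT hooks as one informational group of two imports.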


----------



## Cookiegal (Aug 27, 2003)

So you don't have an i386 folder, right?


----------



## Cookiegal (Aug 27, 2003)

Now that we know we have the right driver package, I'm still a little concerned that the utility that is required first doesn't seem to be properly installed according to the registry key export I had you do. So let's take a look at that key manually.

Please expand the following keys by clicking on the + that appears to the left of each one as you open them.

HKEY_LOCAL_MACHINE
SOFTWARE
Intel

Under Intel, click on InfInst to highlight it and then look in the right-hand pane. Do you see only:

"Infver"="8.2.0"

Or do you see these listed as well?

"reboot"
"install"
"version"


----------



## iltos (Jun 13, 2004)

dell confirms that the storage matrix manager driver in your post 46
http://downloadcenter.intel.com/Deta...17882&lang=eng (v8.9.0.1023)
is the latest 

gotta run out for a bit, cookie....

i'm still unclear about the installation instructions.
looks like i'm in AHCI mode, and it looks like i need to do this


> 5. The 'Intel(R) Chipset Software Installation Utility'
> must be installed prior to installing the Intel(R) Matrix Storage Manager.


would that be this one?
http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProdId=2800&DwnldID=17949&lang=eng


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> So you don't have an i386 folder, right?


right


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Now that we know we have the right driver package, I'm still a little concerned that the utility that is required first doesn't seem to be properly installed according to the registry key export I had you do. So let's take a look at that key manually.
> 
> Please expand the following keys by clicking on the + that appears to the left of each one as you open them.
> 
> ...


let's "pause" here 
i'll check this out when i get back

thanks again to you and Derek....TSG rocks!!!


----------



## Cookiegal (Aug 27, 2003)

OK but I'll post some more instructions for you to catch up on when you return. 

Go to *Start *- *Control Panel* - *System and Maintenance* - *Device Manager *and expand the *System *devices.

In the list you should see your chipset followed by what's written below (all on the same line)

".............................Processor to I/O Controller - 2580"

It should look something like this:

Intel® 915G/P/GV Processor to I/O Controller - 2580

Let me know if you see that and if the numbers for the chipset are the same or not.

Also, the link you posted for the utility is not the correct one. That's a different utility. But there's a chance that we may not need that.


----------



## iltos (Jun 13, 2004)

back for a bit....
it's a dell....nothing follows any conventions that you're familiar with 

as far as opening regedit, the attachment is all that Infver has got in the right pane

in the device manager>system, this looks to be what you're after
Mobile Intel(R) PM965/GM965/GL960 Express Processor to DRAM Controller - 2A00


----------



## iltos (Jun 13, 2004)

ok....out of curiosity, i took a look at "Intel Matrix Storage Manager" in regedit
the old kit version that Dell still has on its site is the LastKitInstalled, and there is a heading for "Install" with a value called "Success"

that help?
screen shot attached

sheesh.....just took another look...there is also something called an 'uninstaller' with a ton of entries in the right pane
the uninstall path is C:\Windows\System32\Imsmudlg.exe


----------



## Cookiegal (Aug 27, 2003)

Yeah, we know that's installed but that's what's harbouring the infected driver we're trying to replace. The problem is, before re-installing the Matrix Storage Manager, we have to be sure the Intel® Chipset Software Installation Utility is installed.

I'm not really sure how to proceed at this point since we're not receiving any help with this. It seems from Device Manager that the Software Installation Utility is installed but the registry doesn't reflect that as it should also have the "success" entry.

I don't know if you should go ahead and try re-installing the Matrix Storage Manager over top and see if it works.


----------



## Cookiegal (Aug 27, 2003)

Maybe you should start a new thread in the Vista forum and explain what we're trying to do and that is, re-install the Intel(R) Matrix Storage Manager but first we have to be sure the Intel® Chipset Software Installation Utility is indeed installed.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Yeah, we know that's installed but that's what's harbouring the infected driver we're trying to replace. The problem is, before re-installing the Matrix Storage Manager, we have to be sure the Intel® Chipset Software Installation Utility is installed.
> 
> I'm not really sure how to proceed at this point since we're not receiving any help with this. It seems from Device Manager that the Software Installation Utility is installed but the registry doesn't reflect that as it should also have the "success" entry.
> 
> I don't know if you should go ahead and try re-installing the Matrix Storage Manager over top and see if it works.


which is the correct utility.....and
what's the downside if i blow it?


----------



## Cookiegal (Aug 27, 2003)

The correct one is the link Derek provided.

I have no idea what could happen and frankly I'm not comfortable having you try it blindly.


----------



## LauraMJ (Mar 18, 2004)

Cookiegal said:


> I have no idea what could happen


Got a hazmat suit??


----------



## Cookiegal (Aug 27, 2003)

LauraMJ said:


> Got a hazmat suit??


A whozmit what? 

Where are all the hardware folks when you need them?


----------



## aka Brett (Nov 25, 2008)

Can he use the download at the dell site?
http://support.dell.com/support/dow...D=INS_PNT_PM_1525&os=WLH&osl=en&catid=&impid=

Expand sata and the first selection

The chipset is also there if needed listed under chipsets


----------



## Cookiegal (Aug 27, 2003)

Hi Brett,

We already know this is the correct download for the Matrix Storage Manager:

http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=17882&lang=eng

Dell confirmed it.

But if you look at the ReadMe text file, it says the Software Installation Utility must be installed before installing the Matrix Storage Manager. And I found instructions on how to find out if the Software Installation Utility is installed via the registry and the required entries were not there. Yet it looks like it is installed in Device Manager, I think.


----------



## aka Brett (Nov 25, 2008)

I think the chipset has that software 
When I have reinstalled the os with the oem disk on my pc which is the same model as iltos...my drivers disk was needed for chipset etc as the windows was pretty bare...So I think the chipset has the basic software needed....then there is also the ricoh driver which is the mass storage controller driver.
So I would put on the chipset
Then Ricoh driver....then video...then the rest.

Some of the drivers on the dell are overgrown so to say...as the video driver, also takes care of the chipset in the event you forget to put it on first.

Anyway he can't hose it, in the event he did hose the sata drivers...there is a place in the bios to go into non ahci mode with a sata hard drive {I used this while using xp on my dell}. Then a person can install the needed files, go back to ahci in bios and reboot.


----------



## iltos (Jun 13, 2004)

LauraMJ said:


> Got a hazmat suit??


are you thinking the debris from the explosion will reach all the way to kentucky?


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> The correct one is the link Derek provided.


this is one of the things that confuses me.....from what i read on the intel site, that link is only the DRIVER download that Dell confirms is the latest
the chipset utility would appear to be the link i posted earlier.



> I have no idea what could happen and frankly I'm not comfortable having you try it blindly.


that would seem a little dumb, wouldn't it?


----------



## Cookiegal (Aug 27, 2003)

The link you posted was the chipset identification utility. It's just a tool to identify your actual chipset.


----------



## iltos (Jun 13, 2004)

aka Brett said:


> Can he use the download at the dell site?
> http://support.dell.com/support/dow...D=INS_PNT_PM_1525&os=WLH&osl=en&catid=&impid=
> 
> Expand sata and the first selection


that's the version 7.5.0.1017 from 2 years ago (it's on my machine)....the version Dell confirmed was Intel's latest is 8.9.0.1023, released in july....that's the one Derek linked to



> The chipset is also there if needed listed under chipsets


that's version 8.2.0.1014 (it's on my machine, too)....but i appreciate you posting it :up:
it gave me a template to find v8.6.0.1006, which looks like the latest version


> http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=14839&lang=eng


....what do you think Cookiegal? if v8.2 is on my machine, isn't that sufficient?...the readme file is identical to v.8.6

from the readme file


> The Intel(R) Chipset Device Software installs Windows*
> INF files to the target system. These files outline to
> the operating system how to configure the Intel(R) chipset
> components in order to ensure that the following features
> ...


----------



## Cookiegal (Aug 27, 2003)

For the Intel® Chipset Software Installation Utility this seems to be the latest one.

http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProdId=816&DwnldID=18052&lang=eng

But it doesn't list your chipset Mobile Intel(R) PM965/GM965/GL960 (I don't know why it lists three different ones).

I think you should call Dell again about this to be sure it's the right one.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> For the Intel® Chipset Software Installation Utility this seems to be the latest one.
> http://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&ProdId=816&DwnldID=18052&lang=eng
> But it doesn't list your chipset Mobile Intel(R) PM965/GM965/GL960 (I don't know why it lists three different ones).


'cause it's a dell 
the more i look into this, the more convinced i am that the 1525 used a variety of processors, chipsets, etc conforming to its general specs, depending on what dell had laying around at the time......

but i rejected v9.1.1.1019 last night for just that reason....went looking further, tho, after your post

from the v9.1.1.1019 release notes


> The Intel® Chipset Device Software contains support for the following Intel Chipsets:
> 
> * Intel® 5 Series Chipsets
> * Intel® 4 Series Chipsets
> ...


from the intel chipset software utility support page


> http://www.intel.com/support/chipsets/inf/sb/CS-009275.htm
> Intel® 900 Series Chipsets (among a bunch of others)
> * Mobile Intel® GL960 Express Chipset
> * Mobile Intel® GM965 Express Chipset
> * Mobile Intel® PM965 Express Chipset


so that seems A-OK 



> I think you should call Dell again about this to be sure it's the right one.


i'm willing....but what about these comments from intel chipset software support? (do we think that the chipset software is also corrupted) 


> http://www.intel.com/support/chipsets/inf/sb/CS-030865.htm
> Do I need to install the Intel Chipset Software Installation Utility then?
> The best rule of thumb is that, unless you are installing an operating system, you don't need to install the Intel Chipset Software Installation Utility. If you do install the Intel Chipset Software Installation Utility after installing the operating system, and the installation program recognizes that some or all of the product names in Device Manager match the product names in the included INF files, it just won't install those INF files.





> http://www.intel.com/support/chipsets/inf/sb/CS-009278.htm?iid=chipsets+infmain&
> Do I need to upgrade to the latest version?
> You do not need to upgrade to the latest version of the Intel® Chipset Software Installation Utility (also known as Intel® Chipset Device Software) unless you are experiencing an issue that is listed under the Issues Resolved section in the release notes for the latest version.
> *If you need to upgrade to the latest version, you will need to install the utility using the have-disk installation method. The setup.exe installation will not install the utility if another version is already installed on your system.*


if i do need to install the software, at least now i have a clue wrt installation method :up:

fwiw, here's the "Resolved Issues" in v9.1.1.1019's release notes 
1. Fixed issue introduced in 9.1.1.1016 that caused INFs not to be installed on x64 bit OSs
2. Fixed issue where 2008 Server R2 was pulling INF from "All" Directory. This was fixed to pull from "Win7" directory
3. Fixes yellow bang issues where NO DRV filter was removing INFs that needed to be loaded
4. Removed the "Vista" directory. The "All" directory contains all necessary INF for supported Oss
5. Fixed issues related to -overall switch
http://downloadmirror.intel.com/18052/eng/relnotes.htm

too much info?
or just enough?


----------



## Cookiegal (Aug 27, 2003)

Not the chipset software itself but the Intel® Chipset Software Installation Utility because it doesn't show "success" in the registry. So we don't know if it's installed properly or not.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Not the chipset software itself but the Intel® Chipset Software Installation Utility because it doesn't show "success" in the registry. So we don't know if it's installed properly or not.


gotcha...i'll call


----------



## iltos (Jun 13, 2004)

while i'm on hold, i ran regedit /e C:\look.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Intel\InfInst" again, just for kicks

it's a tad different this time around 



> Windows Registry Editor Version 5.00
> 
> [HKEY_LOCAL_MACHINE\SOFTWARE\Intel\InfInst]
> "Infver"="8.2.0"
> @=""


almost like something is trying to get out
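
The manual check Cookiegal asked for earlier (open HKEY_LOCAL_MACHINE\SOFTWARE\Intel\InfInst and see whether only "Infver" is there or "reboot", "install" and "version" as well) and the `regedit /e` export quoted just above are the same question asked two ways. An added example, not code from the thread: a small parser for a Windows Registry Editor 5.00 export that reports which of those value names are present under the key. The key path and value names come from the thread; the sample export is constructed in the shape of the quoted one. Two details a practitioner would otherwise trip over are handled: `regedit /e` writes the file as UTF-16 with a byte-order mark (so opening it as plain ASCII shows garbage or NUL bytes), and registry value names are case-insensitive, so the comparison is done case-insensitively.

```python
import codecs
import re

# Key and value names from the thread; whether the last three should exist is the open question.
INFINST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Intel\InfInst"
EXPECTED_VALUES = ("Infver", "reboot", "install", "version")

# Constructed sample reproducing the shape of the export quoted above. regedit /e writes
# UTF-16 with a BOM; Python's "utf-16" codec prepends one, so this mimics the real file.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n"
    "\r\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\InfInst]\r\n"
    "\"Infver\"=\"8.2.0\"\r\n"
    "@=\"\"\r\n"
).encode("utf-16")

# "name"=data or @=data (the key's default value); names may contain escaped quotes/backslashes.
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def decode_export(raw: bytes) -> str:
    """Decode a .reg file: UTF-16 when it carries a BOM, otherwise treat it as 8-bit text (REGEDIT4 style)."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("latin-1")


def decode_data(data: str):
    """Turn textual value data into a Python value: quoted strings and dword:; other types stay verbatim."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return data


def parse_reg_export(text: str) -> dict:
    """Return {key_path: {value_name: data}}; the key's default value is stored under "@"."""
    keys, current, pending = {}, None, ""
    for raw_line in text.splitlines():
        line = pending + raw_line.strip()
        pending = ""
        if line.endswith("\\"):           # hex(...) data wrapped onto the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m["default"] else m["name"].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = decode_data(m["data"])
    return keys


def check_infinst(keys: dict, key: str = INFINST_KEY, expected=EXPECTED_VALUES) -> dict:
    """Report which expected value names exist under the key and which are missing."""
    values = keys.get(key)
    if values is None:
        return {"key_present": False, "found": {}, "missing": list(expected)}
    lower = {name.lower(): name for name in values}    # registry value names are case-insensitive
    return {
        "key_present": True,
        "found": {n: values[lower[n.lower()]] for n in expected if n.lower() in lower},
        "missing": [n for n in expected if n.lower() not in lower],
    }


if __name__ == "__main__":
    print(check_infinst(parse_reg_export(decode_export(SAMPLE_EXPORT))))
```

On a real export, read the file in binary mode so the BOM check works: `check_infinst(parse_reg_export(decode_export(open(r"C:\look.txt", "rb").read())))`. On the constructed sample the report shows the key present with only "Infver" found and "reboot", "install" and "version" missing, which is what the quoted export shows.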


----------



## iltos (Jun 13, 2004)

ok....
dell is no help on this, so far.....i talked to 2 people and they were both less coherent than i am on this.

the first guy just said that i could "install the chipset utility if i wanted to" (no kidding )
and the second said "if there's no error flag in the device manager, then you don't have to do anything"

but neither had the time or -i'm guessing- the knowledge to tell me if the v.9.1.1.1019 intel chipset utility was an upgrade from the version on my machine......

i'll try another route into dell support


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Not the chipset software itself but the Intel® Chipset Software Installation Utility because it doesn't show "success" in the registry. So we don't know if it's installed properly or not.


it doesn't look like confirmation from dell is going to happen 
i've been in normal mode for 4/5 days, without incident :up:
but something weird popped up this morning

in a google search, links to legitimate websites would get redirected to seemingly innocuous domains through one of these


> http://koti.reimari.net/search.php
> http://headstones.com/search.php
> http://securelinux.hackpcweek.com/search.php


avast warned me of the first few and blocked them, then stopped (tho they don't show up in the warning logs)....then the redirects stopped, as well, and google functioned normally.

started all over again with a new google search tab, tho

i've blocked all permissions for these sites in avast

i ran SuperAntiSpyware, without significant result....maybe it's a google thing


----------



## Cookiegal (Aug 27, 2003)

Let's try ComboFix again but drag the one you have to the recycle bin and redownload the latest version.

Please visit *Combofix Guide & Instructions * for instructions for downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.


----------



## iltos (Jun 13, 2004)

downloaded new ComboFix and ran it
the log is below, but twice i got the error message that mbr.cfxxe had stopped working

here's the log....hjt in next post

ComboFix 09-10-26.01 - Bob 10/26/2009 15:26.1.2 - NTFSx86
Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.3573.2442 [GMT -7:00]
Running from: c:\users\Bob\Desktop\puppy.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
.

((((((((((((((((((((((((( Files Created from 2009-09-26 to 2009-10-26 )))))))))))))))))))))))))))))))
.

2009-10-26 22:36 . 2009-10-26 22:36	--------	d-----w-	c:\users\Public\AppData\Local\temp
2009-10-26 22:36 . 2009-10-26 22:36	--------	d-----w-	c:\users\Default\AppData\Local\temp
2009-10-26 22:15 . 2009-10-26 22:17	--------	d-----w-	C:\puppy27512p
2009-10-22 16:13 . 2009-10-22 16:13	--------	d-----w-	c:\programdata\Citrix
2009-10-22 00:57 . 2009-08-20 06:50	22872	----a-r-	c:\windows\system32\AdobePDFUI.dll
2009-10-21 16:32 . 2009-10-21 16:32	552	----a-w-	c:\users\Bob\AppData\Local\d3d8caps.dat
2009-10-21 16:32 . 2009-10-21 16:32	--------	d-----w-	c:\windows\Sun
2009-10-21 14:34 . 2009-10-26 22:36	--------	d-----w-	c:\users\Bob\AppData\Local\temp
2009-10-21 00:35 . 2009-10-21 00:35	--------	d-----w-	c:\program files\SystemRequirementsLab
2009-10-21 00:35 . 2009-10-23 14:57	--------	d-----w-	c:\users\Bob\AppData\Roaming\SystemRequirementsLab
2009-10-20 05:05 . 2009-10-20 05:05	--------	d-----w-	c:\program files\SUPERAntiSpyware
2009-10-19 23:49 . 2009-10-19 23:50	--------	d-----w-	C:\puppy
2009-10-19 19:54 . 2009-10-22 13:14	--------	d-----w-	C:\hjt
2009-10-19 03:49 . 2009-10-19 03:49	--------	d-----w-	c:\users\Bob\AppData\Roaming\Malwarebytes
2009-10-19 03:49 . 2009-09-10 21:54	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-19 03:49 . 2009-10-19 03:49	--------	d-----w-	c:\programdata\Malwarebytes
2009-10-19 03:49 . 2009-10-21 14:09	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-10-19 03:49 . 2009-09-10 21:53	19160	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-10-19 03:04 . 2009-10-19 03:04	--------	d-----w-	c:\users\Bob\AppData\Roaming\SUPERAntiSpyware.com
2009-10-19 03:04 . 2009-10-19 03:04	--------	d-----w-	c:\programdata\SUPERAntiSpyware.com
2009-10-18 23:37 . 2009-10-26 22:18	--------	d-----w-	c:\windows\system32\wbem\repository
2009-10-15 13:26 . 2009-09-14 09:44	144896	----a-w-	c:\windows\system32\drivers\srv2.sys
2009-10-15 13:26 . 2009-09-10 17:30	213504	----a-w-	c:\windows\system32\msv1_0.dll
2009-10-15 13:26 . 2009-08-05 14:22	3597896	----a-w-	c:\windows\system32\ntkrnlpa.exe
2009-10-15 13:26 . 2009-08-05 14:22	3546184	----a-w-	c:\windows\system32\ntoskrnl.exe
2009-10-15 13:26 . 2009-09-04 12:24	61440	----a-w-	c:\windows\system32\msasn1.dll
2009-10-15 13:26 . 2009-04-02 12:37	604672	----a-w-	c:\windows\system32\WMSPDMOD.DLL
2009-10-03 12:00 . 2009-10-01 17:29	195440	------w-	c:\windows\system32\MpSigStub.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-22 16:13 . 2008-08-25 21:39	61224	----a-w-	c:\users\Bob\GoToAssistDownloadHelper.exe
2009-10-22 00:55 . 2008-06-06 15:54	--------	d-----w-	c:\program files\Common Files\Adobe
2009-10-21 16:32 . 2009-05-05 14:25	6648	----a-w-	c:\users\Bob\AppData\Local\d3d9caps.dat
2009-10-18 23:59 . 2009-08-12 17:55	--------	d-----w-	c:\program files\Common Files\Wise Installation Wizard
2009-10-18 23:32 . 2009-03-05 16:51	--------	d-----w-	c:\programdata\HP Product Assistant
2009-09-15 10:59 . 2008-08-26 01:28	1279968	----a-w-	c:\windows\system32\aswBoot.exe
2009-09-15 10:55 . 2008-08-26 01:28	114768	----a-w-	c:\windows\system32\drivers\aswSP.sys
2009-09-15 10:55 . 2008-08-26 01:28	20560	----a-w-	c:\windows\system32\drivers\aswFsBlk.sys
2009-09-15 10:55 . 2008-08-26 01:28	53328	----a-w-	c:\windows\system32\drivers\aswMonFlt.sys
2009-09-15 10:54 . 2008-08-26 01:28	52368	----a-w-	c:\windows\system32\drivers\aswTdi.sys
2009-09-15 10:54 . 2008-08-26 01:28	23152	----a-w-	c:\windows\system32\drivers\aswRdr.sys
2009-09-15 10:53 . 2008-08-26 01:28	97480	----a-w-	c:\windows\system32\AvastSS.scr
2009-09-04 21:09 . 2008-06-06 15:55	--------	d-----w-	c:\program files\Google
2009-09-04 21:08 . 2009-09-04 21:08	--------	d-----w-	c:\programdata\Google Updater
2009-09-04 21:08 . 2009-09-04 21:08	1246328	----a-w-	c:\program files\Google Updater.exe
2009-09-03 18:00 . 2009-09-03 18:00	--------	d-----w-	c:\program files\Microsoft Silverlight
2009-08-29 15:15 . 2009-03-05 14:13	--------	d-----w-	c:\program files\Java
2009-08-28 12:39 . 2009-09-02 13:38	28672	----a-w-	c:\windows\system32\Apphlpdm.dll
2009-08-28 10:15 . 2009-09-02 13:38	4240384	----a-w-	c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-23 21:30 . 2008-08-25 18:20	60376	----a-w-	c:\users\Bob\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-20 06:50 . 2008-04-07 12:38	46928	----a-r-	c:\windows\system32\AdobePDF.dll
2009-08-14 17:07 . 2009-09-12 14:41	897608	----a-w-	c:\windows\system32\drivers\tcpip.sys
2009-08-14 16:29 . 2009-09-12 14:41	104960	----a-w-	c:\windows\system32\netiohlp.dll
2009-08-14 16:29 . 2009-09-12 14:41	17920	----a-w-	c:\windows\system32\netevent.dll
2009-08-14 14:16 . 2009-09-12 14:41	9728	----a-w-	c:\windows\system32\TCPSVCS.EXE
2009-08-14 14:16 . 2009-09-12 14:41	17920	----a-w-	c:\windows\system32\ROUTE.EXE
2009-08-14 14:16 . 2009-09-12 14:41	11264	----a-w-	c:\windows\system32\MRINFO.EXE
2009-08-14 14:16 . 2009-09-12 14:41	27136	----a-w-	c:\windows\system32\NETSTAT.EXE
2009-08-14 14:16 . 2009-09-12 14:41	19968	----a-w-	c:\windows\system32\ARP.EXE
2009-08-14 14:16 . 2009-09-12 14:41	8704	----a-w-	c:\windows\system32\HOSTNAME.EXE
2009-08-14 14:16 . 2009-09-12 14:41	10240	----a-w-	c:\windows\system32\finger.exe
2008-06-06 15:49 . 2008-06-06 15:49	76	--sh--r-	c:\windows\CT4CET.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-09-15 81000]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-23 185872]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2008-03-04 36864]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-06-06 29744]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-03-11 16384]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-12-12 3444736]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-09-07 159744]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-03 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-03 640376]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-6-6 50688]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-9-7 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21	548352	----a-w-	c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-06-06 16:02	10536	----a-w-	c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-308377154-4036065607-1672078067-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000001

R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [8/25/2008 6:28 PM 114768]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [6/6/2008 3:34 AM 73728]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [8/25/2008 6:28 PM 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [8/25/2008 6:28 PM 53328]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [6/6/2008 11:31 AM 111616]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [6/6/2008 11:30 AM 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [6/6/2008 11:30 AM 7424]
S2 gupdate1ca2da3ff288ddd;Google Update Service (gupdate1ca2da3ff288ddd);c:\program files\Google\Update\GoogleUpdate.exe [9/4/2009 2:09 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12	REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt	REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2009-10-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-04 21:08]

2009-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:09]

2009-10-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-09-04 21:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
FF - ProfilePath - c:\users\Bob\AppData\Roaming\Mozilla\Firefox\Profiles\l0d4t1gv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\users\Bob\Netscape6\nppl3260.dll
FF - plugin: c:\users\Bob\Netscape6\nprjplug.dll
FF - plugin: c:\users\Bob\Netscape6\nprpjplug.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

AddRemove-NewProduct 1.00 - c:\program files\Company\NewProduct\Uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-26 15:36
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-10-26 15:39
ComboFix-quarantined-files.txt 2009-10-26 22:39
ComboFix2.txt 2009-10-21 14:34
ComboFix3.txt 2009-10-20 00:01
ComboFix4.txt 2009-10-19 19:44

Pre-Run: 174,670,790,656 bytes free
Post-Run: 174,740,205,568 bytes free

- - End Of File - - 374AD4FED886868BACC755B02209BB62


----------



## iltos (Jun 13, 2004)

the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:55:04 PM, on 10/26/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Users\Bob\rpbrowserrecordplugin.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca2da3ff288ddd) (gupdate1ca2da3ff288ddd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9331 bytes


----------



## Cookiegal (Aug 27, 2003)

I'm sorry but I don't know where to go from here since we have to replace that driver.


----------



## Cookiegal (Aug 27, 2003)

What's the status here Bob? Have you done a reformat?

If not, ComboFix may be able to handle this now.

Let's remove the old version by dragging puppy.exe to the recycle bin.

Then redownload ComboFix and run a new scan.

Please visit *Combofix Guide & Instructions* for instructions for downloading and running ComboFix.

I would like you to rename it to puppy.exe please as you did the last time.


----------



## iltos (Jun 13, 2004)

heh....guess i outta subscribe to my own thread, huh? 

it seems, however, the puppy and my computer are no longer on speaking terms 

ran it twice
the first time it set a restore point and began the scan.....a half hour later, it had not even completed stage 1. and there was no indication it was actually doing anything on my computer (tho the cursor was still blinking in the puppy's blue screen)

i closed the app and rebooted...double checked bleeping computer to make sure i'd done all the right things, and ran puppy again

the second time, it gathered all its info (the red and green bars in a separate window) but it DIDN'T tell me it was setting a restore point (and i thought "well....maybe that's because it already did" ).....

it just began the scan....got to stage 4 and a window popped up telling me it had stopped responding, asking if i wanted to close or find a solution online....i clicked find a solution....and it started scanning again!!

got as far as stage 6 before the screen flashed blue for a sec (with some message that was there and gone so fast i've no idea what it said), and the computer rebooted itself......

i selected "log on normally" from the "windows has shut down unexpectedly" window and all went well......here i am

ignorant as ever


----------



## Cookiegal (Aug 27, 2003)

Did you disable all your security programs before running it?


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Did you disable all your security programs before running it?


everything


----------



## Cookiegal (Aug 27, 2003)

Try running ComboFix in safe mode.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Try running ComboFix in safe mode.


"Combofix has detected the presence of rootkit activity and needs to restart your computer"


----------



## Cookiegal (Aug 27, 2003)

Let it restart.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Let it restart.


sorry....should have said that i clicked "ok" and allowed it to restart in normal mode.
the puppy goes back into its icon.....is it supposed to pick up where it left off?


----------



## Cookiegal (Aug 27, 2003)

It may have completed its processes. Is there a log at C:\combofix.txt?


----------



## iltos (Jun 13, 2004)

nothing quite that simple, i'm afraid

there is a folder at c:\puppy2672p -it's nearly 11megs- that was created about the same time that combofix rebooted the computer from safe mode
i've attached a screen shot of part of its contents, to give you some idea what's in it

the c:\puppy2672p\N_ folder (upper right corner of the screenshot) has a lot of tiny files openable with notepad
i've attached the two largest of those, thinking it might help.


----------



## Cookiegal (Aug 27, 2003)

Try running ComboFix again and if it hangs, call up the Task Manager and end process of any of these if they're there:

FindStr
Vfind
SED
GREP


----------



## iltos (Jun 13, 2004)

in normal mode, it still hangs
can't find any of those processes

in safe mode it finds the rootkit and forces a reboot


----------



## Cookiegal (Aug 27, 2003)

Bob, I've asked for assistance from the developer of ComboFix, sUBS, on this. Please do the following:

You should have a folder in your C: root called Qoobox. Please open that and all of the others shown in the following path and let me know if you see the file name bolded below:

C:\Qoobox\Quarantine\C\Windows\System32\drivers\*iaStor.sys.vir*

If so, then:

Go to the link below and upload that file for analysis and post the results here please:

http://www.virustotal.com/

Also, please remove the version of GMER that you currently have by doing the following:

Go to *Start* - *Run* and copy/paste the following command and run it as administrator:

*C:\WINDOWS\gmer_uninstall.cmd*

Now download the latest version and run a new scan and post that please.

Download GMER from: http://gmer.net/index.php

Save it on your desktop and unzip it.

Double click the gmer.exe to run it and select the rootkit tab and press scan. When the scan is done, click *Copy*. This will copy the report to the clipboard. Paste it into Notepad and save it and also paste the log report back here please.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Bob, I've asked for assistance from the developer of ComboFix, sUBS, on this. Please do the following:
> 
> You should have a folder in your C: root called Qoobox. Please open that and all of the others shown in the following path and let me know if you see the file name bolded below:
> 
> ...


found and uploaded to your link
the initial screen said it had already been scanned on 11/16 (not by me)
the results of that scan are below


> File iastor.sys received on 2009.11.16 15:49:38 (UTC)
> Current status: finished
> Result: 0/41 (0.00%)
> Compact Compact
> ...


there is also an atapi.sys.vir in that folder, which jotti identifies as


> Filename: AUQBCP1C.SYS
> Status:
> Scan finished. 0 out of 19 scanners reported malware.
> File size: 21560 bytes
> ...


would you like the Virustotal results on that, as well?

as to the rest, i'm on it


----------



## Cookiegal (Aug 27, 2003)

Yes, please run both through Virus Total. I originally posted Jotti (out of habit) but sUBs asked for Virus Total scans so I edited my post. Please post both Virus Total logs and the GMER scan log.


----------



## iltos (Jun 13, 2004)

the iastor log file is in #119
atapi.sys.vir had been run on 11/08
the log file of that run is


> File ag8buq5e.sys received on 2009.11.08 08:26:25 (UTC)
> Current status: finished
> Result: 0/40 (0.00%)
> Compact Compact
> ...


now, onto the dismal news
gmer responds in much the same fashion as combofix...it doesn't freeze, but it crashes about a minute into the scan, at a location ominously (to me, anyway) called
"harddisk volume shadow copy 1"
thinking it might help, i save the problem details (the second time it happened)


> Problem signature:
> Problem Event Name:	APPCRASH
> Application Name:	al4edftg.exe _{the random name i gave gmer after the first crash}_
> Application Version:	1.0.15.15227
> ...


shall i give it a shot in safe mode?....the site literature says it's not nearly so effective
'course....it can't be any worse than crashing .


----------



## Cookiegal (Aug 27, 2003)

Try renaming GMER to something else, like DOG and see if it will then run.


----------



## iltos (Jun 13, 2004)

i'm sure it's got nothing to do with the name, but this time, windows shut it down with a reboot following that "blue screen message too fast to see"
the first time, a second after i click "allow"
the second, about 10 seconds into the scan.
let's see if third time is the charm.


----------



## iltos (Jun 13, 2004)

better....stopped working at the same place as last time, which is actually
\device\hardisk\volume shadow copy 1
it doesn't like something in there, it seems

does this look odd to you, karen?
another puppy folder popped up last night, after that last scan
it's not like the others: different icon, different contents....looks like a copy of the entire c\ drive


----------



## Cookiegal (Aug 27, 2003)

It's likely a backup that was created.

We need to confirm the MD5 of the iastor.sys file so please do this:

Highlight and copy the following command:


```
PEV -c##5#b#f# C:\Qoobox\Quarantine\C\Windows\System32\drivers\iaStor.sys.vir
```
Go to *Start* - *All Programs* - *Accessories* and right-click *Command Prompt*, and then click Run as administrator to open a Command Prompt.

Right-click the area where you normally type a command and the text you copied should appear and run the command. Post the results please.


----------



## Cookiegal (Aug 27, 2003)

I have to go out for a while so I'll check back later.


----------



## iltos (Jun 13, 2004)

> Microsoft Windows [Version 6.0.6001]
> Copyright (c) 2006 Microsoft Corporation. All rights reserved.
> 
> C:\Windows\system32>PEV -c##5#b#f# C:\Qoobox\Quarantine\C\Windows\System32\drivers\iaStor.sys.vir
> ...


the results are in blue, followed by a new prompt


----------



## Cookiegal (Aug 27, 2003)

OK that's good. I'm going to have further instructions for you when I get back.


----------



## iltos (Jun 13, 2004)

thing is about that puppy folder, it's nested endlessly in each puppy folder
how's that work when you run a scan?


----------



## Cookiegal (Aug 27, 2003)

I don't really understand what you mean about the puppy and scans. 

I'm attaching a Bob.zip file to this post. Save it to your desktop. Unzip it and double click the Bob.bat file it contains and run the batch file.

Then see if you can run a scan with ComboFix in normal mode and if so post the log.


----------



## Cookiegal (Aug 27, 2003)

Also, run a GMER scan please.


----------



## iltos (Jun 13, 2004)

combofix shut down as before, just a few seconds after posting the "this may take 10 minutes, etc" notice
this time, however, the "close the program" window didn't immediately close it....it took at least 5 minutes, and hung up everything in the meantime...not hung up, really....just slowed response time WAY down....at one point i had clicked "restart" without success...but when combofix finally closed, the computer immediately shut down.

restarted without a hitch....maybe even a little faster.

so....that happened twice....one before, and a second time after the GMER scan......which worked!!!:up:

here's the log


> GMER 1.0.15.15227 - http://www.gmer.net
> Rootkit scan 2009-11-19 16:00:17
> Windows 6.0.6001 Service Pack 1
> Running: dog.exe; Driver: C:\Users\Bob\AppData\Local\Temp\pwldqpow.sys
> ...


are those unfound files 'cause of the batch file....or something else?
and what's process W?
and iastor listings under devices are gone....i'm bettin that was planned


----------



## Cookiegal (Aug 27, 2003)

The GMER log looks good with no sign of suspicious driver activity. :up:

Download *OTS.exe* to your Desktop and double-click on it to extract the files. It will create a folder named *OTS* on your desktop.

Close any open browsers.
If your Real protection or Antivirus interferes with OTS, allow it to run.
Open the *OTS* folder and double-click on *OTS.exe* to start the program.
In the *Additional Scans* section put a check in Disabled MS Config Items and EventViewer logs
Now click the *Run Scan* button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file.
Use the *Reply* button, scroll down to the attachments section and attach the notepad file here.


----------



## iltos (Jun 13, 2004)

have i mentioned recently how much i admire, respect, and appreciate you hanging with this, Karen?.....thank you so much 

now THIS is a log!!! there's a part of me that's fascinated by what it all means, and what you're looking for.....and a part of me that gets fried just looking at it 

i did go through it though....looks like i've tried to download something called "sports schedule" three times since june 
never heard of it.....and i seriously doubt they are the result of the boyfriend 

also, what's with all the "files not found"?

anyway....the log

...................

heh....it's attached....twice the size of anything allowed in a post 
i wasn't supposed to scan JUST the event log and msconfig, was i?


----------



## Cookiegal (Aug 27, 2003)

Start *OTS*. Copy/Paste the information in the code box below into the pane where it says *"Paste fix here"* and then click the "Run Fix" button.

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log please.


```
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YN -> "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" [HKLM] -> Reg Error: Key error. []
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\\J3rhaO9w.exe" -> C:\J3rhaO9w.exe [C:\\J3rhaO9w.exe:*:Enabled:Windows Messanger]
YN -> "C:\Users\Bob\Desktop\ThePhoneCall.exe" -> C:\Users\Bob\Desktop\ThePhoneCall.exe [C:\Users\Bob\Desktop\ThePhoneCall.exe:*:Enabled:Windows Messanger]
[Files/Folders - Created Within 30 Days]
NY ->  1 C:\Windows\*.tmp files -> C:\Windows\*.tmp
[Files/Folders - Modified Within 30 Days]
NY ->  273 C:\Users\Bob\AppData\Local\temp\*.tmp files -> C:\Users\Bob\AppData\Local\temp\*.tmp
NY ->  1 C:\Windows\*.tmp files -> C:\Windows\*.tmp
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
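
The two firewall-exception values in the fix above deserve a second look on their own: a randomly named executable in the drive root and another on the desktop, both registered under the misspelled display name "Windows Messanger". As an added example (not OTS's code and not from anyone in this thread), the Python below parses such AuthorizedApplications values and flags exactly those patterns; the KNOWN_NAMES list, the heuristics and the benign Firefox entry are assumptions.

```python
r"""Flag suspicious Windows Firewall "AuthorizedApplications" entries.

Added example, not code from OTS or from anyone in this thread.  On Vista each
value under
  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy
    \StandardProfile\AuthorizedApplications\List
has the form  "<path>:<scope>:Enabled|Disabled:<display name>".  Running it
over exported values shows which exceptions deserve a closer look.
"""
import difflib
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample input: the two values quoted in the OTS fix above (OTS
# prints the drive-root path with a doubled backslash) plus one benign
# Firefox entry that is assumed, not taken from the thread.
SAMPLE_ENTRIES = [
    r"C:\\J3rhaO9w.exe:*:Enabled:Windows Messanger",
    r"C:\Users\Bob\Desktop\ThePhoneCall.exe:*:Enabled:Windows Messanger",
    r"C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Mozilla Firefox",
]

# Display names of genuine Windows components that exceptions often imitate
# (assumed list; extend it from a clean reference machine).
KNOWN_NAMES = ["Windows Messenger", "Windows Media Player", "Remote Assistance"]

ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<status>Enabled|Disabled):(?P<name>.*)$"
)
DRIVE_ROOT_RE = re.compile(r"[A-Za-z]:\\[^\\]+")     # C:\file.exe, nothing deeper
RANDOM_NAME_RE = re.compile(r"(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,12}")
USER_WRITABLE = ("\\desktop\\", "\\temp\\", "\\appdata\\local\\")


@dataclass
class Entry:
    path: str
    scope: str
    status: str
    name: str
    flags: List[str] = field(default_factory=list)


def parse_entry(value: str) -> Entry:
    """Split one registry value into its four fields."""
    value = value.replace("\\\\", "\\")          # undo OTS's escaped backslashes
    m = ENTRY_RE.match(value)
    if m is None:
        raise ValueError(f"not an AuthorizedApplications value: {value!r}")
    return Entry(m["path"], m["scope"], m["status"], m["name"])


def suspicious_flags(e: Entry) -> List[str]:
    """Heuristic checks a responder would otherwise apply by eye; order is stable."""
    flags = []
    lower_path = e.path.lower()
    stem = e.path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if DRIVE_ROOT_RE.fullmatch(e.path):
        flags.append("executable in drive root")
    if any(seg in lower_path for seg in USER_WRITABLE):
        flags.append("executable in user-writable folder")
    if RANDOM_NAME_RE.fullmatch(stem):
        flags.append("random-looking file name")
    for known in KNOWN_NAMES:
        if e.name.lower() == known.lower():
            continue                                  # exact match: nothing to flag here
        ratio = difflib.SequenceMatcher(None, e.name.lower(), known.lower()).ratio()
        if ratio >= 0.85:                             # near miss = typo-squatted name
            flags.append(f"display name imitates '{known}'")
    return flags


def audit(values: List[str]) -> List[Entry]:
    """Parse every value and attach the flags it triggers."""
    entries = [parse_entry(v) for v in values]
    for e in entries:
        e.flags = suspicious_flags(e)
    return entries


if __name__ == "__main__":
    for e in audit(SAMPLE_ENTRIES):
        verdict = "; ".join(e.flags) or "no findings"
        print(f"{e.path}  [{e.status}, {e.name!r}]  -> {verdict}")
```

On a live system the values would come from `reg export` of the List key rather than the constructed sample.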


----------



## Cookiegal (Aug 27, 2003)

The Sports Schedule thing you mentioned is actually Spont Schedule and there is a folder with that name on your desktop. Do you not recognize that? I see there's also a pdf file with that name in it as below:

So do you recognize all of these on your desktop? If not, open the ones that are folders and let me know the names of any files they contain please.

C:\Users\Bob\Desktop\spont festival - folder
C:\Users\Bob\Desktop\09-10 scoring - folder
C:\Users\Bob\Desktop\sycamore.ods - file
C:\Users\Bob\Desktop\spont_quick_challenges.pdf - file


----------



## iltos (Jun 13, 2004)

OTS log....took a while....lots of things in temp folders


> All Processes Killed
> [Registry - Safe List]
> Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
> Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
> ...


hijack log to follow


----------



## iltos (Jun 13, 2004)

hijack log


> Logfile of Trend Micro HijackThis v2.0.2
> Scan saved at 4:10:02 PM, on 11/20/2009
> Platform: Windows Vista SP1 (WinNT 6.00.1905)
> MSIE: Internet Explorer v7.00 (7.00.6001.18294)
> ...


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> The Sports Schedule thing you mentioned is actually Spont Schedule and there is a folder with that name on your desktop. Do you not recognize that? I see there's also a pdf file with that name in it as below:


heh....i told you i get fried just looking at these logs 



> So do you recognize all of these on your desktop? If not, open the ones that are folders and let me know the names of any files they contain please.
> 
> C:\Users\Bob\Desktop\spont festival - folder
> C:\Users\Bob\Desktop\09-10 scoring - folder
> ...


yeah....they're all good...even the "sport schedule" ....part of that kids program i work with


----------



## Cookiegal (Aug 27, 2003)

Uninstall GMER using this method:

Go to Start - Run and copy/paste the following command and run it as administrator:

C:\WINDOWS\gmer_uninstall.cmd

*Then follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Then let's download the latest ComboFix again but this time rename it kitty.exe.

Please visit *Combofix Guide & Instructions* for instructions for downloading and running ComboFix.

Be sure to disable all security programs and close all browser windows before scanning.


----------



## iltos (Jun 13, 2004)

running either command gives back this big red X from windows

"windows cannot find -either gmer or combofix- please be sure you typed, yada yada"

i tried renaming them back to their originals without success


----------



## Cookiegal (Aug 27, 2003)

OK, please drag GMER (dog.exe) to the recycle bin.

Then download it again but this time don't download the zipped file but click on the "Download exe" button and download it to your desktop. There's no need to rename this one. Just double-click on it and run it.

http://www.gmer.net/

Make sure everything on the right side at the top is checked and just below only the C drive if there are others listed. The "show all" button should also be unchecked (it will likely be grayed out and not clickable though).

Then run a new scan and post the results please.


----------



## iltos (Jun 13, 2004)

arrrgh
the first time with GMer, windows shut down to prevent damage, etc....and i got that blue screen again, but it stuck around long enough to catch this
*pwlpqpow.sys*...but i'm guessing on the .sys part
that happened somewhere in the Drivers folder 

the second time GMer got all the way to the volume shadow copy before it stopped working


----------



## iltos (Jun 13, 2004)

here's the event log of that error


> - <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
> - <System>
> <Provider Name="Microsoft-Windows-CodeIntegrity" Guid="{4ee76bd8-3cf4-44a0-a0ac-3937643e37a3}" />
> <EventID>3001</EventID>
> ...


----------



## Cookiegal (Aug 27, 2003)

Let's see if we can get this one to run.


Download RootRepeal from the following location and save it to your desktop.
*Zip Mirrors*
Primary Mirror
Secondary Mirror
Secondary Mirror


Extract RootRepeal.exe from the archive.
Open RootRepeal on your desktop.
Click the Report tab.
Click the Scan button.
Check all seven boxes
Push Ok
Check the box for your main system drive (usually C), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


----------



## iltos (Jun 13, 2004)

the report's a tad too long to post
it's attached


----------



## Cookiegal (Aug 27, 2003)

Download *mbr.exe* and save it to the C: drive.

Double-click the mbr.exe and run it. It will produce a log located at C:\mbr.log. Please copy and paste the contents.

Also, do this:

Please download *DDS* and save it to your desktop.

Disable any script blocking protection
 Double click dds.scr to run the tool.
When done, DDS.txt will open.
Click *Yes* at the next prompt for *Optional Scan*.
Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

*DDS.txt*

Please attach the second file; _*Attach.txt*_.


----------



## iltos (Jun 13, 2004)

mbr.exe stops working, dumping this .txt file onto the desktop


> Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
> 
> device: opened successfully
> user: MBR read successfully
> ...


there's nothing at C:\mbr.log
here's the error details


> Application Timestamp:	4add81e3
> Fault Module Name:	mbr.exe
> Fault Module Version:	0.0.0.0
> Fault Module Timestamp:	4add81e3
> ...


here's the DDS log
the ATTACH log is.....attached 



> DDS (Ver_09-10-26.01) - NTFSx86
> Run by Bob at 21:36:43.17 on Sat 11/21/2009
> Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_15
> Microsoft® Windows Vista Home Premium 6.0.6001.1.1252.1.1033.18.3573.2013 [GMT -8:00]
> ...


----------



## Cookiegal (Aug 27, 2003)

It seems the mbr.log file would be in the same directory as where you saved the mbr.exe. But the result shows it's fine.

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under Attachments, or you can get it from one of the mirrors).

http://sites.google.com/site/sysprotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.


Click on the Log tab.
In the Write to log box select all items.
Click on the Create Log button on the bottom right.
After a few seconds a new Window should appear.
Make sure Scan all drives is selected and click on the Start button.
When it is complete a new Window will appear to indicate that the scan is finished.
The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.


----------



## iltos (Jun 13, 2004)

let's see if it fits....
nope....it's attached 

question....one process listing is *dumb_iastor*
is that the result of the batch file you provided a day or so back?


----------



## Cookiegal (Aug 27, 2003)

It's actually "dump" not "dumb" LOL  and those are normal.

I don't see any malicious driver activity.

But something is amiss since you still can't run GMER and ComboFix.

Let's try clearing out all temporary stuff.

*Click here* to download ATF Cleaner by Atribune and save it to your desktop.
Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
*If you use Firefox:*
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


*If you use Opera:*
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.


Click *Exit* on the Main menu to close the program.

Then follow the instructions in this MS article to do a clean boot (just do step 1). Take note of the items that were checked under both tabs so you can put them back the way they were afterwards.

http://support.microsoft.com/kb/929135

Then reboot the computer.

Now see if you can get GMER to complete a full scan.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> It's actually "dump" not "dumb" LOL  and those are normal.


no...it's dumb 
trust me 

so i ran the cleaner, downloaded a fresh version of GMer, and gave it a shot
it stopped working at the shadow volume 

but i ran it again, and it got through the shadow volume....all 22 of them!!....what are they: restore points?

GMer bounced around inside them for a while and then continued on, completing the scan
here's the log


> GMER 1.0.15.15252 - http://www.gmer.net
> Rootkit scan 2009-11-22 19:51:07
> Windows 6.0.6001 Service Pack 1
> Running: irjgkgum.exe; Driver: C:\Users\Bob\AppData\Local\Temp\pwldqpow.sys
> ...


----------



## Cookiegal (Aug 27, 2003)

OK, that's better. 

Now, see if you can get ComboFix to run but as always, delete the current one and redownload it. CF gets updated frequently.


----------



## iltos (Jun 13, 2004)

this is odd
combofix "stopped working" after the notification about how long it takes to run
i clicked on "close the program" and it scanned the computer!!! 

the log is attached.....because
everything i click to open is "an illegal operation on a registry key marked for deletion"...if i run anything as an administrator, it will open (like firefox).....but i'm leaving this computer on until i hear from you.....


----------



## Cookiegal (Aug 27, 2003)

Bob, a reboot should take care of that error message.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> Bob, a reboot should take care of that error message.


duh ....thanks
i knew that ....combofix takes administrator rights
funny tho how much i learn about the paths available on this machine when i'm thoroughly confused....like last night
wish i remembered how i managed to turn avast and defender and the firewall back on...there wasn't a "security center" in the control panel

but i'm feelin' fuzzy...looks like i'm spending the holiday with the flu 

how's the log look?


----------



## Cookiegal (Aug 27, 2003)

It looks good but there's one thing I want to check. Did you just install RealPlayer SP Gold or run updates on it?


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> It looks good but there's one thing I want to check. Did you just install RealPlayer SP Gold or run updates on it?


funny you should ask...somewhere in all of this (within the last couple of days) i was provided with a RealPlayer update window...

i checked "not now: remind me in 14 days", remembering that new entries in logs just confuse things

i assume anything called "gold" costs money......not even interested.


----------



## Cookiegal (Aug 27, 2003)

Open HijackThis and click on the *Open Misc Tools section* button. Click on the *Open Uninstall Manager* button. Click the *Save List* button. Save the list then copy and paste it here.


----------



## iltos (Jun 13, 2004)

32 Bit HP CIO Components Installer
Acrobat.com
Acrobat.com
Add or Remove Adobe Creative Suite 3 Design Standard
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe Acrobat 9 Pro - English, Français, Deutsch
Adobe Acrobat 9.2.0 - CPSID_50026
Adobe AIR
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe BridgeTalk Plugin CS3
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Creative Suite 3 Design Standard
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe InDesign CS3
Adobe InDesign CS3 Icon Handler
Adobe Linguistics CS3
Adobe MotionPicture Color Files
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Setup
Adobe Shockwave Player 11.5
Adobe SING CS3
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe Version Cue CS3 Server
Adobe WAS CS3
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
ADRIFT
Advanced Audio FX Engine
Advanced Video FX Engine
AHV content for Acrobat and Flash
Apple Software Update
avast! Antivirus
Browser Address Error Redirector
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Conexant HDA D330 MDC V.92 Modem
DAZ Studio 3
Dell DataSafe Online
Dell Getting Started Guide
Dell Support Center (Support Software)
Dell Webcam Center
Dell Webcam Manager
Digital Line Detect
EDocs
FastStone Capture 6.2
Google Desktop
Google Earth
Google Update Helper
Google Updater
GoToAssist 8.0.0.514
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Customer Participation Program 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Photosmart All-In-One Software 9.0
HP Photosmart Essential 2.01
HP Product Assistant
HP Smart Web Printing
HP Solution Center 9.0
HP Update
HPSSupply
Intel(R) Matrix Storage Manager
IrfanView (remove only)
Java(TM) 6 Update 15
jZip
Laptop Integrated Webcam Driver (1.04.01.1011) 
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Malwarebytes' Anti-Malware
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Modem Diagnostic Tool
Mozilla Firefox (3.0.10)
Mozilla Thunderbird (2.0.0.23)
MSXML 4.0 SP2 (KB954430)
Music, Photos & Videos Launcher
NetWaiting
Odyssey Scoring 2009 v4
OpenOffice.org 3.1
OutlookAddinSetup
PDF Settings
Product Documentation Launcher
QuickSet
QuickTime
Roxio Creator Audio
Roxio Creator Copy
Roxio Creator Data
Roxio Creator DE
Roxio Creator DE
Roxio Creator Tools
Roxio Update Manager
SUPERAntiSpyware Free Edition
System Requirements Lab
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Vista Shortcut Manager
WD Diagnostics
Windows Media Player Firefox Plugin
Windows Sidebar Styler
Yahoo! Messenger


----------



## Cookiegal (Aug 27, 2003)

OK, that RealPlayer stuff is free and gets installed with the Google stuff you have and you have the Google updater scheduled to run automatically so we'll leave those.

How are things with the system now?

Your *Java* is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version of *Java* components and upgrade the application.

*Upgrading Java*:


Download the latest version of *Java Runtime Environment (JRE) 6 Update 17 *.
Click the "*Download*" button to the right.
Select your Platform and check the box that says: "*I agree to the Java SE Runtime Environment 17 License Agreement.*".
Click on *Continue*.
Click on the link to download Windows Offline Installation (jre-6u17-windows-i586.exe) and save it to your desktop. *Do NOT use the Sun Download Manager.*
Close any programs you may have running - especially your web browser.
Go to *Start* > *Control Panel*, double-click on *Add/Remove *programs and remove all older versions of Java.
Check any item with * Java Runtime Environment, JRE, J2SE or Java(TM)* in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.

This is the only older version of Java that you need to remove:

*Java(TM) 6 Update 15*

Could you please post one last HijackThis log and I think we can wrap this up.


----------



## iltos (Jun 13, 2004)

Cookiegal said:


> OK, that RealPlayer stuff is free and gets installed with the Google stuff you have and you have the Google updater scheduled to run automatically so we'll leave those.
> 
> How are things with the system now?


aside from the problem that prompted this thread, the only evidence i've seen of anything wonky were the problems it had with combofix and GMer, and some redirects in firefox that only happened when they felt like it....rarely and irritatingly...they didn't hijack the browser: they were just insistent for a couple of clicks

the batch file you gave me has cleared all that up :up:
so i'll mark this solved 

thanks for the heads up on java and realplayer....i guess those settings have changed...my preference is always "notify me" 

thanks for hangin with me through this


----------



## Cookiegal (Aug 27, 2003)

This startup entry might be responsible as well as it's to run RealPlayer updates (TkBellExe).

You should trim down your startups as there are many showing in the last log posted that aren't required. I don't know if you've put them all back since doing the clean boot or not. Here are links where you can research them to see if they need to run at startup or not.

http://www.systemlookup.com/lists.php?list=2
http://www.bleepingcomputer.com/startups/
http://www.windowsstartup.com/wso/index.php

I suspect the clean boot and/or deleting temp files is what allowed those programs to run as something was interfering.

Here are some final instructions for you.

*Follow these steps to uninstall Combofix and all of its files and components.*

 Click *START* then *RUN*
 Now type *ComboFix /uninstall* in the runbox and click *OK*. Note the *space* between the *X* and the *U*, it needs to be there.

Now you should turn system restore off to flush out all previous system restore points, then turn it back on and create a new restore point:

Click on the Start button to open your Start Menu. 
Click on the Control Panel menu option.
Click on the System and Maintenance menu option.
Click on the System menu option.
Click on System Protection in the left-hand task list.

You will now be at the System Protection tab in the System control panel.

Clear the check box next to the disk to turn off System Protection, and then click OK. This will flush out all previous restore points.

Now select the check box next to the disk, and then click OK to turn system restore back on.

Now create a new restore point. Click on the Create button. When you press this button a prompt will appear asking you to provide a title for this manual restore point.

Type in a title for the manual restore point and press the Create button. Vista will now create a manual restore point, and when completed, display a notice saying that it was created successfully.

I also recommend downloading *SPYWAREBLASTER* for added protection.


----------



## iltos (Jun 13, 2004)

that uninstall command doesn't work on my machine....i get a message saying "windows can't find the program"

i'm typing *Combofix(then a space)/uninstall*
is there any reason i can't delete the puppy folders that were created during the time Combofix wasn't completing its scans?

thanks for the advice on startup....i hadn't really considered how much junk i've got running


----------



## Cookiegal (Aug 27, 2003)

Yes, delete all the puppy folders and the following one as well:

*C:\Qoobox*

Drag the puppy.exe from your desktop to the recycle bin.


----------



## iltos (Jun 13, 2004)

i just realized you asked for a final hjt log

haven't felt like dealing with the startup issues yet 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:21 PM, on 11/26/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\igfxtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell Support Center\bin\sprtcmd.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hjt\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: HP Print Clips - {053F9267-DC04-4294-A72C-58F732D338C0} - C:\Program Files\HP\Smart Web Printing\hpswp_framework.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Users\Bob\rpbrowserrecordplugin.dll
O2 - BHO: EmailBHO - {647FD14A-C4F1-46F4-8FC3-0B40F54226F7} - C:\Program Files\jZip\WebmailPlugin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [DellSupportCenter] "C:\Program Files\Dell Support Center\bin\sprtcmd.exe" /P DellSupportCenter
O4 - HKLM\..\Run: [DELL Webcam Manager] "C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe" /s
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\Windows\system32\WLTRAY.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe
O4 - HKLM\..\Run: [Adobe_ID0EYTHM] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Adobe Acrobat Speed Launcher] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: HP Clipbook - {58ECB495-38F0-49cb-A538-10282ABF65E7} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O9 - Extra button: HP Smart Select - {700259D7-1666-479a-93B1-3250410481E8} - C:\Program Files\HP\Smart Web Printing\hpswp_extensions.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.801.7324 (GoogleDesktopManager-010708-104812) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: Google Update Service (gupdate1ca2da3ff288ddd) (gupdate1ca2da3ff288ddd) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: SupportSoft Sprocket Service (dellsupportcenter) (sprtsvc_dellsupportcenter) - SupportSoft, Inc. - C:\Program Files\Dell Support Center\bin\sprtsvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9517 bytes
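
Cookiegal's advice a few posts up to review the startup entries, and the HijackThis log just posted, both come down to the same triage: pull the executable path out of each O2/O4/O20/O23 line and look hardest at anything loading from outside Program Files or the Windows directory (for instance the RealPlayer BHO above, which sits directly under C:\Users\Bob). The script below is an added example, not part of the thread and not code from HijackThis or any of the tools named here. The log lines it contains are constructed to mirror the format of the posted log; the HKCU entry pointing into a Temp folder is invented purely to exercise the check, and the "trusted prefix" list is an assumption a reviewer would tune to the machine.

```python
"""Triage a HijackThis-style log: extract the binary path from each startup,
BHO, AppInit and service line and flag those outside the usual program
directories. Added example; sample lines are constructed, not copied evidence."""
import re
from typing import Optional

# Sections whose lines carry a loadable binary worth locating on disk.
TRIAGE_SECTIONS = {"O2", "O3", "O4", "O20", "O23"}

# Expected install roots (assumption: tune per machine). Lower-case, with a
# trailing backslash so "c:\windows\..." does not match "c:\windowsx\...".
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")

# 8.3 short names and the %ProgramFiles% variable appear verbatim in HJT logs;
# normalise them before comparing against TRUSTED_PREFIXES.
SHORT_NAME_MAP = {
    "c:\\progra~1": "c:\\program files",
    "%programfiles%": "c:\\program files",
}

SECTION_RE = re.compile(r"^(O\d+|R\d+|F\d+) - ")
# A drive-letter or %ProgramFiles% path, non-greedy up to the first binary
# extension, so trailing arguments such as "-osboot" are not captured.
PATH_RE = re.compile(
    r"((?:[A-Za-z]:|%ProgramFiles%)\\.*?\.(?:exe|dll|lnk|sys))", re.IGNORECASE
)
STARTUP_SCOPE_RE = re.compile(r"^O4 - (HKLM|HKCU|Global Startup|Startup)")

# Constructed sample in the posted log's format. The HKCU "SampleUpdater"
# line is invented to show an entry the check should flag.
SAMPLE_LOG = r"""
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Users\Bob\rpbrowserrecordplugin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SampleUpdater] C:\Users\Bob\AppData\Local\Temp\updater.exe
O4 - Global Startup: QuickSet.lnk = C:\Program Files\Dell\QuickSet\quickset.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE
""".strip()


def normalize_path(path: str) -> str:
    """Lower-case, strip quotes and expand the short forms HJT leaves in."""
    p = path.strip('"').lower()
    for short, full in SHORT_NAME_MAP.items():
        if p.startswith(short):
            p = full + p[len(short):]
    return p


def is_trusted(norm_path: str) -> bool:
    """True when the normalised path lives under an expected install root."""
    return norm_path.startswith(TRUSTED_PREFIXES)


def parse_line(line: str) -> Optional[dict]:
    """Return section, normalised path and trust verdict, or None if the line
    is not a triaged section or carries no recognisable binary path."""
    sec = SECTION_RE.match(line)
    if not sec or sec.group(1) not in TRIAGE_SECTIONS:
        return None
    hit = PATH_RE.search(line)
    if not hit:
        return None
    path = normalize_path(hit.group(1))
    return {"section": sec.group(1), "path": path, "trusted": is_trusted(path), "raw": line}


def triage(log_text: str) -> list:
    """Entries loading from outside the trusted roots, in log order."""
    parsed = (parse_line(l) for l in log_text.splitlines())
    return [e for e in parsed if e and not e["trusted"]]


def startup_summary(log_text: str) -> dict:
    """Count O4 autostart entries per scope (HKLM, HKCU, Global Startup...)."""
    counts: dict = {}
    for line in log_text.splitlines():
        m = STARTUP_SCOPE_RE.match(line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    print("Autostart entries by scope:", startup_summary(SAMPLE_LOG))
    for entry in triage(SAMPLE_LOG):
        print(f"REVIEW [{entry['section']}] {entry['path']}")
```

A flagged path is a prompt to look, not a verdict: the RealPlayer plugin under the user profile is exactly the kind of entry Cookiegal asked about, and the right follow-up is checking the file's publisher and install date rather than deleting on sight. Extending TRUSTED_PREFIXES with a machine's other legitimate install roots keeps the output short enough to act on.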


----------



## Cookiegal (Aug 27, 2003)

That's OK. I had gone back and checked your last log posted and didn't think there would be any changes. This one looks fine as well.


----------

