Search Engine Redirect/Malware Removal Help Needed

Extras.txt

OTL Extras logfile created on: 4/2/2010 10:41:30 PM - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Users\Jesse\Desktop
Windows Vista Ultimate Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18813)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 67.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 84.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 111.79 Gb Total Space | 60.00 Gb Free Space | 53.67% Space Free | Partition Type: NTFS
Drive D: | 40.04 Gb Total Space | 29.43 Gb Free Space | 73.51% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 3.68 Gb Total Space | 0.01 Gb Free Space | 0.16% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
Drive J: | 3.00 Gb Total Space | 2.22 Gb Free Space | 74.09% Space Free | Partition Type: NTFS

Computer Name: LAPTOP
Current User Name: Jesse
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1
"FirewallDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 1
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-222641873-1350462184-214149500-1000]
"EnableNotifications" = 0
"EnableNotificationsRef" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{35D342C3-71C0-4287-8B3F-34105E47EFCA}" = lport=5353 | protocol=6 | dir=in | name=adobe csi cs4 |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{1FB30F2C-1890-465A-9F7B-56FC3DB19DBE}" = protocol=17 | dir=in | app=c:\users\jesse\appdata\local\google\google talk plugin\googletalkplugin.dll |
"{387601AA-E199-41E4-B6F4-013167202BC4}" = dir=in | app=c:\program files\rosetta stone\rosetta stone version 3\support\bin\win\rosettastoneltdservices.exe |
"{3EE635CC-DE56-4DA7-84EF-5DDF373EBDF5}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{4B72DB94-AA89-41F7-8FB1-E6B50700D494}" = protocol=6 | dir=in | app=c:\users\jesse\appdata\local\google\google talk plugin\googletalkplugin.dll |
"{4F4F634F-62A1-4366-BDCB-24D2907874FD}" = dir=in | app=c:\program files\rosetta stone\rosetta stone version 3\rosettastoneversion3.exe |
"{4F6C53F5-8FD2-458C-A9E5-36447FA7A311}" = protocol=6 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{6B5DD9B8-6AC8-4DDC-845D-11687373C47A}" = protocol=17 | dir=in | app=c:\program files\common files\adobe\cs4servicemanager\cs4servicemanager.exe |
"{707F7482-3F30-4E83-A737-F0558AF22BB4}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{72172EE1-F664-4083-930C-C3F88767218B}" = protocol=6 | dir=in | app=c:\users\jesse\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{7E6697BF-C34C-489C-9EB3-43F0E0558D22}" = dir=in | app=c:\program files\avg\avg8\avgupd.exe |
"{98E9BC5A-1D7F-4720-945A-8D04394C792C}" = protocol=6 | dir=out | app=c:\program files\rosetta stone\rosetta stone version 3\support\bin\win\rosettastoneltdservices.exe |
"{9C3E91A4-53F1-4EC3-9E48-5E0D89C8DB26}" = protocol=17 | dir=in | app=c:\users\jesse\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{A4D713B6-61D8-4649-B10A-B1ABADB6D352}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{B888F343-4EC1-4BC2-ABAF-B1E0C814E8AD}" = protocol=6 | dir=out | app=c:\program files\rosetta stone\rosetta stone version 3\rosettastoneversion3.exe |
"{C5C7D295-5C85-47D9-B22A-570B24A6AD2B}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe |
"{C89B893F-4FB5-4F83-83E1-DE1FC31BC25C}" = protocol=17 | dir=in | app=c:\users\jesse\appdata\local\google\google talk plugin\googletalkplugin.exe |
"{D8A6F686-A6C5-4DBD-A5E3-B3CECF02AB9C}" = protocol=6 | dir=in | app=c:\users\jesse\appdata\local\google\google talk plugin\googletalkplugin.dll |
"{DD646AC6-8282-4C0A-9F3D-7AF12953D022}" = protocol=6 | dir=in | app=c:\users\jesse\appdata\roaming\dropbox\bin\dropbox.exe |
"{E8B685E4-65C1-4F8F-A6DB-D1D58748237C}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe |
"{E9A15687-F311-4E63-B748-988C048425A7}" = protocol=17 | dir=in | app=c:\users\jesse\appdata\local\google\google talk plugin\googletalkplugin.dll |
"{EACC2DE6-20FB-4400-B05B-8C1FB1728540}" = protocol=17 | dir=in | app=c:\users\jesse\appdata\roaming\dropbox\bin\dropbox.exe |
"{EB3A3A9D-7FF2-4815-A858-831217C70349}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe |
"{F2D99FDD-0637-42B2-A1A9-A76877A14801}" = protocol=6 | dir=in | app=c:\users\jesse\appdata\local\google\google talk plugin\googletalkplugin.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00ADFB20-AE75-46F4-AD2C-F48B15AC3100}" = Adobe Color NA Recommended Settings CS4
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{148E08FF-D7C4-46ED-8D4D-601C67FE0AFD}" = Rosetta Stone Version 3
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{1A36CF15-DF66-4756-9482-A9ABF3DDACE6}_is1" = Driver Robot 1.1.0.5
"{26A24AE4-039D-4CA4-87B4-2F83216016FF}" = Java(TM) 6 Update 18
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons 6.40 B2
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{5570C7F0-43D0-4916-8A9E-AEDD52FA86F4}" = Adobe Color EU Extra Settings CS4
"{59F6A514-9813-47A3-948C-8A155460CC2A}" = RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
"{5A3F6A80-7913-475E-8B96-477A952CFA43}" = SupportSoft Assisted Service
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{68658FCB-01BB-4980-A7C3-6ADB1E4E0C66}" = Browntech Image Plugin 2.02
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6D8D64BE-F500-55B6-705D-DFD08AFE0624}" = Acrobat.com
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{8833FFB6-5B0C-4764-81AA-06DFEED9A476}" = Realtek 8169, 8168, 8101E and 8102E Ethernet Network Card Driver for Windows Vista
"{8ECB8220-F422-4BEB-9596-97033C533702}" = QuickBooks Pro 2008
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel® Matrix Storage Manager
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3.1
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{BBF6D0CD-A081-369F-B0B8-F168594CBB6B}" = Google Talk Plugin
"{C49067A8-8212-4A82-A4D9-1519701644F0}" = Citrix Presentation Server Client - Web Only
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B8}" = WinZip 12.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}" = iTunes
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe ExtendScript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"Active@ ISO Burner v 1.1" = Active@ ISO Burner v 1.1
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"Broadcom 802.11b Network Adapter" = Broadcom 802.11 Wireless LAN Adapter
"CCleaner" = CCleaner
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"CommView for WiFi" = CommView for WiFi
"EasyBCD" = EasyBCD 1.7.2
"ERUNT_is1" = ERUNT 1.1j
"ftp995" = ftp995
"HijackThis" = HijackThis 2.0.2
"iPhoneRingToneMaker" = iPhoneRingToneMaker 2.5.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.2)" = Mozilla Firefox (3.6.2)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"Network Stumbler" = Network Stumbler 0.4.0 (remove only)
"NVIDIA Drivers" = NVIDIA Drivers
"Pdf995" = Pdf995
"PdfEdit995" = PdfEdit995
"Ringtone Expressions" = Ringtone Expressions 1.5.0
"SearchWithin" = SearchWithin
"Signature995" = Signature995
"SMSERIAL" = Motorola SM56 Speakerphone Modem
"SpywareBlaster_is1" = SpywareBlaster 4.2
"SpywareGuard_is1" = SpywareGuard v2.2
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TightVNC_is1" = TightVNC 1.3.10
"TweakVI" = TweakVI
"UltraPdf" = UltraPdf
"UltSounds" = Windows Sound Schemes
"UltSounds2" = Ultimate Extras sounds from Microsoft® Tinker™
"Wubi" = Ubuntu
"Zip995" = Zip995

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Dropbox" = Dropbox
"Move Media Player" = Move Media Player

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/1/2010 2:26:22 PM | Computer Name = Laptop | Source = WinMgmt | ID = 10
Description =

Error - 4/1/2010 2:40:03 PM | Computer Name = Laptop | Source = WinMgmt | ID = 10
Description =

Error - 4/1/2010 11:35:16 PM | Computer Name = Laptop | Source = WinMgmt | ID = 10
Description =

Error - 4/1/2010 11:53:18 PM | Computer Name = Laptop | Source = EventSystem | ID = 4609
Description =

Error - 4/1/2010 11:54:05 PM | Computer Name = Laptop | Source = WinMgmt | ID = 10
Description =

Error - 4/2/2010 12:06:44 AM | Computer Name = Laptop | Source = WinMgmt | ID = 10
Description =

Error - 4/2/2010 12:12:25 AM | Computer Name = Laptop | Source = Application Error | ID = 1000
Description = Faulting application gmer.exe, version 1.0.15.15281, time stamp 0x4b2763f0,
faulting module gmer.exe, version 1.0.15.15281, time stamp 0x4b2763f0, exception
code 0xc0000005, fault offset 0x0000c4b1, process id 0xfe0, application start time
0x01cad21aa69a9a21.

Error - 4/2/2010 12:35:59 AM | Computer Name = Laptop | Source = WinMgmt | ID = 10
Description =

Error - 4/2/2010 2:25:55 AM | Computer Name = Laptop | Source = WinMgmt | ID = 10
Description =

Error - 4/2/2010 10:32:54 PM | Computer Name = Laptop | Source = WinMgmt | ID = 10
Description =

[ System Events ]
Error - 1/22/2010 4:35:52 AM | Computer Name = Laptop | Source = Dhcp | ID = 1002
Description = The IP address lease 172.16.31.230 for the Network Card with network
address 001DE022B4B3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 1/22/2010 6:52:34 AM | Computer Name = Laptop | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.17.101
with the system having network hardware address 00-17-C5-0E-3E-C8. Network operations
on this system may be disrupted as a result.

Error - 1/22/2010 7:00:44 AM | Computer Name = Laptop | Source = Dhcp | ID = 1002
Description = The IP address lease 172.16.31.230 for the Network Card with network
address 001DE022B4B3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 1/22/2010 7:01:47 AM | Computer Name = Laptop | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.17.101
with the system having network hardware address 00-17-C5-0E-3E-C8. Network operations
on this system may be disrupted as a result.

Error - 1/23/2010 12:14:49 AM | Computer Name = Laptop | Source = Dhcp | ID = 1002
Description = The IP address lease 172.16.31.230 for the Network Card with network
address 001DE022B4B3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 1/23/2010 12:14:47 AM | Computer Name = Laptop | Source = HTTP | ID = 15016
Description =

Error - 1/23/2010 12:14:54 AM | Computer Name = Laptop | Source = Service Control Manager | ID = 7000
Description =

Error - 1/23/2010 1:21:40 AM | Computer Name = Laptop | Source = Tcpip | ID = 4199
Description = The system detected an address conflict for IP address 192.168.17.100
with the system having network hardware address 00-17-C5-0E-3E-C8. Network operations
on this system may be disrupted as a result.

Error - 1/23/2010 1:27:28 AM | Computer Name = Laptop | Source = Dhcp | ID = 1002
Description = The IP address lease 172.16.31.230 for the Network Card with network
address 001DE022B4B3 has been denied by the DHCP server 0.0.0.0 (The DHCP Server
sent a DHCPNACK message).

Error - 1/26/2010 1:17:19 AM | Computer Name = Laptop | Source = HTTP | ID = 15016
Description =


< End of report >
 
Morning,

File C:\Windows\system32\drivers\iaStor.sys suspicious modification
This was from your GMER log; it's the file that runs your Intel Chipset on your motherboard. It may be infected, but before we take action on it I want another expert to take a look.

Be back soon
 
This is what I need you to do.

ONLY if you connect to the internet via a router do this:

Let’s try to reset the router to its default configuration.
  • This can be done by inserting something tiny like a paper clip end or pencil tip into a small hole labeled "reset" located on the back of the router.
  • Press and hold down the small button inside until the lights on the front of the router blink off and then on again (usually about 10 seconds).
  • If you don’t know the router's default password, you can look it up HERE.
  • You also need to reconfigure any security settings you had in place prior to the reset.
  • You may also need to consult with your Internet service provider to find out which DNS servers your network should be using.

  • Go to Start > Run > type: cmd
  • Press OK or Hit Enter.
  • At the command prompt, type or copy/paste: ipconfig /flushdns (note the space between “..g /f…”; it needs to be there)
  • Hit Enter.
  • You will get a confirmation that the flush was successful.
  • Close the command box.

Open Notepad (Go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

Code:
File::
c:\windows\System32\drivers\rcsra.sys

Driver::
sqnauyl

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

  • Download TDSSKiller and save it to your Desktop.

Extract the file and run it.

Once completed, it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date).

Please post the content of that TDSSKiller log.
 
Hi,

I need you to follow the fixes that I posted earlier. This malware will send a clean file from backups to VirusTotal to check, so that report does not mean much.
 
Spoofdog,

I have run into this before; this is from the first log I worked on for another user in relation to iastor.sys.

From one of the leading malware removers around:

The empty brackets () mean there is no company name, so yes, there is a problem; it should say Intel Corp if it was legit, so I would say you have a hijacked iastor.sys there.
Don't bother sending it to Virscan to confirm, as they always come back clean; the infected file protects itself by sending a legit copy to scan - sneaky.
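A defender-side check of the reasoning in that post (a driver file whose version resource carries no CompanyName is a red flag), written here as an added PowerShell example; it is not code from the thread or from any of the tools it names. It assumes Windows PowerShell 2.0 or later on the affected machine and the default %SystemRoot%\System32\drivers folder; the function name Get-SuspiciousDriver is chosen for this example.

```powershell
# Added example, not from the thread: list kernel driver files whose version
# resource has an empty CompanyName (what GMER shows as "()") or whose
# embedded Authenticode signature does not verify. Assumes Windows
# PowerShell 2.0+ and the default %SystemRoot%\System32\drivers location.
function Get-SuspiciousDriver {
    param(
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers')
    )
    Get-ChildItem -Path $DriverDir -Filter *.sys -ErrorAction SilentlyContinue |
      ForEach-Object {
        $company = $_.VersionInfo.CompanyName
        $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer  = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        # Empty CompanyName is the signal the quoted remover calls out; a
        # missing or invalid embedded signature is only a secondary flag,
        # because in-box Vista drivers are usually catalog-signed and will
        # report NotSigned here even when they are genuine.
        if ([string]::IsNullOrEmpty($company) -or $sig.Status -ne 'Valid') {
            New-Object PSObject -Property @{
                File      = $_.Name
                Company   = $company
                SigStatus = $sig.Status
                Signer    = $signer
                Modified  = $_.LastWriteTime
                Size      = $_.Length
            }
        }
      }
}

# Flagged drivers, empty CompanyName sorting first.
Get-SuspiciousDriver | Sort-Object Company, File |
    Format-Table File, Company, SigStatus, Signer, Modified, Size -AutoSize

# iaStor.sys is the file this thread is about, so report it explicitly:
# a legitimate copy carries Intel's name in the version resource.
$iastor = Join-Path $env:SystemRoot 'System32\drivers\iaStor.sys'
if (Test-Path $iastor) {
    $v = (Get-Item $iastor).VersionInfo
    $s = (Get-AuthenticodeSignature -FilePath $iastor).Status
    "iaStor.sys: CompanyName='{0}' FileVersion='{1}' Signature={2}" -f $v.CompanyName, $v.FileVersion, $s
}
```

Treat the output as triage rather than proof: a rootkit that hides the real file can feed this check a clean copy exactly as the post describes for online scanners, which is why the thread moves on to TDSSKiller and ComboFix.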
 
I had to run in safe mode for ComboFix to work....

ComboFix 10-04-03.02 - Jesse 04/04/2010 23:32:56.3.2 - x86 NETWORK
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2046.1653 [GMT -4:00]
Running from: c:\users\Jesse\Desktop\ComboFix.exe
Command switches used :: c:\users\Jesse\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\windows\System32\drivers\rcsra.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_sqnauyl


((((((((((((((((((((((((( Files Created from 2010-03-05 to 2010-04-05 )))))))))))))))))))))))))))))))
.

2010-04-05 03:42 . 2010-04-05 03:42 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-04-05 03:42 . 2010-04-05 03:42 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-04-05 03:23 . 2010-04-05 03:30 -------- d-----w- C:\32788R22FWJFW
2010-04-01 18:48 . 2010-04-01 18:48 -------- d-----w- c:\programdata\WindowsSearch
2010-03-31 07:42 . 2010-04-05 03:46 -------- d-----w- c:\users\Jesse\AppData\Local\temp
2010-03-30 07:32 . 2010-04-03 07:39 -------- d-----w- c:\users\Jesse\AppData\Local\Apple Computer
2010-03-30 07:31 . 2010-03-30 07:31 -------- d-----w- C:\ie-spyad_zo
2010-03-30 04:58 . 2010-03-31 22:38 -------- d-----w- c:\program files\SpywareGuard
2010-03-30 04:54 . 1999-12-21 11:58 21312 ----a-w- c:\windows\choice.exe
2010-03-30 04:54 . 2010-03-30 04:54 -------- d-----w- C:\ie-spyad
2010-03-30 04:47 . 2010-03-30 04:53 -------- d-----w- c:\program files\SpywareBlaster
2010-03-30 04:01 . 2010-03-30 04:01 -------- d-----w- c:\program files\Common Files\Java
2010-03-28 05:33 . 2010-04-01 04:23 -------- d-----w- c:\users\Jesse\AppData\Local\Adobe
2010-03-28 05:23 . 2010-03-28 05:23 -------- d-----w- C:\rsit
2010-03-28 05:12 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-28 05:12 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-28 05:12 . 2010-03-28 05:12 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-23 08:03 . 2010-03-23 08:03 -------- d-----w- c:\program files\Trend Micro
2010-03-23 08:02 . 2010-03-23 08:02 -------- d-----w- c:\program files\ERUNT
2010-03-23 05:06 . 2010-03-23 05:06 -------- d-----w- c:\users\Jesse\AppData\Roaming\Malwarebytes
2010-03-23 05:05 . 2010-03-23 05:05 -------- d-----w- c:\programdata\Malwarebytes
2010-03-23 04:14 . 2010-04-03 09:44 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-23 04:14 . 2010-03-31 22:23 -------- d-----w- c:\programdata\Spybot - Search & Destroy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-05 03:45 . 2009-02-15 04:26 105973 ----a-w- c:\programdata\nvModes.dat
2010-04-04 23:16 . 2009-09-07 15:07 -------- d-----w- c:\programdata\pdf995
2010-04-03 10:15 . 2009-02-09 02:21 2055 ----a-w- c:\windows\bthservsdp.dat
2010-04-01 18:19 . 2010-01-06 08:02 -------- d-----w- c:\users\Jesse\AppData\Roaming\Dropbox
2010-03-31 08:39 . 2009-09-07 15:01 -------- d-----w- c:\program files\CCleaner
2010-03-31 07:14 . 2010-02-03 04:52 -------- d-----w- c:\programdata\avg9
2010-03-30 06:56 . 2010-01-29 06:39 -------- d-----w- c:\users\Jesse\AppData\Roaming\iPhoneRingToneMaker
2010-03-30 03:59 . 2009-09-23 01:46 -------- d-----w- c:\program files\Java
2010-03-17 05:04 . 2009-02-11 18:41 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-03-10 10:54 . 2009-02-09 01:19 -------- d-----w- c:\program files\Common Files\PC Tools
2010-02-26 18:41 . 2010-01-06 08:02 91696 ----a-w- c:\users\Jesse\AppData\Roaming\Dropbox\bin\Uninstall.exe
2010-02-26 18:39 . 2010-02-26 18:39 13264416 ----a-w- c:\users\Jesse\AppData\Roaming\Dropbox\cache\Dropbox-update-0.7.110.exe
2010-02-26 05:10 . 2010-02-26 05:10 21979992 ----a-w- c:\users\Jesse\AppData\Roaming\Dropbox\bin\Dropbox.exe
2010-02-20 13:24 . 2010-02-02 08:03 2397 ----a-w- c:\programdata\Intuit\QuickBooks 2008\qbbackup.sys
2010-02-14 17:20 . 2010-02-14 17:20 -------- d-----w- c:\program files\TightVNC
2010-02-12 11:04 . 2009-10-08 21:44 -------- d-----w- c:\program files\iTunes
2010-02-12 11:03 . 2010-02-12 11:03 -------- d-----w- c:\program files\iPod
2010-02-12 11:03 . 2009-09-09 03:44 -------- d-----w- c:\program files\Common Files\Apple
2010-02-12 11:02 . 2010-02-12 11:01 -------- d-----w- c:\program files\QuickTime
2010-02-12 10:59 . 2010-02-12 10:59 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-05 15:39 . 2010-02-05 15:39 251376 ----a-w- c:\users\Jesse\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-02-05 06:45 . 2009-02-09 01:00 -------- d-----w- c:\programdata\NVIDIA
2010-02-05 04:35 . 2010-01-29 06:45 -------- d-----w- c:\users\Jesse\AppData\Roaming\Ringtone Expressions
2010-02-02 07:57 . 2010-02-02 08:01 849184 ----a-w- c:\programdata\Intuit\QuickBooks 2008\Components\DownloadQB18\Patch\qbpatch.exe
2010-02-02 07:56 . 2010-02-02 08:01 499712 ----a-w- c:\programdata\Intuit\QuickBooks 2008\Components\DownloadQB18\Patch\msvcp71.dll
2010-02-02 07:56 . 2010-02-02 08:01 348160 ----a-w- c:\programdata\Intuit\QuickBooks 2008\Components\DownloadQB18\Patch\msvcr71.dll
2010-02-01 02:53 . 2009-02-08 23:27 680 ----a-w- c:\users\Jesse\AppData\Local\d3d9caps.dat
2010-01-25 12:47 . 2010-02-03 04:44 3777816 ----a-w- c:\programdata\TEMP\AVG\setup.exe
2010-01-19 07:55 . 2010-01-19 07:55 86016 ----a-w- c:\programdata\NOS\Adobe_Downloads\arh.exe
2010-01-13 07:35 . 2009-09-08 00:27 55208 ----a-w- c:\windows\system32\drivers\pctNdis.sys
2010-01-13 07:35 . 2010-01-13 07:35 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2010-01-13 07:35 . 2010-01-13 07:35 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2007-06-21 23:38 . 2007-06-21 23:38 30280 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2007-06-21 23:38 . 2007-06-21 23:38 79432 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2007-06-21 23:38 . 2007-06-21 23:38 71240 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2007-06-21 23:38 . 2007-06-21 23:38 140872 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2007-06-21 23:39 . 2007-06-21 23:39 38472 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2007-06-21 23:39 . 2007-06-21 23:39 46664 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2007-06-21 23:39 . 2007-06-21 23:39 34376 ----a-w- c:\program files\mozilla firefox\plugins\logging.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-06-21 23:39 . 2007-06-21 23:39 685640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2007-06-21 23:40 . 2007-06-21 23:40 30280 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Jesse\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Jesse\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\users\Jesse\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-09-25 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-05-05 1466368]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2008-04-15 178712]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-12-04 92704]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
backup=c:\windows\pss\QuickBooks Update Agent.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Jesse^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^SpywareGuard.lnk]
path=c:\users\Jesse\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SpywareGuard.lnk
backup=c:\windows\pss\SpywareGuard.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2008-03-28 06:05 1045800 ----a-w- c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPStart]
2007-09-15 00:29 102400 ----a-w- c:\program files\Synaptics\SynTP\SynTPStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-21 02:21 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-222641873-1350462184-214149500-1000]
"EnableNotificationsRef"=dword:00000001

R3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\DRIVERS\netaapl.sys [2009-07-09 17408]
R3 pctNDIS;PC Tools Driver;c:\windows\system32\DRIVERS\pctNdis.sys [2010-01-13 55208]
S1 TsLwWfF;WiFi Capture Driver;c:\windows\system32\DRIVERS\TsLwWfF.sys [2009-08-22 21032]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2009-05-29 4233728]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
2008-04-11 21:23 38400 ----a-w- c:\windows\System32\SoundSchemes.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
2008-08-28 14:50 30720 ----a-w- c:\windows\System32\soundschemes2.exe
.
Contents of the 'Scheduled Tasks' folder

2009-10-13 c:\windows\Tasks\Driver Robot.job
- c:\program files\Driver Robot\1.1.0.5\DriverRobot.exe [2009-10-12 11:05]

2010-04-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-222641873-1350462184-214149500-1000Core.job
- c:\users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-25 20:44]

2010-04-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-222641873-1350462184-214149500-1000UA.job
- c:\users\Jesse\AppData\Local\Google\Update\GoogleUpdate.exe [2009-09-25 20:44]

2010-04-04 c:\windows\Tasks\User_Feed_Synchronization-{60FEB48D-87CA-4087-BDFD-1356451390D0}.job
- c:\windows\system32\msfeedssync.exe [2009-09-11 20:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://crewscheduler.cataldoambulance.com/LoginCompany.aspx?ReturnUrl=%2fdefault.aspx
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Jesse\AppData\Roaming\Mozilla\Firefox\Profiles\jmmzickc.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=18&q=
FF - prefs.js: browser.startup.homepage - hxxp://us.mc320.mail.yahoo.com/mc/welcome?.gx=1&.tm=1252331961&.rand=923qo01mu1hfi
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npicaN.dll
FF - plugin: c:\users\Jesse\AppData\Local\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\users\Jesse\AppData\Roaming\Move Networks\plugins\npqmp071503000010.dll
FF - plugin: c:\users\Jesse\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-04 23:45
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

[0] 0x0000F045

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iaStor.sys >>UNKNOWN [0x867F98C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x881c8322
\Driver\ACPI -> acpi.sys @ 0x80693d4c
\Driver\atapi -> ataport.SYS @ 0x828e59a8
\Driver\iaStor -> iaStor.sys @ 0x82850eae
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(2908)
c:\users\Jesse\AppData\Roaming\Dropbox\bin\DropboxExt.13.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\windows\system32\WUDFHost.exe
c:\windows\System32\rundll32.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-04-04 23:59:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-05 03:59
ComboFix2.txt 2010-03-31 07:42

Pre-Run: 67,784,290,304 bytes free
Post-Run: 65,194,397,696 bytes free

- - End Of File - - D6F031E314E2B483F1634008060FBE36
 
Working

I was working on getting Combofix to run.
Now that it has, here are the results from TDSSKiller:

00:05:21:091 3288 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
00:05:21:091 3288 ================================================================================
00:05:21:091 3288 SystemInfo:

00:05:21:091 3288 OS Version: 6.0.6001 ServicePack: 1.0
00:05:21:091 3288 Product type: Workstation
00:05:21:091 3288 ComputerName: LAPTOP
00:05:21:091 3288 UserName: Jesse
00:05:21:091 3288 Windows directory: C:\Windows
00:05:21:091 3288 Processor architecture: Intel x86
00:05:21:091 3288 Number of processors: 2
00:05:21:091 3288 Page size: 0x1000
00:05:21:091 3288 Boot type: Normal boot
00:05:21:091 3288 ================================================================================
00:05:21:091 3288 UnloadDriverW: NtUnloadDriver error 2
00:05:21:091 3288 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
00:05:21:138 3288 wfopen_ex: Trying to open file C:\Windows\system32\config\system
00:05:21:138 3288 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:05:21:138 3288 wfopen_ex: Trying to KLMD file open
00:05:21:138 3288 wfopen_ex: File opened ok (Flags 2)
00:05:21:153 3288 wfopen_ex: Trying to open file C:\Windows\system32\config\software
00:05:21:153 3288 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
00:05:21:153 3288 wfopen_ex: Trying to KLMD file open
00:05:21:153 3288 wfopen_ex: File opened ok (Flags 2)
00:05:21:153 3288 Initialize success
00:05:21:153 3288
00:05:21:153 3288 Scanning Services ...
00:05:22:183 3288 Raw services enum returned 443 services
00:05:22:199 3288
00:05:22:199 3288 Scanning Kernel memory ...
00:05:22:199 3288 Devices to scan: 2
00:05:22:199 3288
00:05:22:199 3288 Driver Name: iaStor
00:05:22:199 3288 IRP_MJ_CREATE : 82850EAE
00:05:22:199 3288 IRP_MJ_CREATE_NAMED_PIPE : 82850EAE
00:05:22:199 3288 IRP_MJ_CLOSE : 82850EAE
00:05:22:199 3288 IRP_MJ_READ : 82850EAE
00:05:22:199 3288 IRP_MJ_WRITE : 82850EAE
00:05:22:199 3288 IRP_MJ_QUERY_INFORMATION : 82850EAE
00:05:22:199 3288 IRP_MJ_SET_INFORMATION : 82850EAE
00:05:22:199 3288 IRP_MJ_QUERY_EA : 82850EAE
00:05:22:199 3288 IRP_MJ_SET_EA : 82850EAE
00:05:22:199 3288 IRP_MJ_FLUSH_BUFFERS : 82850EAE
00:05:22:199 3288 IRP_MJ_QUERY_VOLUME_INFORMATION : 82850EAE
00:05:22:199 3288 IRP_MJ_SET_VOLUME_INFORMATION : 82850EAE
00:05:22:199 3288 IRP_MJ_DIRECTORY_CONTROL : 82850EAE
00:05:22:199 3288 IRP_MJ_FILE_SYSTEM_CONTROL : 82850EAE
00:05:22:199 3288 IRP_MJ_DEVICE_CONTROL : 82850EAE
00:05:22:199 3288 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82850EAE
00:05:22:199 3288 IRP_MJ_SHUTDOWN : 82850EAE
00:05:22:199 3288 IRP_MJ_LOCK_CONTROL : 82850EAE
00:05:22:199 3288 IRP_MJ_CLEANUP : 82850EAE
00:05:22:199 3288 IRP_MJ_CREATE_MAILSLOT : 82850EAE
00:05:22:199 3288 IRP_MJ_QUERY_SECURITY : 82850EAE
00:05:22:199 3288 IRP_MJ_SET_SECURITY : 82850EAE
00:05:22:199 3288 IRP_MJ_POWER : 82850EAE
00:05:22:199 3288 IRP_MJ_SYSTEM_CONTROL : 82850EAE
00:05:22:199 3288 IRP_MJ_DEVICE_CHANGE : 82850EAE
00:05:22:199 3288 IRP_MJ_QUERY_QUOTA : 82850EAE
00:05:22:199 3288 IRP_MJ_SET_QUOTA : 82850EAE
00:05:22:199 3288 Driver "iaStor" infected by TDSS rootkit!
00:05:22:230 3288 C:\Windows\system32\DRIVERS\iaStor.sys - Verdict: 1
00:05:22:230 3288 File "C:\Windows\system32\DRIVERS\iaStor.sys" infected by TDSS rootkit ... 00:05:22:230 3288 Processing driver file: C:\Windows\system32\DRIVERS\iaStor.sys
00:05:22:339 3288 vfvi6
00:05:22:433 3288 dsvbh1
00:05:22:526 3288 fdfb1
00:05:22:526 3288 Backup copy found, using it..
00:05:22:526 3288 will be cured on next reboot
00:05:22:526 3288
00:05:22:526 3288 Driver Name: iaStor
00:05:22:526 3288 IRP_MJ_CREATE : 82850EAE
00:05:22:526 3288 IRP_MJ_CREATE_NAMED_PIPE : 82850EAE
00:05:22:526 3288 IRP_MJ_CLOSE : 82850EAE
00:05:22:526 3288 IRP_MJ_READ : 82850EAE
00:05:22:526 3288 IRP_MJ_WRITE : 82850EAE
00:05:22:526 3288 IRP_MJ_QUERY_INFORMATION : 82850EAE
00:05:22:526 3288 IRP_MJ_SET_INFORMATION : 82850EAE
00:05:22:526 3288 IRP_MJ_QUERY_EA : 82850EAE
00:05:22:526 3288 IRP_MJ_SET_EA : 82850EAE
00:05:22:526 3288 IRP_MJ_FLUSH_BUFFERS : 82850EAE
00:05:22:526 3288 IRP_MJ_QUERY_VOLUME_INFORMATION : 82850EAE
00:05:22:526 3288 IRP_MJ_SET_VOLUME_INFORMATION : 82850EAE
00:05:22:526 3288 IRP_MJ_DIRECTORY_CONTROL : 82850EAE
00:05:22:526 3288 IRP_MJ_FILE_SYSTEM_CONTROL : 82850EAE
00:05:22:526 3288 IRP_MJ_DEVICE_CONTROL : 82850EAE
00:05:22:526 3288 IRP_MJ_INTERNAL_DEVICE_CONTROL : 82850EAE
00:05:22:526 3288 IRP_MJ_SHUTDOWN : 82850EAE
00:05:22:526 3288 IRP_MJ_LOCK_CONTROL : 82850EAE
00:05:22:526 3288 IRP_MJ_CLEANUP : 82850EAE
00:05:22:526 3288 IRP_MJ_CREATE_MAILSLOT : 82850EAE
00:05:22:526 3288 IRP_MJ_QUERY_SECURITY : 82850EAE
00:05:22:526 3288 IRP_MJ_SET_SECURITY : 82850EAE
00:05:22:526 3288 IRP_MJ_POWER : 82850EAE
00:05:22:526 3288 IRP_MJ_SYSTEM_CONTROL : 82850EAE
00:05:22:526 3288 IRP_MJ_DEVICE_CHANGE : 82850EAE
00:05:22:526 3288 IRP_MJ_QUERY_QUOTA : 82850EAE
00:05:22:526 3288 IRP_MJ_SET_QUOTA : 82850EAE
00:05:22:526 3288 Driver "iaStor" infected by TDSS rootkit!
00:05:22:526 3288 C:\Windows\system32\DRIVERS\iaStor.sys - Verdict: 3
00:05:22:526 3288 Reboot required for cure complete..
00:05:22:542 3288 Cure on reboot scheduled successfully
00:05:22:542 3288
00:05:22:542 3288 Completed
00:05:22:542 3288
00:05:22:542 3288 Results:
00:05:22:542 3288 Memory objects infected / cured / cured on reboot: 2 / 0 / 0
00:05:22:542 3288 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:05:22:542 3288 File objects infected / cured / cured on reboot: 1 / 0 / 1
00:05:22:542 3288
00:05:22:542 3288 fclose_ex: Trying to close file C:\Windows\system32\config\system
00:05:22:542 3288 fclose_ex: Trying to close file C:\Windows\system32\config\software
00:05:22:542 3288 UnloadDriverW: NtUnloadDriver error 1
00:05:22:542 3288 KLMD(ARK) unloaded successfully
 
Good Morning Spoofdog,

Thanks for returning the info from the scan. There was a bad driver, malware related, causing issues and CF fixed it. If you look at the TDSS Killer log at the very bottom, you will see that iastor.sys was indeed infected and TDSS Killer fixed that also, after a reboot, so hope you rebooted.


How are things running now?
 
Hi Ken,

So far everything seems to be running fine, I haven't been re-directed yet, and all seems fine. I'll keep you posted but it looks good!

Thanks for all of your help, I appreciate it!

-Jesse
 
Great :bigthumb:

Let's update your Java to make your system more secure.

Go to your Control Panel and click on the Java Icon (looks like a little coffee cup), click on About, and you should have Version 6 Update 19; if not, proceed with the instructions.

Download the latest version Here save it, do not install it yet.

Java SE Runtime Environment (JRE) JRE 6 Update 19 <-- The wording is confusing but this is what you need

  • Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
  • Reboot your computer
  • Install the latest version
You can verify the installation Here

Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.

Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall are recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.
  • Spybot Search and Destroy 1.6
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.


Safe Surfn
Ken
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 