Remote user has trojan/rootkit

1. Run GMER again and show us the log...
2. If it gives you a warning about rootkit activity and asks if you want to run a full scan...click on NO, then use the following settings for a more complete scan..
3. In the right panel, you will see several boxes that have been checked.

Make sure that the "Sections" box is checked.
Ensure the following are UNCHECKED ...
IAT/EAT
 Drives/Partition other than Systemdrive (typically C:\)
 Show All (don't miss this one)
 
If you scan with ComboFix make sure its updated or download a fresh copy.
ComboFix terminates connection during the scan but resumes connection straight after. Attach the log.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix 

I was hoping to grab your attention - please allow for some time while I contact him in a different timezone.  Thanks

What about using DrWeb live CD?

http://www.freedrweb.com/livecd/

Download OTL by OldTimer
http://ottools.noahdfear.net/OTL.exe

OTL is a flexible, multipurpose, diagnostic, and malware removal tool. It also has some curative ability.

Once downloaded, Place OTL to desktop and run it from there, Make sure you select "Scan All Users" on middle top of the Program's UI then Click Run Scan.

When done 2 logs will be generated, Please attach them both here.

The McAfee false positive problem was a week and a half ago (approx) and it did delete svchost.exe.

http://mcafee.com/us/about/false_positive_response.html

@RPG

I asked him to do as you requested but he failed to attach the logfile (I've asked him again for it) - I have copied his email response below though in hopes that it will shed more light on the problem;

"Running GMER I found it said;

Windows\system32\drivers\iastor.sys – suspicious modification.

I believe this is the virus file. I have a good copy of this file in windows.old directory.  I tried to rename / delete the file but it automatically adds the file back when I do this, even in safe mode.  I even tried using autoruns to stop this driver from loading in the first place, but then windows wont start, again even in safe mode.

Tomorrow I will try to start the computer from the startup disk and hopefully then I can replace the virus file with the good copy.  If you have any other suggestions let me know."

Is iastor.sys the only file that Gmer finds as having "suspicious modification"?
Is there any line under "Kernel code sections" which says "entry point in..."
Usually Gmer also flag a driver that's only patched in memory but not the physical file... but if that is the only file it flags then replace that file.

It's active in safe mode also, but you should be able to via Recovery Console.

Is the user having ComboFix installed? ComboFix can fix it too using its script function which is easier.

It would be nice to see the whole Gmer log.

I would assume so as he appears so sure that its' the culprit, surely he would mention another 'suspicious modification' result.  Nevertheless I've asked him to attach the log, but am now fearful that he won't as he seems like the user that wants to 'do it all themselves'.  I hope to hear from him soon.  

I'm sorry he's complaining that GMER keeps crashing and he can't post the logs.  If it is just that one file could you please assist with the appropriate combo-fix script to restore a safe version?

If Gmers hangs, tell him to uncheck the "Files" box in Gmer often works.


ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
If Gmer still hangs,
Let him download and run ComboFix... as it is not advisable to use CFscript as a frontliner when we have no idea what other infection is present in the system.
I'll post the script once he'd done the initial Combofix run.
It would be great if he can give you the ComboFix.txt.

OK - I've asked him to do so.  Unfortunately he's busy at the moment and there's little computer redundancy (none) so he needs to use it for work (it is isolated though), so there will be a delay for uanattended scan results.

There's little symptoms to speak of - McAfee gives him a prompt every 5 minutes that it's found a new virus pointing to a C:\windows\temp\***.tmp\ location of a svchost.exe file and that's all he notices.  It identifies it as a 'Downloader-CHF' virus, which was added to the McAfee database on April 10th 2010.  He's tried running CCleaner on his temporary files as well.  

Attached GMER log - doesn't appear to show much? He assures that all the things requested were checked/unchecked.  
GMERLog-28Apr2010-1-.log

In addition to the other great suggestions posted; if they all fail, try creating a bootable antivirus CD. If that doesn't fix it, then you've got some serious problems. It's always good to keep on hand at anytime:
https://www.experts-exchange.com/questions/25347695/anti-infection-CD-solution.html 
https://www.experts-exchange.com/articles/Storage/Misc/Creating-a-bootable-CD-USB.html 
What I like is that there are just some pesky items that can't be removed while in Windows. I run from a bootable source first, then go into Windows and see what's left over and then deal with it after. The bootable CD sometimes will take care of 80-100% of the infected items; making it that much easier. Best of luck to you.

Thanks for the Gmer log..... not what I was expecting to show up in the log, was expecting other entries there.
I'm not so sure that the iastor.sys file is patched, just patched in memory.
Try running ComboFix and well see what shows in the log....
I think what tzucker suggested(McAfee false positive) might be the culprit here....check out his link.
If not the McAfee then we can replace that iastor.sys file it can't hurt... but I really doubt iastor.sys needs replacing(but I could be wrong).

Thanks I had considered that (McAfee issue) but he's running Vista Pro and I think the problem started before that outbreak, which I should have mentioned earlier.  

I will ask him to run the combofix scan on Monday.  

After he run ComboFix we can use it to replace that iastor.sys file infected or not.

Also ask him to run OTL that moh10ly suggested, but use a custom scan to scan more locations in particular. OTL is a diagnostic scanner, it won't delete anything without a script.


Download OTL to your Desktop
http://oldtimer.geekstogo.com/OTL.exe 
• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

• Under the "Custom Scan" box paste below bolded text in:
 
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90


•Click the Quick Scan button. Do not change any settings.
The scan wont take long.
¿When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Sorry for the delay - attached OTL logs below.
OTL.Txt
Extras.Txt

Thanks so much for your help :)

No worries, :)

How's the pc going?

Yeah great - I had received an email from him with big bold lettering with the word 'SUCCESS' so it looks to be running fine for him.  I've attached the log - it looks like it found many things that the OTL scan didn't pick up as well as Malware Bytes and GMER.


combofixlog.txt

That sounds great.
Thanks for the log.

Yes, ComboFix is an excellent tool.. In this case it found and disinfected/replaced 3 patched files(iastor.sys, explorer.exe and autochk.exe).
This is the worst I've seen so far having 3 patched files, usually only one.

If everything's okay now, ask him to uninstall ComboFix.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /Uninstall

Or simply rename ComboFix.exe to Uninstall.exe and double click it.


Thank you for using Experts-Exchange!