malware!

1

1l1l1l

New member
Hello,

I recently have been experiencing redirects to websites I don't want to visit. And, I cannot start spybot S&D (not even by using the .src file) anymore, although the "resident" does appear in the tray.

I backed up my Registry with ERUNT, and generated the hijackThis log below.

please help! thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:36:36 PM, on 4/18/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dropbox\Dropbox.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SymCorpUI.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SavUI.exe
C:\Windows\system32\Taskmgr.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Spybot - Search & Destroy\XEQKXVCQPGTGHFBT.scr
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{61F9ED12-2F97-4978-AD7B-FCC6C95F2A52}: NameServer = 85.255.112.213,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{B997C016-E533-4C5E-B3CB-97E7490668F1}: NameServer = 85.255.112.213,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6CC5C08-F55C-4251-B3C4-4BCE262BE4A9}: NameServer = 85.255.112.213,85.255.112.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.213,85.255.112.6
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.112.213,85.255.112.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.213,85.255.112.6
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe

--
End of file - 7600 bytes
 
Hi there,


Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu
    select
    Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck
    Resident TeaTimer
     and OK any prompts.
  • Restart your computer


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Thanks in advance for your help!

I have tried to do as you say, however I have run into the following problem:

I went to another computer (in my school's computer lab) and downloaded combofix on my USB drive. I then put it on my infected computer's desktop and tried to install it but it did open; it said something to the effect of:

"Alert! Combofix has been compromised! Download another copy at bleepingcomputer.com"

And then, combofix deleated iteslf and it was no longer on the desktop. I tried downloading it again on several computers (and then transfering it to my infected laptop) but had the same result each time.

I don't know what to do! Any help is greatly appreciated.

Thank you!
 
Hi

You have to be extremely careful with that USB stick since your system may carry bad infection which can infect the stick and when plugged in other system, infect that system as well. Please don't use it on any other systems now to minimize risk!

Is this log you posted taken from your personal system?
 
Yes, the log I posted is from my personal laptop, which is the computer that is having the problems.


How can I get combofix onto my laptop if I can't use a USB drive? I also don't want my laptop to access the internet.

Is there anything else I can do?

Thanks again for your help.
 
The reason why ComboFix didn't run is that you may have infection there that can't be removed successfully without reformat.

Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.


  • Read the requirements and privacy statement then click on the Accept button.

  • The program will launch and start to download the latest definition files.

  • You will be prompted to install an application from Kaspersky. Click Run

  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  • Spyware, Adware, Dialers, and other potentially dangerous programs
    Archives

  • Click on My Computer under Scan.

  • Once the scan is complete, it will display the results. Click on View Scan Report.

  • Click on Save Report As....

  • Change the Files of type to Text file (.txt) before clicking on the Save button.

  • Save this report to a convenient place.

  • Copy and paste that information into your topic.

  • The scan will take a while so be patient and let it run. As it scans your machine very deeply it could take hours to complete, Kaspersky suggests running it during a time of low activity.
If you need a tutorial, see here
 
I tried to do as you suggest but had the following problem:

The KAV program was unable to update the database. Here is what it said:

Program database is being updated. Please wait...
Update source selected: http://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to connect to update source: downloads5.kaspersky-labs.com
Update source selected: ftp://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: http://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to connect to update source: downloads2.kaspersky-labs.com
Update source selected: ftp://downloads5.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: http://downloads3.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to connect to update source: downloads3.kaspersky-labs.com
Update source selected: ftp://downloads4.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Update source selected: http://downloads1.kaspersky-labs.com/
Downloading file: index/master.xml.klz
Failed to connect to update source: downloads1.kaspersky-labs.com
Update source selected: ftp://downloads2.kaspersky-labs.com/
Downloading file: index/master.xml.klz

and eventually I got a pop up window that said:

"Update has failed. Program has failed to start. Close the Kaspersky Online Scanner 7.0 window and open it again to install the program.

You must be online to update the Kaspersky Online Scanner 7.0 database. With the latest database updates, you can find new viruses and other threats. Please go online to use Kaspersky Online Scanner 7.0. [ERROR: Failed to connect to update source]"

I suspect that whatever horrid virus I have is blocking downloads from the "kaspersky-labs.com" domain, but that is just a guess.

Thanks so much for your help... any other ideas?
 
Hi

Open notepad and then copy and paste the bolded lines below into it. Go to File > save as and name the file getHosts.bat, change the Save as type to all files and save it to your desktop.
@echo off
copy c:\windows\system32\drivers\etc\HOSTS c:\HOSTS.txt

Double-click on getHosts.bat file to execute it. After that, you should have c:\HOSTS.txt file. Please, attach the file to your reply.
 
Here is what the Hosts.txt file says:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
::1 localhost


Thanks again for all your help!
 
Hi again,

Please do following:

1. Download Flash_Disinfector and save it to your Desktop of clean system.
2. After downloading, double-click on Flash_Disinfector to run it.
3. Just follow the prompts and continue until it begin scanning.
4. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
5. It will scan removable drives, wait for the scan to finish. Done.

After that, download the latest version of Kaspersky Virus Removal Tool to your USB stick and copy it to infected system.

* Close all other applications and double-click and run the installer.
* When AVPTool starts, select all the scanable items except for CD-ROM drives and click the Scan button.
* If malware is detected, don't remove anything.
* After the scan finishes, don't neutralize anything.
* In the Scan window click the Reports button and select Save to file.
* Name the report AVPT.txt, and save it to the Desktop.
* Close AVPTool.
* You will be prompted if you want to uninstall the program; click Yes.
* You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
* Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.
 
Hello,

I downloaded the files you suggested and then completed the scan which took several hours. Below is the portion of the report you requested.

One note:
"Hoax.Win32.BadJoke.InvertMouse.a" is actually a program I use to invert my touchpad mouse which due to a hardware error frequently reverses itself. I have used this program for a long time with no problems and I am pretty sure it is not causing any of my problems.

Thanks for your help!

Scan
----
Scanned: 679263
Detected: 14
Untreated: 14
Start time: 4/19/2009 12:22:50 PM
Duration: 04:53:18
Finish time: 4/19/2009 5:16:08 PM


Detected
--------
Status Object
------ ------
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\089C0000\49BCB29F.VBN//CryptZ
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780000\4B7E63FB.VBN//CryptZ
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780001\4B7E6A77.VBN//CryptZ
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780002\4B7E6B03.VBN//CryptZ
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C780000\4D7F8B4D.VBN//CryptZ
detected: Trojan program Backdoor.Win32.PcClient.jhu File: C:\ProgramData\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\146C0000\5DFD76AA.VBN//CryptZ
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\089C0000\49BCB29F.VBN//CryptZ
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780000\4B7E63FB.VBN//CryptZ
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780001\4B7E6A77.VBN//CryptZ
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A780002\4B7E6B03.VBN//CryptZ
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C780000\4D7F8B4D.VBN//CryptZ
detected: Trojan program Backdoor.Win32.PcClient.jhu File: C:\Users\All Users\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\146C0000\5DFD76AA.VBN//CryptZ
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\Users\ben\Desktop\InvertMouse.exe
detected: malware Hoax.Win32.BadJoke.InvertMouse.a File: C:\Users\ben\Links\Downloads\InvertMouse.w32.zip/InvertMouse.exe
 
Hi

Please re-download ComboFix and run it like you did on first attempt. Post back its log and a fresh hjt log. There was an issue with it earlier causing the error you saw.
 
Ok, below are the hijackthis and combo fix logs.

Thanks so much for all your help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:32 PM, on 4/20/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{61F9ED12-2F97-4978-AD7B-FCC6C95F2A52}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{B997C016-E533-4C5E-B3CB-97E7490668F1}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6CC5C08-F55C-4251-B3C4-4BCE262BE4A9}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 6506 bytes

COMBOFIX:


ComboFix 09-04-19.01 - ben 04/20/2009 13:51.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2037.1330 [GMT -4:00]
Running from: c:\users\ben\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *enabled*
FW: ZoneAlarm Pro Firewall *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gxvxcuaximteiermvsvxtxsprwnfmvxooeoss.sys
c:\windows\system32\gxvxcbxmnpwyomqekkcjtmgjimqmtbnvepspr.dll
c:\windows\system32\gxvxccounter
c:\windows\system32\MabryObj.dll
c:\windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GXVXCSERV.SYS
-------\Service_GXVXCSERV.SYS


((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-20 15:03 . 2009-04-20 14:50 39200 ----a-w c:\windows\system32\drivers\TfSysMon.sys
2009-04-20 15:03 . 2009-04-20 14:50 33056 ----a-w c:\windows\system32\drivers\TfNetMon.sys
2009-04-20 15:03 . 2009-04-20 14:50 51488 ----a-w c:\windows\system32\drivers\TfFsMon.sys
2009-04-20 15:03 . 2009-04-20 14:50 12576 ----a-w c:\windows\system32\drivers\TfKbMon.sys
2009-04-20 14:17 . 2009-02-16 03:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-20 14:17 . 2009-04-20 14:17 -------- d-----w c:\program files\Zone Labs
2009-04-20 14:17 . 2008-02-23 04:38 170496 ----a-w c:\windows\system32\tcpipcfg.dll
2009-04-20 14:17 . 2008-02-23 02:41 22528 ----a-w c:\windows\system32\netiougc.exe
2009-04-20 14:16 . 2009-04-20 17:47 350196 ---ha-w c:\windows\system32\drivers\vsconfig.xml
2009-04-20 14:16 . 2009-04-20 17:19 -------- d-----w c:\windows\system32\ZoneLabs
2009-04-20 14:16 . 2009-02-16 03:11 293528 ----a-w c:\windows\system32\drivers\vsdatant.sys
2009-04-20 14:16 . 2009-04-20 14:16 -------- d-----w c:\users\All Users\CheckPoint
2009-04-20 14:16 . 2009-04-20 14:16 -------- d-----w c:\programdata\CheckPoint
2009-04-20 14:16 . 2009-04-20 17:52 -------- d-----w c:\windows\Internet Logs
2009-04-20 14:06 . 2009-04-10 18:14 92488 ----a-w c:\windows\system32\drivers\SysPlant.sys
2009-04-20 01:51 . 2008-12-11 12:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-20 01:51 . 2009-04-20 14:50 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-20 01:51 . 2008-12-18 16:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-20 01:51 . 2009-04-20 01:51 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-20 01:51 . 2008-12-10 16:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-20 01:50 . 2009-04-20 17:24 -------- d-----w c:\program files\Spyware Doctor
2009-04-20 01:50 . 2009-04-20 15:05 -------- d-----w c:\users\All Users\PC Tools
2009-04-20 01:50 . 2009-04-20 15:05 -------- d-----w c:\programdata\PC Tools
2009-04-20 00:34 . 2009-04-20 00:34 -------- d-----w c:\users\All Users\NortonInstaller
2009-04-20 00:34 . 2009-04-20 00:34 -------- d-----w c:\programdata\NortonInstaller
2009-04-19 16:22 . 2009-04-19 16:22 -------- d-----w c:\users\All Users\is-EL2AS
2009-04-19 16:22 . 2009-04-19 16:22 -------- d-----w c:\programdata\is-EL2AS
2009-04-19 16:21 . 2009-04-19 23:30 38348 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-19 16:21 . 2009-04-19 23:30 3180576 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-19 16:07 . 2009-04-19 16:07 -------- d-sha-r C:\autorun.inf
2009-04-18 17:58 . 2009-04-20 17:24 -------- d---a-w c:\users\All Users\TEMP
2009-04-18 17:58 . 2009-04-20 17:24 -------- d---a-w c:\programdata\TEMP
2009-04-18 17:39 . 2009-04-18 17:44 -------- d-----w c:\users\ben\.housecall6.6
2009-04-18 17:35 . 2009-04-18 17:35 -------- d-----w c:\program files\Trend Micro
2009-04-18 17:35 . 2009-04-20 12:37 -------- d-----w c:\program files\ERUNT
2009-04-18 16:26 . 2009-04-20 00:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-18 16:26 . 2009-04-19 22:54 -------- d-----w c:\users\All Users\Spybot - Search & Destroy
2009-04-18 16:26 . 2009-04-19 22:54 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-04-11 22:20 . 2009-04-16 13:36 -------- d-----w c:\program files\calibre
2009-04-10 16:50 . 2009-04-10 16:50 -------- d-----w c:\users\All Users\Marlin
2009-04-10 16:50 . 2009-04-10 16:50 -------- d-----w c:\programdata\Marlin
2009-04-10 02:46 . 2009-04-10 02:46 -------- d-----w c:\program files\DIFX
2009-04-10 02:46 . 2009-04-10 02:46 -------- d-----w c:\users\All Users\kinoma
2009-04-10 02:46 . 2009-04-10 02:46 -------- d-----w c:\programdata\kinoma
2009-03-28 15:59 . 2009-03-28 15:59 -------- d-----w c:\program files\Common Files\DivX Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 15:14 . 2009-04-20 17:20 439296 ----a-w c:\windows\Internet Logs\xDB5F03.tmp
2009-04-20 14:31 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstrng.dat
2009-04-20 14:31 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-20 14:31 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-20 14:07 . 2008-08-09 18:22 -------- d-----w c:\programdata\Symantec
2009-04-20 14:05 . 2008-08-09 18:22 -------- d-----w c:\program files\Symantec
2009-04-20 14:05 . 2008-08-09 18:27 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-20 14:05 . 2008-08-09 18:27 123952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-20 14:05 . 2008-08-09 18:27 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-20 14:05 . 2008-08-09 18:22 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-17 12:04 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-17 02:57 . 2008-08-10 14:14 -------- d-----w c:\programdata\Microsoft Help
2009-04-13 19:25 . 2009-04-13 19:25 202843 ----a-w c:\users\All Users\tmp326A.tmp
2009-04-13 19:25 . 2009-04-13 19:25 202843 ----a-w c:\programdata\tmp326A.tmp
2009-04-10 02:46 . 2008-08-09 15:11 -------- d-----w c:\program files\Sony
2009-04-10 02:45 . 2008-08-09 00:11 -------- d-----w c:\program files\Common Files\Sony Shared
2009-03-28 15:59 . 2008-09-27 17:39 -------- d-----w c:\program files\DivX
2009-03-26 12:45 . 2008-08-23 21:24 -------- d-----w c:\program files\Java
2009-03-19 15:48 . 2008-11-04 01:35 -------- d-----w c:\program files\Common Files\Adobe
2009-03-18 16:54 . 2009-03-18 16:54 -------- d-----w c:\programdata\Nitro PDF
2009-03-18 16:54 . 2009-03-18 16:54 -------- d-----w c:\program files\Nitro PDF
2009-03-18 16:54 . 2009-03-18 16:54 -------- d-----w c:\program files\Common Files\Nitro PDF
2009-03-18 16:54 . 2009-03-18 16:54 -------- d-----w c:\program files\Common Files\BCL Technologies
2009-03-17 03:38 . 2009-04-16 21:13 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-16 21:13 13824 ----a-w c:\windows\System32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 21:13 24064 ----a-w c:\windows\System32\amxread.dll
2009-03-13 22:01 . 2009-04-10 18:14 149768 ----a-w c:\windows\system32\drivers\WpsHelper.sys
2009-03-13 20:39 . 2009-03-13 20:39 -------- d-----w c:\program files\Skype
2009-03-13 20:39 . 2008-08-09 18:25 -------- d-----w c:\programdata\Skype
2009-03-13 20:39 . 2009-03-13 20:39 -------- d-----w c:\program files\Common Files\Skype
2009-03-09 09:19 . 2008-12-18 19:20 410984 ----a-w c:\windows\System32\deploytk.dll
2009-03-04 20:43 . 2009-03-04 20:43 508200 ----a-w c:\windows\System32\ICCProfiles.dll
2009-03-03 21:13 . 2009-03-03 21:13 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-03-03 21:09 . 2009-03-03 21:06 -------- d-----w c:\programdata\Intuit
2009-03-03 21:09 . 2009-03-03 21:06 -------- d-----w c:\program files\Common Files\Intuit
2009-03-03 21:05 . 2009-03-03 21:05 -------- d-----w c:\program files\TurboTax
2009-03-03 04:46 . 2009-04-16 21:13 3599328 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-16 21:13 3547632 ----a-w c:\windows\System32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-16 21:13 827392 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:39 . 2009-04-16 21:13 183296 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:39 . 2009-04-16 21:13 551424 ----a-w c:\windows\System32\rpcss.dll
2009-03-03 04:39 . 2009-04-16 21:13 26112 ----a-w c:\windows\System32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-16 21:13 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:37 . 2009-04-16 21:13 98304 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:37 . 2009-04-16 21:13 54784 ----a-w c:\windows\System32\iasads.dll
2009-03-03 04:37 . 2009-04-16 21:13 44032 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-16 21:13 666624 ----a-w c:\windows\System32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-16 21:13 17408 ----a-w c:\windows\System32\iashost.exe
2009-03-03 02:28 . 2009-04-16 21:13 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-02-13 08:49 . 2009-04-16 21:13 72704 ----a-w c:\windows\System32\secur32.dll
2009-02-13 08:49 . 2009-04-16 21:13 1255936 ----a-w c:\windows\System32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 11:14 2033152 ----a-w c:\windows\System32\win32k.sys
2009-01-21 13:15 . 2009-01-21 13:15 61954 ----a-w c:\users\All Users\tmp9EC4.tmp
2009-01-21 13:15 . 2009-01-21 13:15 61954 ----a-w c:\programdata\tmp9EC4.tmp
2008-12-18 17:41 . 2008-12-18 17:41 2482366 ----a-w c:\users\All Users\tmpDB66.tmp
2008-12-18 17:41 . 2008-12-18 17:41 2482366 ----a-w c:\programdata\tmpDB66.tmp
2008-12-18 17:26 . 2008-12-18 17:26 1234105 ----a-w c:\users\All Users\tmpECFE.tmp
2008-12-18 17:26 . 2008-12-18 17:26 1234105 ----a-w c:\programdata\tmpECFE.tmp
2008-12-02 22:34 . 2008-12-02 22:34 88995 ----a-w c:\users\All Users\tmpDEEF.tmp
2008-12-02 22:34 . 2008-12-02 22:34 88995 ----a-w c:\programdata\tmpDEEF.tmp
2008-08-19 00:54 . 2008-08-19 00:54 183531 ----a-w c:\users\All Users\tmp4935.tmp
2008-08-19 00:54 . 2008-08-19 00:54 183531 ----a-w c:\programdata\tmp4935.tmp
2008-08-09 23:34 . 2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
2008-08-09 18:40 . 2008-08-09 18:40 56 ---ha-w c:\users\All Users\ezsidmv.dat
2008-08-09 18:40 . 2008-08-09 18:40 56 ---ha-w c:\programdata\ezsidmv.dat
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-12-02 22:34 . 2008-12-02 22:34 32768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008120220081203\index.dat
2007-05-18 04:34 . 2006-11-22 14:58 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-06-02 1457152]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-04-10 115560]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2009-03-04 209216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-01-11 17:20 98304 ----a-w c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E5654AF1-78AF-4E19-90CB-AEEAB817CFE3}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{0A30989F-4F81-4971-8C3C-D4C64093AF11}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"TCP Query User{D6EC4C8A-68E9-4F8E-A0A7-D0BBFD5AC302}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{BC575FB6-6FA6-4F5E-AA78-3E9D92BBEE5B}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{49742C15-35FE-4240-9AA3-1AF7473D3665}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E83A7512-C70F-4886-AF40-2290941AFC72}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{79EB92F3-E732-41E7-AB03-116C066E7608}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{0E7C2912-1284-471A-9A01-993EB7852207}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{62EB34AD-4B31-4EE4-B2AF-49E6C01C42B0}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:µTorrent
"UDP Query User{07AAF2CD-D941-4E4C-AF02-5E4AD37FD524}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:µTorrent
"{4E4CB060-45DA-400B-A7E8-F9F3926EC6FA}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{CFF4D4FF-9C4E-4A97-9C72-357976D383DC}c:\\program files\\sony\\reader\\data\\bin\\ebook library.exe"= UDP:c:\program files\sony\reader\data\bin\ebook library.exe:eBook Library
"UDP Query User{49DD43A2-13ED-4DEC-8AAE-559BA33CE4CF}c:\\program files\\sony\\reader\\data\\bin\\ebook library.exe"= TCP:c:\program files\sony\reader\data\bin\ebook library.exe:eBook Library
"{982C99AB-9D80-4FE6-92F1-0D5C25E4D6CD}"= UDP:c:\users\ben\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{4A51AD8D-CBF9-4351-8FFF-DFDA8531C842}"= TCP:c:\users\ben\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{D4948176-4A9B-49B9-864C-4BEB4E1D23E8}"= UDP:c:\users\ben\AppData\Local\Temp\7zSB1F1.tmp\SymNRT.exe:Norton Removal Tool
"{BBC12E3B-6031-44C5-8C90-1E167CDF5ED1}"= TCP:c:\users\ben\AppData\Local\Temp\7zSB1F1.tmp\SymNRT.exe:Norton Removal Tool
"{FA9ED35D-5F4E-4BCE-BE17-1A503191460D}"= UDP:c:\users\ben\AppData\Local\Temp\7zSA356.tmp\SymNRT.exe:Norton Removal Tool
"{DAF8BD02-08DE-4F5F-86F7-B84EC304B3F1}"= TCP:c:\users\ben\AppData\Local\Temp\7zSA356.tmp\SymNRT.exe:Norton Removal Tool
"{B386F459-C4E0-4812-8C22-AE544AAC6CB0}"= UDP:c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{D2BAD6BB-4D17-44C9-AA7A-4EEBCAF0B254}"= TCP:c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{3E4D9798-8F45-47CD-ACF9-597C39C04266}"= UDP:c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service
"{D2210D4C-ACD2-4557-9330-62F7DCDCE73F}"= TCP:c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\program files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch

"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\program files\ExamSoft\SofTest.exe:*:Enabled:SofTest

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [2008-12-10 64392]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-04-20 33056]
R3 ThreatFire;ThreatFire; [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-20 130936]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-04-20 51488]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-04-20 39200]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2008-12-11 159600]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-12-21 603904]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]
S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\DRIVERS\SonyPI.sys [2002-08-21 71961]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-02-21 226304]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\Setup.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{792ce837-9240-11dd-8dab-0002c7f9c3d4}]
\shell\AutoRun\command - E:\vva0hc0p.cmd
\shell\explore\Command - E:\vva0hc0p.cmd
\shell\open\Command - E:\vva0hc0p.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a456bbdb-d039-11dd-993e-0002c7f9c3d4}]
\shell\AutoRun\command - H:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a540ce48-1895-11de-be64-0002c7f9c3d4}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL i:\presentation\Presentation-Columbia.pdf

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
cscript //B "c:\program files\Nitro PDF\Professional\RemoveOldAddins.vbs"
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 20:36]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: {61F9ED12-2F97-4978-AD7B-FCC6C95F2A52} = 208.67.220.220,208.67.222.222
TCP: {B997C016-E533-4C5E-B3CB-97E7490668F1} = 208.67.220.220,208.67.222.222
TCP: {D6CC5C08-F55C-4251-B3C4-4BCE262BE4A9} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\users\ben\AppData\Roaming\Mozilla\Firefox\Profiles\gsm81l3m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\users\ben\AppData\Roaming\Mozilla\Firefox\Profiles\gsm81l3m.default\extensions\{e23e1101-6cde-4b94-b415-508a7cde8628}\components\test.dll
FF - plugin: c:\users\ben\AppData\Roaming\Mozilla\Firefox\Profiles\gsm81l3m.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 13:58
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\users\ben\AppData\Local\Temp\gxvxc000 0 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys]
"imagepath"="\systemroot\system32\drivers\gxvxcnrrfmqlttilxlvisvvpypqbygekxrusl.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\gxvxcnrrfmqlttilxlvisvvpypqbygekxrusl.sys"
.
Completion time: 2009-04-20 14:00
ComboFix-quarantined-files.txt 2009-04-20 18:00

Pre-Run: 21,140,443,136 bytes free
Post-Run: 21,127,864,320 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
306 --- E O F --- 2009-04-17 03:00
 
IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread.

Please go to Control Panel > Programs and Features and uninstall the programs listed above (in red).


After that:

Please have your usb removable drive plugged in while doing steps listed in this post.

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Driver::
gxvxcserv.sys

File::
E:\vva0hc0p.cmd
c:\windows\system32\drivers\gxvxcnrrfmqlttilxlvisvvpypqbygekxrusl.sys

Folder::
c:\program files\utorrent

DDS::
TCP: {61F9ED12-2F97-4978-AD7B-FCC6C95F2A52} = 208.67.220.220,208.67.222.222
TCP: {B997C016-E533-4C5E-B3CB-97E7490668F1} = 208.67.220.220,208.67.222.222
TCP: {D6CC5C08-F55C-4251-B3C4-4BCE262BE4A9} = 208.67.220.220,208.67.222.222 

RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\gxvxcserv.sys]

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=-

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{D6EC4C8A-68E9-4F8E-A0A7-D0BBFD5AC302}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{BC575FB6-6FA6-4F5E-AA78-3E9D92BBEE5B}c:\\program files\\utorrent\\utorrent.exe"=-
"{79EB92F3-E732-41E7-AB03-116C066E7608}"=-
"{0E7C2912-1284-471A-9A01-993EB7852207}"=-
"TCP Query User{62EB34AD-4B31-4EE4-B2AF-49E6C01C42B0}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{07AAF2CD-D941-4E4C-AF02-5E4AD37FD524}c:\\program files\\utorrent\\utorrent.exe"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{792ce837-9240-11dd-8dab-0002c7f9c3d4}]


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe.
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.



Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
 
Below are the reports. Initially I forgot to uninstall utorrent, but it looks like combo fix did; I hope that is ok.

Please let me know what to do now. And thank you so much for your help!


ComboFix 09-04-19.01 - ben 04/20/2009 18:26.2 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2037.1219 [GMT -4:00]
Running from: c:\users\ben\Desktop\ComboFix.exe
Command switches used :: c:\users\ben\Desktop\CFScript.txt
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
FW: Symantec Endpoint Protection *disabled*
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\drivers\gxvxcnrrfmqlttilxlvisvvpypqbygekxrusl.sys
E:\vva0hc0p.cmd
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\utorrent
c:\program files\utorrent\uTorrent.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gxvxcserv.sys


((((((((((((((((((((((((( Files Created from 2009-03-20 to 2009-04-20 )))))))))))))))))))))))))))))))
.

2009-04-20 15:03 . 2009-04-20 14:50 39200 ----a-w c:\windows\system32\drivers\TfSysMon.sys
2009-04-20 15:03 . 2009-04-20 14:50 33056 ----a-w c:\windows\system32\drivers\TfNetMon.sys
2009-04-20 15:03 . 2009-04-20 14:50 51488 ----a-w c:\windows\system32\drivers\TfFsMon.sys
2009-04-20 15:03 . 2009-04-20 14:50 12576 ----a-w c:\windows\system32\drivers\TfKbMon.sys
2009-04-20 14:17 . 2009-02-16 03:10 1221512 ----a-w c:\windows\system32\zpeng25.dll
2009-04-20 14:17 . 2009-04-20 14:17 -------- d-----w c:\program files\Zone Labs
2009-04-20 14:17 . 2008-02-23 04:38 170496 ----a-w c:\windows\system32\tcpipcfg.dll
2009-04-20 14:17 . 2008-02-23 02:41 22528 ----a-w c:\windows\system32\netiougc.exe
2009-04-20 14:16 . 2009-04-20 22:34 350196 ---ha-w c:\windows\system32\drivers\vsconfig.xml
2009-04-20 14:16 . 2009-04-20 17:19 -------- d-----w c:\windows\system32\ZoneLabs
2009-04-20 14:16 . 2009-02-16 03:11 293528 ----a-w c:\windows\system32\drivers\vsdatant.sys
2009-04-20 14:16 . 2009-04-20 14:16 -------- d-----w c:\users\All Users\CheckPoint
2009-04-20 14:16 . 2009-04-20 14:16 -------- d-----w c:\programdata\CheckPoint
2009-04-20 14:16 . 2009-04-20 22:36 -------- d-----w c:\windows\Internet Logs
2009-04-20 14:06 . 2009-04-10 18:14 92488 ----a-w c:\windows\system32\drivers\SysPlant.sys
2009-04-20 01:51 . 2008-12-11 12:38 159600 ----a-w c:\windows\system32\drivers\pctgntdi.sys
2009-04-20 01:51 . 2009-04-20 14:50 130936 ----a-w c:\windows\system32\drivers\PCTCore.sys
2009-04-20 01:51 . 2008-12-18 16:16 73840 ----a-w c:\windows\system32\drivers\PCTAppEvent.sys
2009-04-20 01:51 . 2009-04-20 01:51 -------- d-----w c:\program files\Common Files\PC Tools
2009-04-20 01:51 . 2008-12-10 16:36 64392 ----a-w c:\windows\system32\drivers\pctplsg.sys
2009-04-20 01:50 . 2009-04-20 17:24 -------- d-----w c:\program files\Spyware Doctor
2009-04-20 01:50 . 2009-04-20 15:05 -------- d-----w c:\users\All Users\PC Tools
2009-04-20 01:50 . 2009-04-20 15:05 -------- d-----w c:\programdata\PC Tools
2009-04-20 00:34 . 2009-04-20 00:34 -------- d-----w c:\users\All Users\NortonInstaller
2009-04-20 00:34 . 2009-04-20 00:34 -------- d-----w c:\programdata\NortonInstaller
2009-04-19 16:22 . 2009-04-19 16:22 -------- d-----w c:\users\All Users\is-EL2AS
2009-04-19 16:22 . 2009-04-19 16:22 -------- d-----w c:\programdata\is-EL2AS
2009-04-19 16:21 . 2009-04-19 23:30 38348 --sha-w c:\windows\system32\drivers\fidbox.idx
2009-04-19 16:21 . 2009-04-19 23:30 3180576 --sha-w c:\windows\system32\drivers\fidbox.dat
2009-04-19 16:07 . 2009-04-19 16:07 -------- d-sha-r C:\autorun.inf
2009-04-18 17:58 . 2009-04-20 17:24 -------- d---a-w c:\users\All Users\TEMP
2009-04-18 17:58 . 2009-04-20 17:24 -------- d---a-w c:\programdata\TEMP
2009-04-18 17:39 . 2009-04-18 17:44 -------- d-----w c:\users\ben\.housecall6.6
2009-04-18 17:35 . 2009-04-18 17:35 -------- d-----w c:\program files\Trend Micro
2009-04-18 17:35 . 2009-04-20 12:37 -------- d-----w c:\program files\ERUNT
2009-04-18 16:26 . 2009-04-20 00:04 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-18 16:26 . 2009-04-19 22:54 -------- d-----w c:\users\All Users\Spybot - Search & Destroy
2009-04-18 16:26 . 2009-04-19 22:54 -------- d-----w c:\programdata\Spybot - Search & Destroy
2009-04-11 22:20 . 2009-04-16 13:36 -------- d-----w c:\program files\calibre
2009-04-10 16:50 . 2009-04-10 16:50 -------- d-----w c:\users\All Users\Marlin
2009-04-10 16:50 . 2009-04-10 16:50 -------- d-----w c:\programdata\Marlin
2009-04-10 02:46 . 2009-04-10 02:46 -------- d-----w c:\program files\DIFX
2009-04-10 02:46 . 2009-04-10 02:46 -------- d-----w c:\users\All Users\kinoma
2009-04-10 02:46 . 2009-04-10 02:46 -------- d-----w c:\programdata\kinoma
2009-03-28 15:59 . 2009-03-28 15:59 -------- d-----w c:\program files\Common Files\DivX Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-20 21:42 . 2009-04-20 21:42 32443115 ----a-w c:\windows\Internet Logs\vsmon_on_demand_crt_term_2009_04_20_17_29_49_full.dmp.zip
2009-04-20 21:42 . 2009-04-20 21:42 110709 ----a-w c:\windows\Internet Logs\vsmon_2nd_2009_04_20_17_29_45_small.dmp.zip
2009-04-20 15:14 . 2009-04-20 17:20 439296 ----a-w c:\windows\Internet Logs\xDB5F03.tmp
2009-04-20 14:31 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstrng.dat
2009-04-20 14:31 . 2006-11-02 10:25 51200 ----a-w c:\windows\Inf\infpub.dat
2009-04-20 14:31 . 2006-11-02 10:25 86016 ----a-w c:\windows\Inf\infstor.dat
2009-04-20 14:07 . 2008-08-09 18:22 -------- d-----w c:\programdata\Symantec
2009-04-20 14:05 . 2008-08-09 18:22 -------- d-----w c:\program files\Symantec
2009-04-20 14:05 . 2008-08-09 18:27 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-04-20 14:05 . 2008-08-09 18:27 123952 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-04-20 14:05 . 2008-08-09 18:27 10563 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-04-20 14:05 . 2008-08-09 18:22 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-04-17 12:04 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-04-17 02:57 . 2008-08-10 14:14 -------- d-----w c:\programdata\Microsoft Help
2009-04-13 19:25 . 2009-04-13 19:25 202843 ----a-w c:\users\All Users\tmp326A.tmp
2009-04-13 19:25 . 2009-04-13 19:25 202843 ----a-w c:\programdata\tmp326A.tmp
2009-04-10 02:46 . 2008-08-09 15:11 -------- d-----w c:\program files\Sony
2009-04-10 02:45 . 2008-08-09 00:11 -------- d-----w c:\program files\Common Files\Sony Shared
2009-03-28 15:59 . 2008-09-27 17:39 -------- d-----w c:\program files\DivX
2009-03-26 12:45 . 2008-08-23 21:24 -------- d-----w c:\program files\Java
2009-03-19 15:48 . 2008-11-04 01:35 -------- d-----w c:\program files\Common Files\Adobe
2009-03-18 16:54 . 2009-03-18 16:54 -------- d-----w c:\programdata\Nitro PDF
2009-03-18 16:54 . 2009-03-18 16:54 -------- d-----w c:\program files\Nitro PDF
2009-03-18 16:54 . 2009-03-18 16:54 -------- d-----w c:\program files\Common Files\Nitro PDF
2009-03-18 16:54 . 2009-03-18 16:54 -------- d-----w c:\program files\Common Files\BCL Technologies
2009-03-17 03:38 . 2009-04-16 21:13 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-16 21:13 13824 ----a-w c:\windows\System32\apilogen.dll
2009-03-17 03:38 . 2009-04-16 21:13 24064 ----a-w c:\windows\System32\amxread.dll
2009-03-13 22:01 . 2009-04-10 18:14 149768 ----a-w c:\windows\system32\drivers\WpsHelper.sys
2009-03-13 20:39 . 2009-03-13 20:39 -------- d-----w c:\program files\Skype
2009-03-13 20:39 . 2008-08-09 18:25 -------- d-----w c:\programdata\Skype
2009-03-13 20:39 . 2009-03-13 20:39 -------- d-----w c:\program files\Common Files\Skype
2009-03-09 09:19 . 2008-12-18 19:20 410984 ----a-w c:\windows\System32\deploytk.dll
2009-03-04 20:43 . 2009-03-04 20:43 508200 ----a-w c:\windows\System32\ICCProfiles.dll
2009-03-03 21:13 . 2009-03-03 21:13 -------- d-----w c:\program files\Common Files\AnswerWorks 5.0
2009-03-03 21:09 . 2009-03-03 21:06 -------- d-----w c:\programdata\Intuit
2009-03-03 21:09 . 2009-03-03 21:06 -------- d-----w c:\program files\Common Files\Intuit
2009-03-03 21:05 . 2009-03-03 21:05 -------- d-----w c:\program files\TurboTax
2009-03-03 04:46 . 2009-04-16 21:13 3599328 ----a-w c:\windows\System32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-16 21:13 3547632 ----a-w c:\windows\System32\ntoskrnl.exe
2009-03-03 04:40 . 2009-04-16 21:13 827392 ----a-w c:\windows\System32\wininet.dll
2009-03-03 04:39 . 2009-04-16 21:13 183296 ----a-w c:\windows\System32\sdohlp.dll
2009-03-03 04:39 . 2009-04-16 21:13 551424 ----a-w c:\windows\System32\rpcss.dll
2009-03-03 04:39 . 2009-04-16 21:13 26112 ----a-w c:\windows\System32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-16 21:13 78336 ----a-w c:\windows\System32\ieencode.dll
2009-03-03 04:37 . 2009-04-16 21:13 98304 ----a-w c:\windows\System32\iasrecst.dll
2009-03-03 04:37 . 2009-04-16 21:13 54784 ----a-w c:\windows\System32\iasads.dll
2009-03-03 04:37 . 2009-04-16 21:13 44032 ----a-w c:\windows\System32\iasdatastore.dll
2009-03-03 03:04 . 2009-04-16 21:13 666624 ----a-w c:\windows\System32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-16 21:13 17408 ----a-w c:\windows\System32\iashost.exe
2009-03-03 02:28 . 2009-04-16 21:13 26624 ----a-w c:\windows\System32\ieUnatt.exe
2009-02-13 08:49 . 2009-04-16 21:13 72704 ----a-w c:\windows\System32\secur32.dll
2009-02-13 08:49 . 2009-04-16 21:13 1255936 ----a-w c:\windows\System32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 11:14 2033152 ----a-w c:\windows\System32\win32k.sys
2009-01-21 13:15 . 2009-01-21 13:15 61954 ----a-w c:\users\All Users\tmp9EC4.tmp
2009-01-21 13:15 . 2009-01-21 13:15 61954 ----a-w c:\programdata\tmp9EC4.tmp
2008-12-18 17:41 . 2008-12-18 17:41 2482366 ----a-w c:\users\All Users\tmpDB66.tmp
2008-12-18 17:41 . 2008-12-18 17:41 2482366 ----a-w c:\programdata\tmpDB66.tmp
2008-12-18 17:26 . 2008-12-18 17:26 1234105 ----a-w c:\users\All Users\tmpECFE.tmp
2008-12-18 17:26 . 2008-12-18 17:26 1234105 ----a-w c:\programdata\tmpECFE.tmp
2008-12-02 22:34 . 2008-12-02 22:34 88995 ----a-w c:\users\All Users\tmpDEEF.tmp
2008-12-02 22:34 . 2008-12-02 22:34 88995 ----a-w c:\programdata\tmpDEEF.tmp
2008-08-19 00:54 . 2008-08-19 00:54 183531 ----a-w c:\users\All Users\tmp4935.tmp
2008-08-19 00:54 . 2008-08-19 00:54 183531 ----a-w c:\programdata\tmp4935.tmp
2008-08-09 23:34 . 2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
2008-08-09 18:40 . 2008-08-09 18:40 56 ---ha-w c:\users\All Users\ezsidmv.dat
2008-08-09 18:40 . 2008-08-09 18:40 56 ---ha-w c:\programdata\ezsidmv.dat
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:2009-01-27 01:34 34:38 . c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-12-02 22:34 . 2008-12-02 22:34 32768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008120220081203\index.dat
2007-05-18 04:34 . 2006-11-22 14:58 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-04-20_17.58.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-11-02 13:00 . 2009-04-20 22:34 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:00 . 2009-04-20 17:47 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2006-11-02 13:00 . 2009-04-20 17:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2006-11-02 13:00 . 2009-04-20 22:34 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2006-11-02 13:00 . 2009-04-20 17:47 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 13:00 . 2009-04-20 22:34 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-04-20 17:47 . 2009-04-20 17:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-20 22:34 . 2009-04-20 22:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2009-04-20 22:34 . 2009-04-20 22:34 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-04-20 17:47 . 2009-04-20 17:47 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2006-11-02 10:33 . 2009-04-20 22:24 595684 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-04-20 15:10 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2009-04-20 22:24 101350 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2009-04-20 15:10 101350 c:\windows\System32\perfc009.dat
- 2006-11-02 12:46 . 2009-04-20 17:50 262144 c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2006-11-02 12:46 . 2009-04-20 22:37 262144 c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2006-11-02 12:46 . 2009-04-20 17:50 262144 c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2006-11-02 12:46 . 2009-04-20 22:37 262144 c:\windows\ServiceProfiles\LocalService\NTUSER.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2008-09-07 07:20 143360 ----a-w c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerGuardian"="c:\program files\PeerGuardian2\pg2.exe" [2007-06-02 1457152]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-12-10 216520]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-12 133656]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-04-10 115560]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"Nitro PDF Printer Monitor"="c:\program files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe" [2009-03-04 209216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"HideFastUserSwitching"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2007-01-11 17:20 98304 ----a-w c:\windows\System32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E5654AF1-78AF-4E19-90CB-AEEAB817CFE3}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{0A30989F-4F81-4971-8C3C-D4C64093AF11}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{49742C15-35FE-4240-9AA3-1AF7473D3665}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{E83A7512-C70F-4886-AF40-2290941AFC72}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{4E4CB060-45DA-400B-A7E8-F9F3926EC6FA}"= c:\program files\Skype\Phone\Skype.exe:Skype
"TCP Query User{CFF4D4FF-9C4E-4A97-9C72-357976D383DC}c:\\program files\\sony\\reader\\data\\bin\\ebook library.exe"= UDP:c:\program files\sony\reader\data\bin\ebook library.exe:eBook Library
"UDP Query User{49DD43A2-13ED-4DEC-8AAE-559BA33CE4CF}c:\\program files\\sony\\reader\\data\\bin\\ebook library.exe"= TCP:c:\program files\sony\reader\data\bin\ebook library.exe:eBook Library
"{982C99AB-9D80-4FE6-92F1-0D5C25E4D6CD}"= UDP:c:\users\ben\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{4A51AD8D-CBF9-4351-8FFF-DFDA8531C842}"= TCP:c:\users\ben\AppData\Local\Temp\WZSE0.TMP\SymNRT.exe:Norton Removal Tool
"{D4948176-4A9B-49B9-864C-4BEB4E1D23E8}"= UDP:c:\users\ben\AppData\Local\Temp\7zSB1F1.tmp\SymNRT.exe:Norton Removal Tool
"{BBC12E3B-6031-44C5-8C90-1E167CDF5ED1}"= TCP:c:\users\ben\AppData\Local\Temp\7zSB1F1.tmp\SymNRT.exe:Norton Removal Tool
"{FA9ED35D-5F4E-4BCE-BE17-1A503191460D}"= UDP:c:\users\ben\AppData\Local\Temp\7zSA356.tmp\SymNRT.exe:Norton Removal Tool
"{DAF8BD02-08DE-4F5F-86F7-B84EC304B3F1}"= TCP:c:\users\ben\AppData\Local\Temp\7zSA356.tmp\SymNRT.exe:Norton Removal Tool
"{B386F459-C4E0-4812-8C22-AE544AAC6CB0}"= UDP:c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{D2BAD6BB-4D17-44C9-AA7A-4EEBCAF0B254}"= TCP:c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{3E4D9798-8F45-47CD-ACF9-597C39C04266}"= UDP:c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service
"{D2210D4C-ACD2-4557-9330-62F7DCDCE73F}"= TCP:c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\ExamSoft\\SofTest\\SoftLnch.exe"= c:\program files\ExamSoft\SoftLnch.exe:*:Enabled:SofLaunch

"c:\\Program Files\\ExamSoft\\SofTest\\softest.exe"= c:\program files\ExamSoft\SofTest.exe:*:Enabled:SofTest

R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2008-07-30 23888]
R3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [2008-12-10 64392]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-01-07 348752]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-04-20 33056]
R3 ThreatFire;ThreatFire; [x]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-04-20 130936]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-04-20 51488]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-04-20 39200]
S1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [2008-12-11 159600]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2008-12-21 603904]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]
S3 SPI;Sony Programmable I/O Control Device;c:\windows\system32\DRIVERS\SonyPI.sys [2002-08-21 71961]
S3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2006-02-21 226304]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\Setup.exe -auto

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a456bbdb-d039-11dd-993e-0002c7f9c3d4}]
\shell\AutoRun\command - H:\SETUP.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a540ce48-1895-11de-be64-0002c7f9c3d4}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL i:\presentation\Presentation-Columbia.pdf

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\Nitro PDF Professional]
cscript //B "c:\program files\Nitro PDF\Professional\RemoveOldAddins.vbs"
.
Contents of the 'Scheduled Tasks' folder

2009-04-20 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-12-11 20:36]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\COMMON~1\Skype\SKYPE4~1.DLL
FF - ProfilePath - c:\users\ben\AppData\Roaming\Mozilla\Firefox\Profiles\gsm81l3m.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - component: c:\users\ben\AppData\Roaming\Mozilla\Firefox\Profiles\gsm81l3m.default\extensions\{e23e1101-6cde-4b94-b415-508a7cde8628}\components\test.dll
FF - plugin: c:\users\ben\AppData\Roaming\Mozilla\Firefox\Profiles\gsm81l3m.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071303000006.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-20 18:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\TMP0000003BDAE434AAF34F39BB 524288 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4264)
c:\program files\Dropbox\DropboxExt.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\audiodg.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\stacsv.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\Sony\VAIO Event Service\VESMgr.exe
c:\program files\Sony\VAIO Event Service\VESMgrSub.exe
c:\windows\System32\igfxext.exe
c:\windows\System32\igfxsrvc.exe
c:\windows\System32\WUDFHost.exe
c:\windows\System32\igfxsrvc.exe
c:\program files\Dropbox\Dropbox.exe
c:\windows\System32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-04-20 18:43 - machine was rebooted
ComboFix-quarantined-files.txt 2009-04-20 22:43
ComboFix2.txt 2009-04-20 18:00

Pre-Run: 23,629,864,960 bytes free
Post-Run: 23,133,765,632 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
328 --- E O F --- 2009-04-17 03:00



---------------------------------------------------













--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Monday, April 20, 2009
Operating System: Microsoft Windows Vista Ultimate Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 21, 2009 00:25:57
Records in database: 2064463
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 126469
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 02:40:20


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\Windows\System32\gxvxcbxmnpwyomqekkcjtmgjimqmtbnvepspr.dll.vir Infected: Trojan-Downloader.Win32.Agent.brpo 1
C:\Users\ben\Desktop\InvertMouse.exe Infected: Hoax.Win32.BadJoke.InvertMouse.a 1
C:\Users\ben\Links\Downloads\InvertMouse.w32.zip Infected: Hoax.Win32.BadJoke.InvertMouse.a 1

The selected area was scanned.













Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:46 PM, on 4/20/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Windows\system32\taskeng.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Program Files\Dropbox\Dropbox.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\Explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\Java\jre6\bin\jp2launcher.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [Nitro PDF Printer Monitor] "C:\Program Files\Nitro PDF\Professional\NitroPDFPrinterMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\STacSV.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: @%SystemRoot%\System32\TUProgSt.exe,-1 (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\Windows\System32\TUProgSt.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 6647 bytes
 
Hi again,

Yes, uTorrent removed by ComboFix is ok :)

Are you using these DNS IP addresses:208.67.220.220,208.67.222.222? How's the system running now?
 
System seems to be working great - no more redirects, spybot S&D can open, etc. Thanks so much for your help - I really appreciate it!

I am not sure what my DNS address is; if this is something I should find out let me know.

Thanks again!
 
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

A To disable the System Restore feature:

1. Click on the Start button.
2. Hover over the Computer option, right click on it and then click Properties.
3. On the left hand side, click Advanced Settings.
4. If asked to permit the action, click on Allow.
5. Click on the System Protection tab.
6. Uncheck any checkboxes listed for your hard drives.
7. Press OK.


B. Reboot.

C Turn ON System Restore.
Follow the steps like you did when disabling system restore but on step 6. check any checkboxes listed for your hard drives.



Now lets uninstall ComboFix:
  • Click START then RUN
  • Now type "c:\users\ben\Desktop\ComboFix.exe" /u in the runbox and click OK


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top