Spybot S&D and other AV Issues`

S

shintorg

New member
Running XP with Firefox. Noticed I had a couple odd redirects after doing a Google search. Reinstalled Spybot S&D and it wouldn't let me connect to www.safer-networking.org, other computer on the network could. Went to update Kaspersky, which detected nothing, and it wouldn't update. Uninstalled Kaspersk and went with AVG, AVG cannot update either, running it also found nothing. A friend suggested Norten, I could update their dtbase but it found nothing.

I've tried everything in Safe Mode, with and without networking. AVG detects nothing, no dose the Trend HouseCall. Spybot will not actually run on this machine, no connect to update. I cannot browse most anti-virus/malware site. Getting to the point where a reformat sounds good, but I figured I'd try the real tech forums first. Fairly computer and Internet literate, which these days seems to mean I am capable of being a danger to myself and my machine.

I mistakenly started this post in the wrong forums and was pointed here. Here's the HJT log as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:45:49 PM, on 3/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\shintorg\My Documents\brad\real\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\IPSBHO.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVGIDS] "C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 2485 bytes
 
Hi,

Download DDS and save it to your desktop from here or here or here.
Disable any script blocker, and then double click dds.scr to run the tool.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt
  • Save both reports to your desktop. Post them back to your topic.
 
Here they are. Thank you.


DDS (Ver_09-03-16.01) - NTFSx86
Run by shintorg at 14:16:37.53 on Fri 03/27/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.403 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\imapi.exe
C:\Documents and Settings\shintorg\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
uRunOnce: [DefaultP17MIDI] MIDIDEF.EXE
uRunOnce: [DefaultP17] P17Def.Exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
StartupFolder: c:\docume~1\shintorg\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shintorg\applic~1\mozilla\firefox\profiles\d2zqdpon.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.expiation-guild.org/joomla/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-24 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-24 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-24 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090318.001\IDSXpx86.sys

[2009-3-24 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-24 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-24 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090327.005\NAVENG.SYS [2009-3

-27 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090327.005\NAVEX15.SYS

[2009-3-27 876144]

=============== Created Last 30 ================

2009-03-25 16:02 53,248 a----r-- c:\windows\system32\P17CPI.dll
2009-03-25 16:02 1,389,056 a----r-- c:\windows\system32\drivers\P17.sys
2009-03-25 16:02 137,728 a----r-- c:\windows\system32\P17res.dll
2009-03-25 16:02 64,512 a----r-- c:\windows\system32\P17.dll
2009-03-25 16:02 2,167,684 a----r-- c:\windows\system32\ct2mgm.sf2
2009-03-25 16:02 138,752 a----r-- c:\windows\system32\drivers\ctsfm2k.sys
2009-03-25 16:02 115,200 a----r-- c:\windows\system32\sfms32.dll
2009-03-25 16:02 106,496 a----r-- c:\windows\system32\drivers\ctoss2k.sys
2009-03-25 16:02 20,992 a----r-- c:\windows\system32\sfman32.dll
2009-03-25 01:12 <DIR> --d----- c:\windows\system32\URTTemp
2009-03-25 00:52 <DIR> --d----- C:\Sid Meier's Civilization 4
2009-03-25 00:51 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-03-24 19:55 <DIR> --d--r-- c:\program files\Norton Support
2009-03-24 19:41 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-24 19:41 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-24 19:41 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-24 19:41 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-24 19:41 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-24 19:41 <DIR> --d----- c:\program files\Symantec
2009-03-24 19:41 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-03-24 19:40 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-03-24 19:40 <DIR> --d----- c:\program files\Norton AntiVirus
2009-03-24 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-03-24 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-03-24 19:38 <DIR> --d----- c:\program files\NortonInstaller
2009-03-24 19:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-24 18:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-24 17:54 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-24 17:53 <DIR> --d----- c:\docume~1\shintorg\applic~1\HouseCall 6.6
2009-03-24 17:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-24 16:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-03-24 16:46 <DIR> --d----- c:\program files\AVG
2009-03-24 16:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-24 14:05 347 a------- c:\windows\CTWave32.INI
2009-03-24 14:05 29 a------- c:\windows\sfbm.INI
2009-03-16 08:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-03-10 12:04 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-03-09 16:09 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-03-09 03:00 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-08 02:48 <DIR> --d----- c:\program files\Elements
2009-03-08 02:48 20,016 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-03-08 02:48 82,432 a------- c:\windows\system32\msxml4r.dll
2009-03-05 04:00 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-05 02:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 02:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-03 12:53 <DIR> --d----- C:\World of Warcraft
2009-03-03 12:42 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-03-03 12:39 <DIR> --d----- c:\windows\system32\LogFiles
2009-03-03 12:37 13,646 a------- c:\windows\system32\wpa.bak
2009-03-03 12:32 <DIR> --d----- C:\World of Warcraft Public Test
2009-03-03 11:52 <DIR> --d----- C:\fsaua.data
2009-03-03 11:25 <DIR> --d----- c:\docume~1\shintorg\applic~1\Malwarebytes
2009-03-03 11:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-03 11:16 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-03-03 11:16 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-03 11:16 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-03-03 11:16 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 11:16 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 11:16 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 11:16 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 11:15 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 11:12 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-03-03 11:12 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-03 11:12 <DIR> --d-h--- c:\windows\$hf_mig$
2009-03-03 11:06 1,072 a------- c:\windows\system32\settingsbkup.sfm
2009-03-03 11:06 1,072 a------- c:\windows\system32\settings.sfm
2009-03-03 11:06 <DIR> --dshr-- C:\autorun.inf
2009-03-03 10:50 647,872 -------- c:\windows\system32\Mscomct2.ocx
2009-03-03 10:50 41,984 -------- c:\windows\Ctregrun.exe
2009-03-03 10:47 183 a------- c:\windows\setuplog
2009-03-03 10:43 <DIR> --d----- c:\windows\RegisteredPackages
2009-03-03 10:43 <DIR> --d----- c:\program files\Creative
2009-03-03 10:21 446,464 a------- c:\windows\system32\CapabilityTable.exe
2009-03-03 10:21 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-03-03 10:21 1,570 -------- c:\windows\system32\nvide.nvu
2009-03-03 10:21 363,008 a----r-- c:\windows\system32\idecoiins.dll
2009-03-03 10:21 363,008 a----r-- c:\windows\system32\idecoi.dll
2009-03-03 10:21 105,344 a----r-- c:\windows\system32\drivers\nvata.sys
2009-03-03 10:21 35,840 a----r-- c:\windows\system32\NVCOI.DLL
2009-03-03 10:21 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-03-03 10:21 356,352 -------- c:\windows\system32\nvuide.exe
2009-03-03 10:21 202,240 a----r-- c:\windows\system32\fdco1ins.dll
2009-03-03 10:21 52,736 a----r-- c:\windows\system32\drivers\NVENETFD.sys
2009-03-03 10:21 202,240 a------- c:\windows\system32\fdco1.dll
2009-03-03 10:20 110,080 a----r-- c:\windows\system32\drivers\nvtcp.sys
2009-03-03 10:20 208,896 a------- c:\windows\system32\nvunrm.exe
2009-03-03 10:20 3,903 a------- c:\windows\system32\nvnrm.nvu
2009-03-03 10:20 261,120 a----r-- c:\windows\system32\drivers\nvsnpu.sys
2009-03-03 10:20 35,840 a----r-- c:\windows\system32\nvconrm.dll
2009-03-03 10:20 10,240 a----r-- c:\windows\system32\bdco1ins.dll
2009-03-03 10:20 10,240 a----r-- c:\windows\system32\bdco1.dll
2009-03-03 10:20 <DIR> --d----- c:\windows\NV18361868.TMP
2009-03-03 10:20 1,104,896 a----r-- c:\windows\system32\drivers\nvnrm.sys
2009-03-03 10:20 208,896 a----r-- c:\windows\system32\nvusmb.exe
2009-03-03 10:20 18,944 a----r-- c:\windows\system32\drivers\nvnetbus.sys
2009-03-03 10:20 1,864 a----r-- c:\windows\system32\nvsmb.nvu
2009-03-03 10:15 <DIR> --d----- c:\program files\uTorrent
2009-03-03 10:15 <DIR> --d----- c:\docume~1\shintorg\applic~1\uTorrent
2009-03-03 10:14 <DIR> --d----- c:\program files\VLC
2009-03-03 10:13 <DIR> --d----- c:\program files\Ventrilo
2009-03-03 10:13 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-03-03 10:13 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-03 10:13 <DIR> --d----- C:\Fraps
2009-03-03 10:11 94,610 a------- c:\windows\system32\nvapps.xml
2009-03-03 10:10 356,352 a------- c:\windows\system32\nvudisp.exe
2009-03-03 10:10 17,056 a------- c:\windows\system32\nvdisp.nvu
2009-03-03 10:10 <DIR> --d----- c:\windows\nview
2009-03-03 10:10 356,352 a------- c:\windows\system32\NVUNINST.EXE
2009-03-03 10:07 <DIR> --d----- c:\documents and settings\shintorg
2009-03-03 10:06 <DIR> --ds---- c:\windows\system32\Microsoft
2009-03-03 10:06 8,192 a------- c:\windows\REGLOCS.OLD
2009-03-03 10:04 92,416 ac------ c:\windows\system32\dllcache\mga.sys
2009-03-03 10:03 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-03-03 10:03 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-03-03 10:03 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-03-03 10:03 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-03 10:03 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-03-03 10:03 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-03-03 10:03 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-03-03 10:03 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
2009-03-03 10:03 <DIR> --d----- c:\windows\system32\DirectX
2009-03-03 10:02 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-03 10:01 <DIR> --d----- c:\program files\Online Services
2009-03-03 10:01 <DIR> --d----- c:\program files\Messenger
2009-03-03 10:01 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-03-03 10:01 <DIR> --d----- c:\program files\Windows NT
2009-03-03 00:35 <DIR> --d----- c:\program files\common files\ODBC
2009-03-03 00:35 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-03-03 00:35 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-03-25 01:46 163,644 a------- c:\windows\system32\drivers\secdrv.sys
2009-03-03 10:11 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-03 10:02 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-02-26 12:46 74,760 a------- c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 12:46 25,608 a------- c:\windows\system32\drivers\AVGIDSErHr.sys
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-03 07:24 81,920 a------- c:\windows\system32\frapsvid.dll

============= FINISH: 14:16:53.03 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/3/2009 9:05:23 AM
System Uptime: 3/25/2009 3:34:25 PM (47 hours ago)

Motherboard: EVGA | | NF68
Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz | Socket 775 | 2400/342mhz
Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz | Socket 775 | 2400/342mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 298 GiB total, 134.044 GiB free.
D: is FIXED (FAT32) - 931 GiB total, 789.35 GiB free.
E: is CDROM (CDFS)

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP50: 3/25/2009 3:33:12 PM - System Checkpoint

==== Installed Programs ======================

µTorrent
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Premiere Elements 3.0
Adobe Premiere Elements 3.0 Templates
AVG Identity Protection
Creative System Information
Critical Update for Windows Media Player 11 (KB959772)
Fraps (remove only)
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
HouseCall 6.6
Java(TM) 6 Update 12
Microsoft .NET Framework 1.1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.0.7)
MSXML 4.0 SP2 (KB954430)
Norton AntiVirus
NVIDIA Drivers
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB944338-v2)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Sid Meier's Civilization 4
Sid Meier's Civilization 4 - Beyond the Sword
Update for Windows XP (KB898461)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Ventrilo Client
VLC media player 0.9.8a
WebFldrs XP
Windows Media Format 11 runtime
Windows Media Player 11
Wow Web Stats Client v3.0

==== Event Viewer Messages From Past Week ========

3/24/2009 7:38:45 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the

file '' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
3/24/2009 6:41:02 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments ""

in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/24/2009 6:40:10 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service upnphost with arguments "" in

order to run the server: {204810B9-73B2-11D4-BF42-00B0D0118B56}
3/24/2009 5:41:46 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load:

AFD AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
3/24/2009 5:41:46 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which

failed to start because of the following error: A device attached to the system is not functioning.
3/24/2009 5:41:46 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which

failed to start because of the following error: A device attached to the system is not functioning.
3/24/2009 5:41:46 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service

which failed to start because of the following error: A device attached to the system is not functioning.
3/24/2009 5:41:46 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service

which failed to start because of the following error: A device attached to the system is not functioning.
3/24/2009 5:40:12 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in

order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/24/2009 3:37:24 PM, error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk

utility on the volume C:.
3/24/2009 2:11:02 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load:

Fips intelppm
3/24/2009 1:38:33 PM, error: NetBT [4307] - Initialization failed because the transport refused to open initial Addresses.
3/24/2009 1:38:28 PM, error: Service Control Manager [7000] - The Kaspersky Internet Security service failed to start due to the

following error: The service did not respond to the start or control request in a timely fashion.
3/24/2009 1:38:28 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Kaspersky Internet

Security service to connect.
3/24/2009 1:35:10 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load:

Fips intelppm kl1 klbg KLIF
3/23/2009 6:51:51 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action

(Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed

with the following error: An instance of the service is already running.
3/24/2009 8:15:37 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000369' while processing the

file 'wdlogo.ico' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
3/25/2009 2:47:48 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000369' while processing the

file 'Interface' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
3/26/2009 12:06:14 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000369' while processing

the file 'Lorrie Morgan' on the volume 'HarddiskVolume2'. It has stopped monitoring the volume.
3/25/2009 2:01:43 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file

c:\windows\system32\a3d.dll. This file was restored to the original version to maintain system stability. The file version of the

system file is 80.0.0.3.

==== End Of File ===========================
 
Hi


IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent


I'd like you to read this thread.

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Program Files\uTorrent

Empty Recycle Bin.

After that:


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  2. Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds.txt log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
 
Removed teh torrent program and followed the combofix guide. Then reran dds after turning AVG backon. Here's the logs.

ComboFix 09-03-29.02 - shintorg 2009-03-29 16:44:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1698 [GMT -4:00]
Running from: c:\documents and settings\shintorg\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gaopdxscthqrweabpfdibnriesmkbbbvpyxmta.sys
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxmejdnosecwsrsbwyksiquhxidctiqbow.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
.

2009-03-28 13:54 . 2005-07-06 20:14 1,389,056 -ra------ c:\windows\system32\drivers\P17.sys
2009-03-28 13:54 . 2003-10-01 22:48 53,248 -ra------ c:\windows\system32\P17CPI.dll
2009-03-28 13:53 . 1999-09-21 11:18 2,167,684 -ra------ c:\windows\system32\ct2mgm.sf2
2009-03-28 13:53 . 2005-01-09 22:15 138,752 -ra------ c:\windows\system32\drivers\ctsfm2k.sys
2009-03-28 13:53 . 2005-06-13 01:03 137,728 -ra------ c:\windows\system32\P17res.dll
2009-03-28 13:53 . 2005-01-09 22:15 115,200 -ra------ c:\windows\system32\sfms32.dll
2009-03-28 13:53 . 2005-01-09 22:15 106,496 -ra------ c:\windows\system32\drivers\ctoss2k.sys
2009-03-28 13:53 . 2005-01-09 22:15 20,992 -ra------ c:\windows\system32\sfman32.dll
2009-03-25 16:02 . 2005-05-02 23:38 64,512 -ra------ c:\windows\system32\P17.dll
2009-03-25 01:12 . 2009-03-25 01:12 <DIR> d-------- c:\windows\system32\URTTemp
2009-03-25 01:07 . 2009-03-25 01:07 <DIR> d-------- c:\documents and settings\shintorg\Application Data\InstallShield
2009-03-25 00:52 . 2009-03-25 01:13 <DIR> d-------- C:\Sid Meier's Civilization 4
2009-03-25 00:51 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2009-03-24 19:55 . 2009-03-24 19:55 <DIR> dr------- c:\program files\Norton Support
2009-03-24 19:41 . 2009-03-24 19:41 <DIR> d-------- c:\program files\Symantec
2009-03-24 19:41 . 2009-03-24 19:45 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-03-24 19:41 . 2009-03-24 19:41 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-24 19:41 . 2009-03-24 19:41 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-24 19:41 . 2009-03-24 19:41 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-24 19:41 . 2009-03-24 19:41 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-24 19:41 . 2009-03-24 19:41 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-24 19:40 . 2009-03-24 19:40 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-03-24 19:40 . 2009-03-24 19:40 <DIR> d-------- c:\program files\Windows Sidebar
2009-03-24 19:40 . 2009-03-24 19:41 <DIR> d-------- c:\program files\Norton AntiVirus
2009-03-24 19:40 . 2009-03-25 13:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-24 19:40 . 2009-03-24 19:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-24 19:38 . 2009-03-24 19:38 <DIR> d-------- c:\program files\NortonInstaller
2009-03-24 19:38 . 2009-03-24 19:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-24 18:14 . 2009-03-25 15:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-24 17:54 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-24 17:53 . 2009-03-24 18:21 <DIR> d-------- c:\documents and settings\shintorg\Application Data\HouseCall 6.6
2009-03-24 17:36 . 2009-03-25 15:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-24 16:46 . 2009-03-24 16:46 <DIR> d-------- c:\program files\AVG
2009-03-24 16:46 . 2009-03-24 16:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-24 16:46 . 2009-03-24 19:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-24 14:05 . 2009-03-25 15:33 347 --a------ c:\windows\CTWave32.INI
2009-03-24 14:05 . 2009-03-24 14:05 29 --a------ c:\windows\sfbm.INI
2009-03-17 12:19 . 2009-03-24 19:40 <DIR> d-------- c:\documents and settings\Administrator
2009-03-16 08:47 . 2009-03-24 13:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-16 08:41 . 2009-03-16 08:41 <DIR> d-------- c:\windows\Sun
2009-03-10 12:04 . 2009-03-10 12:04 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-03-09 16:09 . 2004-08-04 08:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-03-09 03:00 . 2009-03-09 03:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-08 02:48 . 2009-03-08 02:50 <DIR> d-------- c:\program files\Elements
2009-03-08 02:48 . 2009-03-08 02:50 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-08 02:48 . 2009-03-08 02:48 82,432 --a------ c:\windows\system32\msxml4r.dll
2009-03-08 02:48 . 2009-03-08 02:46 20,016 --------- c:\windows\system32\drivers\pxhelp20.sys
2009-03-05 04:00 . 2004-08-04 08:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-05 02:04 . 2009-03-28 13:58 <DIR> d-------- c:\program files\Java
2009-03-05 02:04 . 2009-03-09 05:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-05 02:04 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-03 14:46 . 2009-03-29 01:24 <DIR> d-------- c:\documents and settings\shintorg\Application Data\dvdcss
2009-03-03 14:45 . 2009-03-17 15:26 <DIR> d-------- c:\documents and settings\shintorg\Application Data\vlc
2009-03-03 12:53 . 2009-03-14 02:39 <DIR> d-------- C:\World of Warcraft
2009-03-03 12:42 . 2009-03-03 12:43 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-03-03 12:41 . 2009-03-03 15:44 <DIR> d-------- c:\documents and settings\shintorg\Application Data\Ventrilo
2009-03-03 12:39 . 2009-03-03 12:39 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-03 12:39 . 2009-03-03 12:40 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-03-03 12:37 . 2009-03-03 12:37 13,646 --a------ c:\windows\system32\wpa.bak
2009-03-03 12:32 . 2009-03-24 01:20 <DIR> d-------- C:\World of Warcraft Public Test
2009-03-03 11:52 . 2009-03-03 11:52 <DIR> d-------- C:\fsaua.data
2009-03-03 11:25 . 2009-03-03 11:25 <DIR> d-------- c:\documents and settings\shintorg\Application Data\Malwarebytes
2009-03-03 11:25 . 2009-03-03 11:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 11:16 . 2009-03-11 02:07 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-03-03 11:16 . 2008-08-14 06:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 11:16 . 2008-08-14 05:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 11:16 . 2008-08-14 05:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 11:16 . 2008-08-14 05:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 11:16 . 2008-06-13 09:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-03-03 11:16 . 2008-06-13 09:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-03 11:15 . 2008-10-24 07:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 11:12 . 2009-03-10 17:51 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-03 11:12 . 2007-07-27 09:41 26,488 --a------ c:\windows\system32\spupdsvc.exe
2009-03-03 11:06 . 2009-03-03 11:06 <DIR> d-------- c:\documents and settings\shintorg\Application Data\Creative
2009-03-03 11:06 . 2009-03-28 13:48 1,072 --a------ c:\windows\system32\settingsbkup.sfm
2009-03-03 11:06 . 2009-03-28 13:48 1,072 --a------ c:\windows\system32\settings.sfm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-29 20:23 --------- d-----w c:\documents and settings\shintorg\Application Data\uTorrent
2009-03-25 19:33 --------- d-----w c:\program files\Creative
2009-03-25 05:46 163,644 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-03-25 05:13 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-20 04:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-03 14:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-03 14:18 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2009-03-03 14:15 --------- d-----w c:\program files\VLC
2009-03-03 14:13 --------- d-----w c:\program files\Ventrilo
2009-03-03 14:13 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-03 14:04 --------- d-----w c:\program files\microsoft frontpage
2009-02-26 16:46 74,760 ----a-w c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 16:46 25,608 ----a-w c:\windows\system32\drivers\AVGIDSErHr.sys
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-01-03 11:24 81,920 ----a-w c:\windows\system32\frapsvid.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DefaultP17MIDI"="MIDIDEF.EXE" [2002-12-02 c:\windows\MIDIDEF.EXE]
"DefaultP17"="P17Def.Exe" [2005-05-02 c:\windows\P17DEF.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"P17Helper"="P17.dll" [2005-05-02 c:\windows\system32\P17.dll]

c:\documents and settings\shintorg\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-24 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-24 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [2009-03-24 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090318.001\IDSXpx86.sys [2009-03-24 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-24 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-24 101936]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-AVGIDS - c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
Notify-avgrsstarter - (no file)


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\shintorg\Application Data\Mozilla\Firefox\Profiles\d2zqdpon.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.expiation-guild.org/joomla/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-29 16:46:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
Completion time: 2009-03-29 16:47:02
ComboFix-quarantined-files.txt 2009-03-29 20:47:00

Pre-Run: 143,890,960,384 bytes free
Post-Run: 143,888,093,184 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

179 --- E O F --- 2009-03-11 06:07:32


DDS (Ver_09-03-16.01) - NTFSx86
Run by shintorg at 16:51:54.53 on Sun 03/29/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1554 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\shintorg\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\shintorg\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shintorg\applic~1\mozilla\firefox\profiles\d2zqdpon.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.expiation-guild.org/joomla/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-24 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-24 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-24 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090318.001\IDSXpx86.sys [2009-3-24 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-24 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-24 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090329.003\NAVENG.SYS [2009-3-29 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090329.003\NAVEX15.SYS [2009-3-29 876144]

=============== Created Last 30 ================

2009-03-29 16:35 <DIR> a-dshr-- C:\cmdcons
2009-03-29 16:34 161,792 a------- c:\windows\SWREG.exe
2009-03-29 16:34 98,816 a------- c:\windows\sed.exe
2009-03-29 16:34 <DIR> --d----- C:\ComboFix
2009-03-28 13:54 53,248 a----r-- c:\windows\system32\P17CPI.dll
2009-03-28 13:54 1,389,056 a----r-- c:\windows\system32\drivers\P17.sys
2009-03-28 13:53 137,728 a----r-- c:\windows\system32\P17res.dll
2009-03-28 13:53 2,167,684 a----r-- c:\windows\system32\ct2mgm.sf2
2009-03-28 13:53 115,200 a----r-- c:\windows\system32\sfms32.dll
2009-03-28 13:53 20,992 a----r-- c:\windows\system32\sfman32.dll
2009-03-28 13:53 138,752 a----r-- c:\windows\system32\drivers\ctsfm2k.sys
2009-03-28 13:53 106,496 a----r-- c:\windows\system32\drivers\ctoss2k.sys
2009-03-25 16:02 64,512 a----r-- c:\windows\system32\P17.dll
2009-03-25 01:12 <DIR> --d----- c:\windows\system32\URTTemp
2009-03-25 00:52 <DIR> --d----- C:\Sid Meier's Civilization 4
2009-03-25 00:51 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-03-24 19:55 <DIR> --d--r-- c:\program files\Norton Support
2009-03-24 19:41 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-24 19:41 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-24 19:41 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-24 19:41 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-24 19:41 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-24 19:41 <DIR> --d----- c:\program files\Symantec
2009-03-24 19:41 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-03-24 19:40 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-03-24 19:40 <DIR> --d----- c:\program files\Norton AntiVirus
2009-03-24 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-03-24 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-03-24 19:38 <DIR> --d----- c:\program files\NortonInstaller
2009-03-24 19:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-24 18:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-24 17:54 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-24 17:53 <DIR> --d----- c:\docume~1\shintorg\applic~1\HouseCall 6.6
2009-03-24 17:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-24 16:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-03-24 16:46 <DIR> --d----- c:\program files\AVG
2009-03-24 16:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-24 14:05 347 a------- c:\windows\CTWave32.INI
2009-03-24 14:05 29 a------- c:\windows\sfbm.INI
2009-03-16 08:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-03-10 12:04 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-03-09 16:09 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-03-09 03:00 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-08 02:48 <DIR> --d----- c:\program files\Elements
2009-03-08 02:48 20,016 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-03-08 02:48 82,432 a------- c:\windows\system32\msxml4r.dll
2009-03-05 04:00 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-05 02:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 02:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-03 12:53 <DIR> --d----- C:\World of Warcraft
2009-03-03 12:42 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-03-03 12:39 <DIR> --d----- c:\windows\system32\LogFiles
2009-03-03 12:37 13,646 a------- c:\windows\system32\wpa.bak
2009-03-03 12:32 <DIR> --d----- C:\World of Warcraft Public Test
2009-03-03 11:52 <DIR> --d----- C:\fsaua.data
2009-03-03 11:25 <DIR> --d----- c:\docume~1\shintorg\applic~1\Malwarebytes
2009-03-03 11:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-03 11:16 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-03-03 11:16 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-03 11:16 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-03-03 11:16 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 11:16 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 11:16 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 11:16 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 11:15 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 11:12 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-03-03 11:12 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-03 11:12 <DIR> --d-h--- c:\windows\$hf_mig$
2009-03-03 11:06 1,072 a------- c:\windows\system32\settingsbkup.sfm
2009-03-03 11:06 1,072 a------- c:\windows\system32\settings.sfm
2009-03-03 11:06 <DIR> --dshr-- C:\autorun.inf
2009-03-03 10:50 647,872 -------- c:\windows\system32\Mscomct2.ocx
2009-03-03 10:50 41,984 -------- c:\windows\Ctregrun.exe
2009-03-03 10:47 183 a------- c:\windows\setuplog
2009-03-03 10:43 <DIR> --d----- c:\windows\RegisteredPackages
2009-03-03 10:43 <DIR> --d----- c:\program files\Creative
2009-03-03 10:21 446,464 a------- c:\windows\system32\CapabilityTable.exe
2009-03-03 10:21 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-03-03 10:21 1,570 -------- c:\windows\system32\nvide.nvu
2009-03-03 10:21 363,008 a----r-- c:\windows\system32\idecoiins.dll
2009-03-03 10:21 363,008 a----r-- c:\windows\system32\idecoi.dll
2009-03-03 10:21 105,344 a----r-- c:\windows\system32\drivers\nvata.sys
2009-03-03 10:21 35,840 a----r-- c:\windows\system32\NVCOI.DLL
2009-03-03 10:21 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-03-03 10:21 356,352 -------- c:\windows\system32\nvuide.exe
2009-03-03 10:21 202,240 a----r-- c:\windows\system32\fdco1ins.dll
2009-03-03 10:21 52,736 a----r-- c:\windows\system32\drivers\NVENETFD.sys
2009-03-03 10:21 202,240 a------- c:\windows\system32\fdco1.dll
2009-03-03 10:20 110,080 a----r-- c:\windows\system32\drivers\nvtcp.sys
2009-03-03 10:20 208,896 a------- c:\windows\system32\nvunrm.exe
2009-03-03 10:20 3,903 a------- c:\windows\system32\nvnrm.nvu
2009-03-03 10:20 261,120 a----r-- c:\windows\system32\drivers\nvsnpu.sys
2009-03-03 10:20 35,840 a----r-- c:\windows\system32\nvconrm.dll
2009-03-03 10:20 10,240 a----r-- c:\windows\system32\bdco1ins.dll
2009-03-03 10:20 10,240 a----r-- c:\windows\system32\bdco1.dll
2009-03-03 10:20 <DIR> --d----- c:\windows\NV18361868.TMP
2009-03-03 10:20 1,104,896 a----r-- c:\windows\system32\drivers\nvnrm.sys
2009-03-03 10:20 208,896 a----r-- c:\windows\system32\nvusmb.exe
2009-03-03 10:20 18,944 a----r-- c:\windows\system32\drivers\nvnetbus.sys
2009-03-03 10:20 1,864 a----r-- c:\windows\system32\nvsmb.nvu
2009-03-03 10:15 <DIR> --d----- c:\docume~1\shintorg\applic~1\uTorrent
2009-03-03 10:14 <DIR> --d----- c:\program files\VLC
2009-03-03 10:13 <DIR> --d----- c:\program files\Ventrilo
2009-03-03 10:13 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-03-03 10:13 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-03 10:13 <DIR> --d----- C:\Fraps
2009-03-03 10:11 94,610 a------- c:\windows\system32\nvapps.xml
2009-03-03 10:10 356,352 a------- c:\windows\system32\nvudisp.exe
2009-03-03 10:10 17,056 a------- c:\windows\system32\nvdisp.nvu
2009-03-03 10:10 <DIR> --d----- c:\windows\nview
2009-03-03 10:10 356,352 a------- c:\windows\system32\NVUNINST.EXE
2009-03-03 10:07 <DIR> --d----- c:\documents and settings\shintorg
2009-03-03 10:06 <DIR> --ds---- c:\windows\system32\Microsoft
2009-03-03 10:06 8,192 a------- c:\windows\REGLOCS.OLD
2009-03-03 10:04 92,416 ac------ c:\windows\system32\dllcache\mga.sys
2009-03-03 10:03 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-03-03 10:03 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-03-03 10:03 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-03-03 10:03 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-03 10:03 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-03-03 10:03 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-03-03 10:03 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-03-03 10:03 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
2009-03-03 10:03 <DIR> --d----- c:\windows\system32\DirectX
2009-03-03 10:02 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-03 10:01 <DIR> --d----- c:\program files\Online Services
2009-03-03 10:01 <DIR> --d----- c:\program files\Messenger
2009-03-03 10:01 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-03-03 10:01 <DIR> --d----- c:\program files\Windows NT
2009-03-03 00:35 <DIR> --d----- c:\program files\common files\ODBC
2009-03-03 00:35 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-03-03 00:35 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-03-25 01:46 163,644 a------- c:\windows\system32\drivers\secdrv.sys
2009-03-03 10:11 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-03 10:02 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-02-26 12:46 74,760 a------- c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 12:46 25,608 a------- c:\windows\system32\drivers\AVGIDSErHr.sys
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-03 07:24 81,920 a------- c:\windows\system32\frapsvid.dll

============= FINISH: 16:52:06.87 ===============
 
Hi again



Open notepad and copy/paste the text in the quotebox below into it:

Code: 
Folder::
c:\documents and settings\shintorg\Application Data\uTorrent
C:\autorun.inf

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-


Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
 
Here's te three reports:the Kaspersky, the DDS and the ComboFixer.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Monday, March 30, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 30, 2009 14:35:03
Records in database: 1986635
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 74819
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:32:24


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\gaopdxmejdnosecwsrsbwyksiquhxidctiqbow.dll.vir Infected: Packed.Win32.Tdss.f 1

The selected area was scanned.


DDS (Ver_09-03-16.01) - NTFSx86
Run by shintorg at 13:41:30.50 on Mon 03/30/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1281 [GMT -4:00]

AV: Norton AntiVirus *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\shintorg\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\shintorg\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shintorg\applic~1\mozilla\firefox\profiles\d2zqdpon.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.expiation-guild.org/joomla/
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\vlc\npvlc.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-3-24 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-3-24 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-3-24 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090318.001\IDSXpx86.sys [2009-3-24 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-3-24 115560]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090330.002\NAVENG.SYS [2009-3-30 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090330.002\NAVEX15.SYS [2009-3-30 876144]

=============== Created Last 30 ================

2009-03-30 12:39 <DIR> --d----- C:\ComboFix
2009-03-29 16:35 <DIR> a-dshr-- C:\cmdcons
2009-03-29 16:34 161,792 a------- c:\windows\SWREG.exe
2009-03-29 16:34 98,816 a------- c:\windows\sed.exe
2009-03-28 13:54 53,248 a----r-- c:\windows\system32\P17CPI.dll
2009-03-28 13:54 1,389,056 a----r-- c:\windows\system32\drivers\P17.sys
2009-03-28 13:53 137,728 a----r-- c:\windows\system32\P17res.dll
2009-03-28 13:53 2,167,684 a----r-- c:\windows\system32\ct2mgm.sf2
2009-03-28 13:53 115,200 a----r-- c:\windows\system32\sfms32.dll
2009-03-28 13:53 20,992 a----r-- c:\windows\system32\sfman32.dll
2009-03-28 13:53 138,752 a----r-- c:\windows\system32\drivers\ctsfm2k.sys
2009-03-28 13:53 106,496 a----r-- c:\windows\system32\drivers\ctoss2k.sys
2009-03-25 16:02 64,512 a----r-- c:\windows\system32\P17.dll
2009-03-25 01:12 <DIR> --d----- c:\windows\system32\URTTemp
2009-03-25 00:52 <DIR> --d----- C:\Sid Meier's Civilization 4
2009-03-25 00:51 2,297,552 a------- c:\windows\system32\d3dx9_26.dll
2009-03-24 19:55 <DIR> --d--r-- c:\program files\Norton Support
2009-03-24 19:41 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-03-24 19:41 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-24 19:41 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-03-24 19:41 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-24 19:41 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-03-24 19:41 <DIR> --d----- c:\program files\Symantec
2009-03-24 19:41 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-03-24 19:40 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-03-24 19:40 <DIR> --d----- c:\program files\Norton AntiVirus
2009-03-24 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-03-24 19:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Norton
2009-03-24 19:38 <DIR> --d----- c:\program files\NortonInstaller
2009-03-24 19:38 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NortonInstaller
2009-03-24 18:14 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-24 17:54 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-24 17:53 <DIR> --d----- c:\docume~1\shintorg\applic~1\HouseCall 6.6
2009-03-24 17:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-03-24 16:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2009-03-24 16:46 <DIR> --d----- c:\program files\AVG
2009-03-24 16:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-03-24 14:05 347 a------- c:\windows\CTWave32.INI
2009-03-24 14:05 29 a------- c:\windows\sfbm.INI
2009-03-16 08:47 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2009-03-10 12:04 <DIR> --d----- c:\program files\common files\Blizzard Entertainment
2009-03-09 16:09 13,463,552 ac------ c:\windows\system32\dllcache\hwxjpn.dll
2009-03-09 03:00 <DIR> --d----- c:\program files\MSXML 4.0
2009-03-08 02:48 <DIR> --d----- c:\program files\Elements
2009-03-08 02:48 20,016 -------- c:\windows\system32\drivers\pxhelp20.sys
2009-03-08 02:48 82,432 a------- c:\windows\system32\msxml4r.dll
2009-03-05 04:00 221,184 a------- c:\windows\system32\wmpns.dll
2009-03-05 02:04 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 02:04 73,728 a------- c:\windows\system32\javacpl.cpl
2009-03-03 12:53 <DIR> --d----- C:\World of Warcraft
2009-03-03 12:42 <DIR> --d----- c:\program files\Windows Media Connect 2
2009-03-03 12:39 <DIR> --d----- c:\windows\system32\LogFiles
2009-03-03 12:37 13,646 a------- c:\windows\system32\wpa.bak
2009-03-03 12:32 <DIR> --d----- C:\World of Warcraft Public Test
2009-03-03 11:52 <DIR> --d----- C:\fsaua.data
2009-03-03 11:25 <DIR> --d----- c:\docume~1\shintorg\applic~1\Malwarebytes
2009-03-03 11:25 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-03 11:16 <DIR> --d----- c:\windows\system32\CatRoot_bak
2009-03-03 11:16 272,128 -c------ c:\windows\system32\dllcache\bthport.sys
2009-03-03 11:16 272,128 -------- c:\windows\system32\drivers\bthport.sys
2009-03-03 11:16 2,136,064 -c------ c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 11:16 2,180,352 -c------ c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 11:16 2,057,728 -c------ c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 11:16 2,015,744 -c------ c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 11:15 453,632 -c------ c:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 11:12 26,488 a------- c:\windows\system32\spupdsvc.exe
2009-03-03 11:12 <DIR> --d----- c:\windows\system32\PreInstall
2009-03-03 11:12 <DIR> --d-h--- c:\windows\$hf_mig$
2009-03-03 11:06 1,072 a------- c:\windows\system32\settingsbkup.sfm
2009-03-03 11:06 1,072 a------- c:\windows\system32\settings.sfm
2009-03-03 10:50 647,872 -------- c:\windows\system32\Mscomct2.ocx
2009-03-03 10:50 41,984 -------- c:\windows\Ctregrun.exe
2009-03-03 10:47 183 a------- c:\windows\setuplog
2009-03-03 10:43 <DIR> --d----- c:\windows\RegisteredPackages
2009-03-03 10:43 <DIR> --d----- c:\program files\Creative
2009-03-03 10:21 446,464 a------- c:\windows\system32\CapabilityTable.exe
2009-03-03 10:21 <DIR> --d----- c:\windows\system32\SoftwareDistribution
2009-03-03 10:21 1,570 -------- c:\windows\system32\nvide.nvu
2009-03-03 10:21 363,008 a----r-- c:\windows\system32\idecoiins.dll
2009-03-03 10:21 363,008 a----r-- c:\windows\system32\idecoi.dll
2009-03-03 10:21 105,344 a----r-- c:\windows\system32\drivers\nvata.sys
2009-03-03 10:21 35,840 a----r-- c:\windows\system32\NVCOI.DLL
2009-03-03 10:21 <DIR> --d----- c:\windows\system32\ReinstallBackups
2009-03-03 10:21 356,352 -------- c:\windows\system32\nvuide.exe
2009-03-03 10:21 202,240 a----r-- c:\windows\system32\fdco1ins.dll
2009-03-03 10:21 52,736 a----r-- c:\windows\system32\drivers\NVENETFD.sys
2009-03-03 10:21 202,240 a------- c:\windows\system32\fdco1.dll
2009-03-03 10:20 110,080 a----r-- c:\windows\system32\drivers\nvtcp.sys
2009-03-03 10:20 208,896 a------- c:\windows\system32\nvunrm.exe
2009-03-03 10:20 3,903 a------- c:\windows\system32\nvnrm.nvu
2009-03-03 10:20 261,120 a----r-- c:\windows\system32\drivers\nvsnpu.sys
2009-03-03 10:20 35,840 a----r-- c:\windows\system32\nvconrm.dll
2009-03-03 10:20 10,240 a----r-- c:\windows\system32\bdco1ins.dll
2009-03-03 10:20 10,240 a----r-- c:\windows\system32\bdco1.dll
2009-03-03 10:20 <DIR> --d----- c:\windows\NV18361868.TMP
2009-03-03 10:20 1,104,896 a----r-- c:\windows\system32\drivers\nvnrm.sys
2009-03-03 10:20 208,896 a----r-- c:\windows\system32\nvusmb.exe
2009-03-03 10:20 18,944 a----r-- c:\windows\system32\drivers\nvnetbus.sys
2009-03-03 10:20 1,864 a----r-- c:\windows\system32\nvsmb.nvu
2009-03-03 10:14 <DIR> --d----- c:\program files\VLC
2009-03-03 10:13 <DIR> --d----- c:\program files\Ventrilo
2009-03-03 10:13 262 a------- c:\windows\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
2009-03-03 10:13 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-03 10:13 <DIR> --d----- C:\Fraps
2009-03-03 10:11 94,610 a------- c:\windows\system32\nvapps.xml
2009-03-03 10:10 356,352 a------- c:\windows\system32\nvudisp.exe
2009-03-03 10:10 17,056 a------- c:\windows\system32\nvdisp.nvu
2009-03-03 10:10 <DIR> --d----- c:\windows\nview
2009-03-03 10:10 356,352 a------- c:\windows\system32\NVUNINST.EXE
2009-03-03 10:07 <DIR> --d----- c:\documents and settings\shintorg
2009-03-03 10:06 <DIR> --ds---- c:\windows\system32\Microsoft
2009-03-03 10:06 8,192 a------- c:\windows\REGLOCS.OLD
2009-03-03 10:04 92,416 ac------ c:\windows\system32\dllcache\mga.sys
2009-03-03 10:03 <DIR> --dsh--- c:\documents and settings\all users\DRM
2009-03-03 10:03 <DIR> --d--r-- c:\windows\Offline Web Pages
2009-03-03 10:03 488 a---hr-- c:\windows\system32\WindowsLogon.manifest
2009-03-03 10:03 488 a---hr-- c:\windows\system32\logonui.exe.manifest
2009-03-03 10:03 <DIR> --ds---- c:\windows\Downloaded Program Files
2009-03-03 10:03 749 a---hr-- c:\windows\WindowsShell.Manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\wuaucpl.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\sapi.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\nwc.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\ncpa.cpl.manifest
2009-03-03 10:03 749 a---hr-- c:\windows\system32\cdplayer.exe.manifest
2009-03-03 10:03 <DIR> --d-h--- c:\program files\WindowsUpdate
2009-03-03 10:03 4,399,505 ac------ c:\windows\system32\dllcache\nls302en.lex
2009-03-03 10:03 <DIR> --d----- c:\windows\system32\DirectX
2009-03-03 10:02 <DIR> --d----- c:\program files\common files\MSSoap
2009-03-03 10:01 <DIR> --d----- c:\program files\Online Services
2009-03-03 10:01 <DIR> --d----- c:\program files\Messenger
2009-03-03 10:01 <DIR> --d----- c:\program files\MSN Gaming Zone
2009-03-03 10:01 <DIR> --d----- c:\program files\Windows NT
2009-03-03 00:35 <DIR> --d----- c:\program files\common files\ODBC
2009-03-03 00:35 <DIR> --d----- c:\program files\common files\SpeechEngines
2009-03-03 00:35 <DIR> --d--r-- c:\documents and settings\all users\Documents

==================== Find3M ====================

2009-03-25 01:46 163,644 a------- c:\windows\system32\drivers\secdrv.sys
2009-03-03 10:11 76,487 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-03-03 10:02 21,640 a------- c:\windows\system32\emptyregdb.dat
2009-02-26 12:46 74,760 a------- c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 12:46 25,608 a------- c:\windows\system32\drivers\AVGIDSErHr.sys
2009-02-09 06:19 1,846,272 a------- c:\windows\system32\win32k.sys
2009-01-03 07:24 81,920 a------- c:\windows\system32\frapsvid.dll

============= FINISH: 13:41:40.45 ===============


ComboFix 09-03-29.04 - shintorg 2009-03-30 12:40:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2046.1683 [GMT -4:00]
Running from: c:\documents and settings\shintorg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\shintorg\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\autorun.inf\lpt3.This folder was created by Flash_Disinfector
c:\documents and settings\shintorg\Application Data\uTorrent
c:\documents and settings\shintorg\Application Data\uTorrent\Battlestar Galactica S04E19 HDTV XviD-0TV.torrent
c:\documents and settings\shintorg\Application Data\uTorrent\Battlestar.Galactica.S04E18.HDTV.XviD-0TV.avi.torrent
c:\documents and settings\shintorg\Application Data\uTorrent\Battlestar.Galactica.S04E19.HDTV.XviD-0TV.avi.torrent
c:\documents and settings\shintorg\Application Data\uTorrent\Battlestar.Galactica.S04E19.HDTV.XviD-0TV.torrent
c:\documents and settings\shintorg\Application Data\uTorrent\dht.dat
c:\documents and settings\shintorg\Application Data\uTorrent\dht.dat.old
c:\documents and settings\shintorg\Application Data\uTorrent\resume.dat
c:\documents and settings\shintorg\Application Data\uTorrent\resume.dat.old
c:\documents and settings\shintorg\Application Data\uTorrent\rss.dat
c:\documents and settings\shintorg\Application Data\uTorrent\rss.dat.old
c:\documents and settings\shintorg\Application Data\uTorrent\settings.dat
c:\documents and settings\shintorg\Application Data\uTorrent\settings.dat.old
c:\documents and settings\shintorg\Application Data\uTorrent\Sopranos Season 4.1.torrent
c:\documents and settings\shintorg\Application Data\uTorrent\Sopranos Season 4.torrent
c:\documents and settings\shintorg\Application Data\uTorrent\Sopranos Season 5.1.torrent
c:\documents and settings\shintorg\Application Data\uTorrent\Sopranos Season 5.torrent
c:\documents and settings\shintorg\Application Data\uTorrent\Sopranos Season 6 Part 1.torrent
c:\documents and settings\shintorg\Application Data\uTorrent\Sopranos Season 6 Part 2.torrent
c:\documents and settings\shintorg\Application Data\uTorrent\utorrent.lng

.
((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
.

2009-03-28 13:54 . 2005-07-06 20:14 1,389,056 -ra------ c:\windows\system32\drivers\P17.sys
2009-03-28 13:54 . 2003-10-01 22:48 53,248 -ra------ c:\windows\system32\P17CPI.dll
2009-03-28 13:53 . 1999-09-21 11:18 2,167,684 -ra------ c:\windows\system32\ct2mgm.sf2
2009-03-28 13:53 . 2005-01-09 22:15 138,752 -ra------ c:\windows\system32\drivers\ctsfm2k.sys
2009-03-28 13:53 . 2005-06-13 01:03 137,728 -ra------ c:\windows\system32\P17res.dll
2009-03-28 13:53 . 2005-01-09 22:15 115,200 -ra------ c:\windows\system32\sfms32.dll
2009-03-28 13:53 . 2005-01-09 22:15 106,496 -ra------ c:\windows\system32\drivers\ctoss2k.sys
2009-03-28 13:53 . 2005-01-09 22:15 20,992 -ra------ c:\windows\system32\sfman32.dll
2009-03-25 16:02 . 2005-05-02 23:38 64,512 -ra------ c:\windows\system32\P17.dll
2009-03-25 01:12 . 2009-03-25 01:12 <DIR> d-------- c:\windows\system32\URTTemp
2009-03-25 01:07 . 2009-03-25 01:07 <DIR> d-------- c:\documents and settings\shintorg\Application Data\InstallShield
2009-03-25 00:52 . 2009-03-25 01:13 <DIR> d-------- C:\Sid Meier's Civilization 4
2009-03-25 00:51 . 2005-05-26 15:34 2,297,552 --a------ c:\windows\system32\d3dx9_26.dll
2009-03-24 19:55 . 2009-03-24 19:55 <DIR> dr------- c:\program files\Norton Support
2009-03-24 19:41 . 2009-03-24 19:41 <DIR> d-------- c:\program files\Symantec
2009-03-24 19:41 . 2009-03-24 19:45 <DIR> d-------- c:\program files\Common Files\Symantec Shared
2009-03-24 19:41 . 2009-03-24 19:41 124,464 --a------ c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-24 19:41 . 2009-03-24 19:41 60,808 --a------ c:\windows\system32\S32EVNT1.DLL
2009-03-24 19:41 . 2009-03-24 19:41 36,400 -ra------ c:\windows\system32\drivers\SymIM.sys
2009-03-24 19:41 . 2009-03-24 19:41 7,386 --a------ c:\windows\system32\drivers\SYMEVENT.CAT
2009-03-24 19:41 . 2009-03-24 19:41 805 --a------ c:\windows\system32\drivers\SYMEVENT.INF
2009-03-24 19:40 . 2009-03-24 19:40 <DIR> d-------- c:\windows\system32\drivers\NAV
2009-03-24 19:40 . 2009-03-24 19:40 <DIR> d-------- c:\program files\Windows Sidebar
2009-03-24 19:40 . 2009-03-24 19:41 <DIR> d-------- c:\program files\Norton AntiVirus
2009-03-24 19:40 . 2009-03-25 13:51 <DIR> d-------- c:\documents and settings\All Users\Application Data\Symantec
2009-03-24 19:40 . 2009-03-24 19:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\Norton
2009-03-24 19:38 . 2009-03-24 19:38 <DIR> d-------- c:\program files\NortonInstaller
2009-03-24 19:38 . 2009-03-24 19:38 <DIR> d-------- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-03-24 18:14 . 2009-03-25 15:34 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-24 17:54 . 2007-12-24 17:37 138,384 --a------ c:\windows\system32\drivers\tmcomm.sys
2009-03-24 17:53 . 2009-03-24 18:21 <DIR> d-------- c:\documents and settings\shintorg\Application Data\HouseCall 6.6
2009-03-24 17:36 . 2009-03-25 15:31 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-24 16:46 . 2009-03-24 16:46 <DIR> d-------- c:\program files\AVG
2009-03-24 16:46 . 2009-03-24 16:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-24 16:46 . 2009-03-24 19:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\avg8
2009-03-24 14:05 . 2009-03-25 15:33 347 --a------ c:\windows\CTWave32.INI
2009-03-24 14:05 . 2009-03-24 14:05 29 --a------ c:\windows\sfbm.INI
2009-03-17 12:19 . 2009-03-24 19:40 <DIR> d-------- c:\documents and settings\Administrator
2009-03-16 08:47 . 2009-03-24 13:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2009-03-16 08:41 . 2009-03-16 08:41 <DIR> d-------- c:\windows\Sun
2009-03-10 12:04 . 2009-03-10 12:04 <DIR> d-------- c:\program files\Common Files\Blizzard Entertainment
2009-03-09 16:09 . 2004-08-04 08:00 13,463,552 --a--c--- c:\windows\system32\dllcache\hwxjpn.dll
2009-03-09 03:00 . 2009-03-09 03:00 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-08 02:48 . 2009-03-08 02:50 <DIR> d-------- c:\program files\Elements
2009-03-08 02:48 . 2009-03-08 02:50 <DIR> d-------- c:\program files\Common Files\Adobe
2009-03-08 02:48 . 2009-03-08 02:48 82,432 --a------ c:\windows\system32\msxml4r.dll
2009-03-08 02:48 . 2009-03-08 02:46 20,016 --------- c:\windows\system32\drivers\pxhelp20.sys
2009-03-05 04:00 . 2004-08-04 08:00 221,184 --a------ c:\windows\system32\wmpns.dll
2009-03-05 02:04 . 2009-03-28 13:58 <DIR> d-------- c:\program files\Java
2009-03-05 02:04 . 2009-03-09 05:19 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-05 02:04 . 2009-03-09 02:53 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-03-03 14:46 . 2009-03-29 01:24 <DIR> d-------- c:\documents and settings\shintorg\Application Data\dvdcss
2009-03-03 14:45 . 2009-03-17 15:26 <DIR> d-------- c:\documents and settings\shintorg\Application Data\vlc
2009-03-03 12:53 . 2009-03-14 02:39 <DIR> d-------- C:\World of Warcraft
2009-03-03 12:42 . 2009-03-03 12:43 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-03-03 12:41 . 2009-03-03 15:44 <DIR> d-------- c:\documents and settings\shintorg\Application Data\Ventrilo
2009-03-03 12:39 . 2009-03-03 12:39 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-03 12:39 . 2009-03-03 12:40 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-03-03 12:37 . 2009-03-03 12:37 13,646 --a------ c:\windows\system32\wpa.bak
2009-03-03 12:32 . 2009-03-24 01:20 <DIR> d-------- C:\World of Warcraft Public Test
2009-03-03 11:52 . 2009-03-03 11:52 <DIR> d-------- C:\fsaua.data
2009-03-03 11:25 . 2009-03-03 11:25 <DIR> d-------- c:\documents and settings\shintorg\Application Data\Malwarebytes
2009-03-03 11:25 . 2009-03-03 11:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-03 11:16 . 2009-03-11 02:07 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-03-03 11:16 . 2008-08-14 06:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-03 11:16 . 2008-08-14 05:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-03 11:16 . 2008-08-14 05:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-03 11:16 . 2008-08-14 05:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-03 11:16 . 2008-06-13 09:10 272,128 --------- c:\windows\system32\drivers\bthport.sys
2009-03-03 11:16 . 2008-06-13 09:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-03 11:15 . 2008-10-24 07:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-03 11:12 . 2009-03-10 17:51 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-03 11:12 . 2007-07-27 09:41 26,488 --a------ c:\windows\system32\spupdsvc.exe
2009-03-03 11:06 . 2009-03-03 11:06 <DIR> d-------- c:\documents and settings\shintorg\Application Data\Creative
2009-03-03 11:06 . 2009-03-28 13:48 1,072 --a------ c:\windows\system32\settingsbkup.sfm
2009-03-03 11:06 . 2009-03-28 13:48 1,072 --a------ c:\windows\system32\settings.sfm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-25 19:33 --------- d-----w c:\program files\Creative
2009-03-25 05:46 163,644 ----a-w c:\windows\system32\drivers\secdrv.sys
2009-03-25 05:13 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-20 04:48 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-03-03 14:45 --------- d-----w c:\program files\Common Files\InstallShield
2009-03-03 14:18 --------- d-----w c:\documents and settings\All Users\Application Data\NVIDIA
2009-03-03 14:15 --------- d-----w c:\program files\VLC
2009-03-03 14:13 --------- d-----w c:\program files\Ventrilo
2009-03-03 14:13 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-03 14:04 --------- d-----w c:\program files\microsoft frontpage
2009-02-26 16:46 74,760 ----a-w c:\windows\system32\drivers\UniversalDD.sys
2009-02-26 16:46 25,608 ----a-w c:\windows\system32\drivers\AVGIDSErHr.sys
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-01-03 11:24 81,920 ----a-w c:\windows\system32\frapsvid.dll
2008-12-05 07:12 144,896 ----a-w c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-03-29_16.46.35.92 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-30 16:37:55 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_448.dat
+ 2009-03-30 16:38:03 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_464.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"P17Helper"="P17.dll" [2005-05-02 c:\windows\system32\P17.dll]

c:\documents and settings\shintorg\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"enablefirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\World of Warcraft Public Test\\Launcher.exe"=
"c:\\World of Warcraft\\BackgroundDownloader.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [2009-03-24 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [2009-03-24 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [2009-03-24 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090318.001\IDSXpx86.sys [2009-03-24 276344]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [2009-03-24 115560]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\shintorg\Application Data\Mozilla\Firefox\Profiles\d2zqdpon.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.expiation-guild.org/joomla/
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\VLC\npvlc.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-30 12:42:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
Completion time: 2009-03-30 12:42:53
ComboFix-quarantined-files.txt 2009-03-30 16:42:51
ComboFix2.txt 2009-03-29 20:47:03

Pre-Run: 143,638,069,248 bytes free
Post-Run: 144,034,312,192 bytes free

187 --- E O F --- 2009-03-11 06:07:32
 
Well congrats, it appears your system is all clean Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis



Now lets uninstall ComboFix:
  • Click START then RUN
  • Now type "c:\documents and settings\shintorg\Desktop\ComboFix.exe" /u in the runbox and click OK


Delete dds.scr file and related logs.


UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

  • hosts file:
    • Every version of windows has a hosts file as part of them.
    • In a very basic sense, they are used to locate webpages.
    • We can customize a hosts file so that it blocks certain webpages.
    • However, it can slow down certain computers.
    • This is why using a hosts file is optional!!
    Download it here. Make sure you read the instructions on how to install the hosts file. There is a good tutorial here
    If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. [*]Click the start button (at the lower left hand corner of your screen) [*]Click run [*]In the dialog box, type services.msc [*]hit enter, then locate dns client [*]Highlight it, then double-click it. [*]On the dropdown box, change the setting from automatic to manual. [*]Click ok
  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
    If you don't have a 3rd party firewall or a router behind NAT then I recommend getting one. I recommend either Online Armor Free or Comodo Firewall Pro (If you choose Comodo: Uncheck during installation "Install Comodo SafeSurf..", Make Comodo my default search provider" and "Make Comodo Search my homepage" and install firewall ONLY!).


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note:If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top