Please help as I can't seem to remove this Trojan. Here is my hijackthis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:26:28 AM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Documents and Settings\JSS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\MCUI32.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\\SFIGUI.EXE" BOOT
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [VoipStunt] "C:\Program Files\VoipStunt.com\VoipStunt\VoipStunt.exe" -nosplash -minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\JSS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5451} (Player Class) - http://www.wowweesupport.com/download/rovio/WebSee_4.0.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130425169390
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188843039687
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15102/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Desktop Utilities Service (iHCService) - Unknown owner - C:\Program Files\Intel\IDU\IDUServ.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: Symantec RemoteAssist (symantec remoteassist) - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 10080 bytes

Thanks for your help

Hello LikeTelevision

welcome to geekstogo

reboot your machine and then:

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT !!! Save ComboFix.exe to your Desktop

• Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  
  
• Double click on ComboFix.exe & follow the prompts.
  
  
• As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  
  
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

and could you post a new hijackthis log.

andrewuk

Hi Andrewuk:

Here is the combofix log:

ComboFix 08-11-28.02 - JSS 2008-11-28 18:16:24.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.619 [GMT -5:00]
Running from: c:\documents and settings\JSS\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\au3305adc.dll
c:\windows\system32\rs32net.exe
c:\windows\system32\TDSSdxcp.dll
c:\windows\system32\TDSSkkai.log
c:\windows\system32\TDSSmtve.dat
c:\windows\system32\twain_32
c:\windows\system32\twain_32\local.ds
c:\windows\system32\twain_32\user.ds
c:\windows\system32\twext.exe
F:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
.

2008-11-28 00:26 . 2008-11-28 00:26 <DIR> d-------- c:\program files\Trend Micro
2008-11-27 20:41 . 2008-11-27 20:41 <DIR> d-------- c:\windows\Google Earth Pro 4.2
2008-11-27 20:41 . 2008-11-27 20:42 <DIR> d-------- c:\program files\Google Earth Pro 4.2
2008-11-27 12:00 . 2008-11-27 12:00 <DIR> d-------- c:\program files\Norton Support
2008-11-27 11:12 . 2008-11-28 18:25 102,632 --a------ c:\windows\system32\drivers\96a1f491.sys
2008-11-27 11:11 . 2008-11-27 11:11 104,448 --a------ C:\qthqdso.exe
2008-11-27 11:11 . 2008-11-27 11:11 69,120 --a------ C:\xobqv.exe
2008-11-27 11:11 . 2008-11-27 11:11 705 --a------ C:\mguvbfr.exe
2008-11-27 11:11 . 2008-11-27 11:11 2 --a------ C:\1760142603
2008-11-27 11:00 . 2008-11-27 11:00 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-27 00:11 . 2008-11-27 00:11 <DIR> d-------- c:\program files\Opera
2008-11-27 00:10 . 2008-11-27 00:10 <DIR> d-------- c:\program files\Safari
2008-11-27 00:07 . 2008-11-27 00:07 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-27 00:07 . 2008-11-27 00:07 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-27 00:07 . 2008-11-27 00:07 1,409 --a------ c:\windows\QTFont.for
2008-11-27 00:05 . 2008-11-27 00:06 <DIR> d-------- c:\program files\Apple Software Update
2008-11-27 00:05 . 2008-11-27 00:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-26 14:55 . 2008-11-26 14:55 144 --a------ c:\windows\VBFACE.INI
2008-11-16 14:14 . 2008-11-16 14:14 <DIR> d-------- c:\documents and settings\JSS\Application Data\Thinstall
2008-11-16 13:33 . 2008-11-16 13:33 <DIR> d-------- c:\program files\LSoft Technologies
2008-11-16 13:21 . 2008-11-16 13:21 <DIR> d-------- C:\finalburner
2008-11-16 11:05 . 2008-11-22 10:20 <DIR> d-------- c:\program files\MagicISO
2008-11-15 20:22 . 2008-11-27 00:09 <DIR> d-------- c:\program files\Bonjour
2008-11-15 13:44 . 2008-11-15 13:44 <DIR> d-------- C:\greenappx
2008-11-15 09:38 . 2008-11-15 09:38 <DIR> d-------- c:\documents and settings\AAS\Application Data\Downloaded Installations
2008-11-12 11:11 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 11:10 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-10 23:26 . 2008-11-10 23:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-10 23:09 . 2008-11-10 23:09 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-10 22:57 . 2008-11-10 22:59 <DIR> d-------- c:\documents and settings\JSS\Application Data\ImgBurn
2008-11-10 22:52 . 2008-11-10 22:52 <DIR> d-------- c:\program files\ImgBurn
2008-11-08 19:20 . 2008-11-08 19:20 <DIR> d-------- c:\program files\uTorrent
2008-11-08 19:20 . 2008-11-27 21:27 <DIR> d-------- c:\documents and settings\JSS\Application Data\uTorrent
2008-11-08 18:27 . 2008-11-12 22:50 <DIR> d-------- c:\documents and settings\JSS\Application Data\LimeWire
2008-11-02 10:06 . 2008-11-02 10:16 <DIR> d-------- c:\documents and settings\Guest\Application Data\Move Networks
2008-10-29 17:20 . 2008-10-29 17:20 <DIR> d-------- c:\program files\Common Files\eSellerate
2008-10-29 17:20 . 2008-10-29 17:20 216,576 --a------ c:\windows\system32\SpoonUninstall.exe
2008-10-29 17:13 . 2008-10-29 17:57 <DIR> d-------- c:\documents and settings\JSS\Application Data\gtk-2.0
2008-10-29 17:13 . 2008-10-29 17:13 <DIR> d-------- c:\documents and settings\JSS\.thumbnails
2008-10-29 17:12 . 2008-10-29 18:27 <DIR> d-------- c:\documents and settings\JSS\.gimp-2.6
2008-10-29 17:12 . 2008-10-29 17:12 <DIR> d-------- c:\documents and settings\JSS\.gegl-0.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 05:07 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-28 05:07 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-27 16:00 --------- d-----w c:\program files\Common Files\Real
2008-11-27 15:59 499,712 ----a-w c:\windows\system32\msvcp71.dll
2008-11-27 15:59 348,160 ----a-w c:\windows\system32\msvcr71.dll
2008-11-27 05:12 --------- d-----w c:\documents and settings\JSS\Application Data\Apple Computer
2008-11-27 05:07 --------- d-----w c:\program files\QuickTime
2008-11-27 05:07 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-27 04:35 --------- d-----w c:\documents and settings\JSS\Application Data\FileZilla
2008-11-24 12:41 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-16 16:16 --------- d-----w c:\program files\Common Files\Adobe
2008-11-16 11:30 --------- d-----w c:\documents and settings\JSS\Application Data\AdobeUM
2008-11-13 04:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 19:15 --------- d-----w c:\program files\NewTech Infosystems
2008-11-11 19:14 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-11-03 14:55 --------- d-----w c:\program files\Audible
2008-10-27 19:01 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-16 19:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 19:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 19:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 19:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 19:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 19:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 19:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 19:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 19:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 19:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-15 12:59 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-10-15 12:58 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-15 12:58 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL
2008-10-15 12:58 35,888 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-10-15 12:58 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-15 12:58 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-15 12:58 --------- d-----w c:\program files\Windows Sidebar
2008-10-15 12:58 --------- d-----w c:\program files\Symantec
2008-10-15 12:58 --------- d-----w c:\program files\Norton AntiVirus
2008-10-15 12:34 --------- d-----w c:\program files\NortonInstaller
2008-10-15 12:34 --------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2008-10-12 23:22 --------- d--h--w c:\documents and settings\AAS\Application Data\Move Networks
2008-10-12 00:58 --------- d-----w c:\program files\Yahoo!
2008-10-12 00:22 --------- d-----w c:\documents and settings\JSS\Application Data\Yahoo!
2008-10-12 00:20 --------- d--h--r c:\documents and settings\All Users\Application Data\yahoo!
2008-10-11 22:24 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-09-30 21:43 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-09-10 01:14 1,307,648 ------w c:\windows\system32\msxml6.dll
2008-09-04 17:15 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2008-08-29 15:18 87,336 ----a-w c:\windows\system32\dns-sd.exe
2008-08-29 14:53 65,536 ----a-w c:\windows\system32\jdns_sd.dll
2008-08-29 14:53 61,440 ----a-w c:\windows\system32\dnssd.dll
2008-07-11 02:09 81,920 ----a-w c:\documents and settings\JSS\Application Data\ezpinst.exe
2008-07-11 02:09 47,360 ----a-w c:\documents and settings\JSS\Application Data\pcouffin.sys
2008-05-31 03:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008053020080531\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]
"Google Update"="c:\documents and settings\JSS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-26 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"farstone"="NULL" [X]
"RestoreIT!"="c:\program files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE" [2003-01-10 122880]
"SonicFocus"="c:\program files\Sonic Focus\SFIGUI\\SFIGUI.EXE" [2004-06-13 1224704]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2003-10-31 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-06-22 1409136]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-27 185872]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Norton AntiVirus\\Norton AntiVirus\\Engine\\16.1.0.33\\ccSvcHst.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NAV\1001000.021\SYMEFA.SYS []
R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2005-10-27 180074]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NAV\1001000.021\BHDrvx86.sys [2008-11-12 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NAV\1001000.021\ccHPx86.sys [2008-11-12 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081126.002\IDSxpx86.sys [2008-11-26 274808]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-27 11018]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2004-06-01 10386]
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\System32\DRIVERS\ASPI32.sys [2008-07-04 16512]

*Newly Created Service* - catchme
.
Contents of the 'Scheduled Tasks' folder

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-28 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\JSS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-26 23:59]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-VoipStunt - c:\program files\VoipStunt.com\VoipStunt\VoipStunt.exe
SafeBoot-ati8lnxx.sys


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\JSS\Application Data\Mozilla\Firefox\Profiles\2zrtvqnr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com
FF -: plugin - c:\documents and settings\JSS\Local Settings\Application Data\Google\Update\1.2.131.27\npGoogleOneClick6.dll
FF -: plugin - c:\program files\Adobe\Acrobat 6.0\Acrobat\browser\nppdf32.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npvideoegg-publisherloader.dll
FF -: plugin - c:\program files\Mozilla Firefox\plugins\npvideoegg-updaterloader.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 18:24:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\96a1f491]
"ImagePath"="\SystemRoot\System32\drivers\96a1f491.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(964)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-28 18:26:15
ComboFix-quarantined-files.txt 2008-11-28 23:26:03

Pre-Run: 58,849,898,496 bytes free
Post-Run: 64,867,557,376 bytes free

222 --- E O F --- 2008-11-13 03:55:50


Here is the Hijackthis log:

2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\\SFIGUI.EXE" BOOT
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\JSS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {115B1886-2AE0-4259-9FE4-E32A5DEE5451} (Player Class) - http://www.wowweesupport.com/download/rovio/WebSee_4.0.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130425169390
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188843039687
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15102/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Desktop Utilities Service (iHCService) - Unknown owner - C:\Program Files\Intel\IDU\IDUServ.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: Symantec RemoteAssist (symantec remoteassist) - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 9826 bytes


I'm still getting the same message from Norton. Is this normal?

Thanks so much. Patiently awaiting your reply.

LikeTelevision

we are not finished yet, the last post cleaned a different infection that was on your machine.

and now:

reboot your machine and then:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:




Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

and could you also post a new hijackthis log please.

andrewuk

This post has been edited by andrewuk: Nov 28 2008, 06:15 PM

Hi Andrewuk:

Here is the latest combofix log:

ComboFix 08-11-28.02 - JSS 2008-11-28 20:50:47.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.562 [GMT -5:00]
Running from: c:\documents and settings\JSS\Desktop\Malware\ComboFix.exe
Command switches used :: c:\documents and settings\JSS\Desktop\Malware\CFScript.txt
* Created a new restore point

FILE ::
C:\mguvbfr.exe
C:\qthqdso.exe
c:\windows\system32\drivers\96a1f491.sys
C:\xobqv.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\mguvbfr.exe
C:\qthqdso.exe
c:\windows\system32\drivers\96a1f491.sys
C:\xobqv.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_96a1f491


((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-29 )))))))))))))))))))))))))))))))
.

2008-11-28 00:26 . 2008-11-28 00:26 <DIR> d-------- c:\program files\Trend Micro
2008-11-27 20:41 . 2008-11-27 20:41 <DIR> d-------- c:\windows\Google Earth Pro 4.2
2008-11-27 20:41 . 2008-11-27 20:42 <DIR> d-------- c:\program files\Google Earth Pro 4.2
2008-11-27 12:00 . 2008-11-27 12:00 <DIR> d-------- c:\program files\Norton Support
2008-11-27 11:11 . 2008-11-27 11:11 2 --a------ C:\1760142603
2008-11-27 11:00 . 2008-11-27 11:00 <DIR> d-------- c:\program files\Common Files\xing shared
2008-11-27 00:11 . 2008-11-27 00:11 <DIR> d-------- c:\program files\Opera
2008-11-27 00:10 . 2008-11-27 00:10 <DIR> d-------- c:\program files\Safari
2008-11-27 00:07 . 2008-11-27 00:07 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-27 00:07 . 2008-11-27 00:07 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-27 00:07 . 2008-11-27 00:07 1,409 --a------ c:\windows\QTFont.for
2008-11-27 00:05 . 2008-11-27 00:06 <DIR> d-------- c:\program files\Apple Software Update
2008-11-27 00:05 . 2008-11-27 00:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-26 14:55 . 2008-11-26 14:55 144 --a------ c:\windows\VBFACE.INI
2008-11-16 14:14 . 2008-11-16 14:14 <DIR> d-------- c:\documents and settings\JSS\Application Data\Thinstall
2008-11-16 13:33 . 2008-11-16 13:33 <DIR> d-------- c:\program files\LSoft Technologies
2008-11-16 13:21 . 2008-11-16 13:21 <DIR> d-------- C:\finalburner
2008-11-16 11:05 . 2008-11-22 10:20 <DIR> d-------- c:\program files\MagicISO
2008-11-15 20:22 . 2008-11-27 00:09 <DIR> d-------- c:\program files\Bonjour
2008-11-15 13:44 . 2008-11-15 13:44 <DIR> d-------- C:\greenappx
2008-11-15 09:38 . 2008-11-15 09:38 <DIR> d-------- c:\documents and settings\AAS\Application Data\Downloaded Installations
2008-11-12 11:11 . 2008-10-24 06:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-11-12 11:10 . 2008-09-04 12:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-11-10 23:26 . 2008-11-10 23:26 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-10 23:09 . 2008-11-10 23:09 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-10 22:57 . 2008-11-10 22:59 <DIR> d-------- c:\documents and settings\JSS\Application Data\ImgBurn
2008-11-10 22:52 . 2008-11-10 22:52 <DIR> d-------- c:\program files\ImgBurn
2008-11-08 19:20 . 2008-11-08 19:20 <DIR> d-------- c:\program files\uTorrent
2008-11-08 19:20 . 2008-11-27 21:27 <DIR> d-------- c:\documents and settings\JSS\Application Data\uTorrent
2008-11-08 18:27 . 2008-11-12 22:50 <DIR> d-------- c:\documents and settings\JSS\Application Data\LimeWire
2008-11-02 10:06 . 2008-11-02 10:16 <DIR> d-------- c:\documents and settings\Guest\Application Data\Move Networks
2008-10-29 17:20 . 2008-10-29 17:20 <DIR> d-------- c:\program files\Common Files\eSellerate
2008-10-29 17:20 . 2008-10-29 17:20 216,576 --a------ c:\windows\system32\SpoonUninstall.exe
2008-10-29 17:13 . 2008-10-29 17:57 <DIR> d-------- c:\documents and settings\JSS\Application Data\gtk-2.0
2008-10-29 17:13 . 2008-10-29 17:13 <DIR> d-------- c:\documents and settings\JSS\.thumbnails
2008-10-29 17:12 . 2008-10-29 18:27 <DIR> d-------- c:\documents and settings\JSS\.gimp-2.6
2008-10-29 17:12 . 2008-10-29 17:12 <DIR> d-------- c:\documents and settings\JSS\.gegl-0.0

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-28 05:07 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-28 05:07 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2008-11-27 16:00 --------- d-----w c:\program files\Common Files\Real
2008-11-27 05:12 --------- d-----w c:\documents and settings\JSS\Application Data\Apple Computer
2008-11-27 05:07 --------- d-----w c:\program files\QuickTime
2008-11-27 05:07 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-27 04:35 --------- d-----w c:\documents and settings\JSS\Application Data\FileZilla
2008-11-24 12:41 --------- d-----w c:\program files\Microsoft ActiveSync
2008-11-16 16:16 --------- d-----w c:\program files\Common Files\Adobe
2008-11-16 11:30 --------- d-----w c:\documents and settings\JSS\Application Data\AdobeUM
2008-11-13 04:18 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-11 19:15 --------- d-----w c:\program files\NewTech Infosystems
2008-11-11 19:14 --------- d-----w c:\documents and settings\All Users\Application Data\Ulead Systems
2008-11-03 14:55 --------- d-----w c:\program files\Audible
2008-10-27 19:01 --------- d-----w c:\program files\FileZilla FTP Client
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-15 12:59 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2008-10-15 12:58 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-10-15 12:58 35,888 ----a-r c:\windows\system32\drivers\SymIM.sys
2008-10-15 12:58 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2008-10-15 12:58 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-10-15 12:58 --------- d-----w c:\program files\Windows Sidebar
2008-10-15 12:58 --------- d-----w c:\program files\Symantec
2008-10-15 12:58 --------- d-----w c:\program files\Norton AntiVirus
2008-10-15 12:34 --------- d-----w c:\program files\NortonInstaller
2008-10-15 12:34 --------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2008-10-12 23:22 --------- d--h--w c:\documents and settings\AAS\Application Data\Move Networks
2008-10-12 00:58 --------- d-----w c:\program files\Yahoo!
2008-10-12 00:22 --------- d-----w c:\documents and settings\JSS\Application Data\Yahoo!
2008-10-12 00:20 --------- d--h--r c:\documents and settings\All Users\Application Data\yahoo!
2008-10-11 22:24 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-07-11 02:09 81,920 ----a-w c:\documents and settings\JSS\Application Data\ezpinst.exe
2008-07-11 02:09 47,360 ----a-w c:\documents and settings\JSS\Application Data\pcouffin.sys
2008-05-31 03:06 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008053020080531\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\1760142603 ----

c:\1760142603\


((((((((((((((((((((((((((((( snapshot@2008-11-28_18.25.44.64 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2008-11-29 01:58:39 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_758.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-02 68856]
"Google Update"="c:\documents and settings\JSS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-26 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"farstone"="NULL" [X]
"RestoreIT!"="c:\program files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE" [2003-01-10 122880]
"SonicFocus"="c:\program files\Sonic Focus\SFIGUI\\SFIGUI.EXE" [2004-06-13 1224704]
"RemoteControl"="c:\program files\ASUSTek\ASUSDVD\PDVDServ.exe" [2003-10-31 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2004-06-22 1409136]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 344064]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 583048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-11-27 185872]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 c:\windows\ALCWZRD.EXE]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 217193]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-01-21 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FileZilla FTP Client\\filezilla.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Norton AntiVirus\\Norton AntiVirus\\Engine\\16.1.0.33\\ccSvcHst.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service

R0 SymEFA;Symantec Extended File Attributes;\SystemRoot\\SystemRoot\System32\Drivers\NAV\1001000.021\SYMEFA.SYS []
R0 VVBackd5;VVBackd5;c:\windows\system32\drivers\VVBackd5.sys [2005-10-27 180074]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NAV\1001000.021\BHDrvx86.sys [2008-11-12 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NAV\1001000.021\ccHPx86.sys [2008-11-12 362544]
R1 IDSxpx86;IDSxpx86;\??\c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081127.002\IDSxpx86.sys [2008-11-28 274808]
R1 OsaFsLoc;OsaFsLoc;c:\windows\system32\drivers\OsaFsLoc.sys [2005-10-27 11018]
R2 Norton AntiVirus;Norton AntiVirus;"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton AntiVirus" /m "c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2004-06-01 10386]
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\c:\windows\System32\DRIVERS\ASPI32.sys [2008-07-04 16512]
.
Contents of the 'Scheduled Tasks' folder

2008-11-27 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-11-29 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\JSS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-26 23:59]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-28 20:58:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Completion time: 2008-11-28 21:04:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-29 02:04:11
ComboFix2.txt 2008-11-28 23:26:16

Pre-Run: 65,020,452,864 bytes free
Post-Run: 64,945,283,072 bytes free

210 --- E O F --- 2008-11-13 03:55:50


And here is the latest hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:08 PM, on 11/28/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\JSS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [farstone] NULL
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\FarStone\RestoreIT!\RestoreIT!_XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [SonicFocus] "C:\Program Files\Sonic Focus\SFIGUI\\SFIGUI.EXE" BOOT
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\JSS\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1130425169390
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6C269571-C6D7-4818-BCA4-32A035E8C884} (Creative Software AutoUpdate) - http://www.creative.com/softwareupdate/su/...101/CTSUEng.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188843039687
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su/...15102/CTPID.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intel® Desktop Utilities Service (iHCService) - Unknown owner - C:\Program Files\Intel\IDU\IDUServ.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.1.0.33\ccSvcHst.exe
O23 - Service: Symantec RemoteAssist (symantec remoteassist) - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 9724 bytes

How does it look now? Norton has now removed the notification.

Thanks very much for your help so far!

LikeTelevision

the logs are looking good now.

in this post we will do a couple of scans to clear away any remnants and ensure nothing else has sneaked onto your mahcine.

the scans will likely take 3 hours, quite possibly much longer. so just let them run.

====STEP 1====
this folder C:\1760142603 seems to be empty but i suspect was part of the infection. therefore, could you move it to the recycle bin and then empty the recycle bin.



====STEP 2====
Please download ATF Cleaner by Atribune.

Caution: This program is for Windows 2000, XP and Vista only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.



====STEP 3====
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select "Perform Full Scan", then click Scan.
• The scan may take some time to finish,so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.



====STEP 4====
Please do an online scan with Kaspersky WebScanner (this will identify any issues, we will clear them in the following post)

1. Read through the requirements and privacy statement and click on Accept button.
2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
3. When the downloads have finished, click on Settings.
4. Make sure the following is checked.
   
   Spyware, Adware, Dialers, and other potentially dangerous programs
   Archives
   Mail databases
5. Click on My Computer under Scan.
6. Once the scan is complete, it will display the results. Click on View Scan Report.
7. You will see a list of infected items there. Click on Save Report As....
8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
9. Please post this log in your next reply.

In your next reply could i see:
1. the malwarebytes log
2. the kaspersky log
3. and some idea of how your machine is running now

The text from these files may exceed the maximum post length for this forum. Hence, you may need to post the information over 2 or more posts.

andrewuk

Hi Andrewuk:

Here is the malwarebytes log:

Malwarebytes' Anti-Malware 1.30
Database version: 1434
Windows 5.1.2600 Service Pack 3

11/29/2008 12:41:08 PM
mbam-log-2008-11-29 (12-41-08).txt

Scan type: Full Scan (C:\|F:\|)
Objects scanned: 167016
Time elapsed: 1 hour(s), 4 minute(s), 50 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs\C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll (Adware.Minibug) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\mguvbfr.exe.vir (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\96a1f491.sys.vir (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{702D6CE7-599F-4886-B34E-50A6E3C5724F}\RP3\A0000147.exe (Trojan.TinyDownloader705) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{702D6CE7-599F-4886-B34E-50A6E3C5724F}\RP3\A0000157.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.

Sending the kaspersky log in the following post.

Thanks,

LikeTelevision

Hi Andreuk:

Here is the kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 29, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, November 29, 2008 13:42:04
Records in database: 1426726
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 119886
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:22:43


File name / Threat name / Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_96a1f491_.sys.zip Infected: Rootkit.Win32.Agent.fbs 1

The selected area was scanned.

Machine seems to run ok if not just a little bit sluggish. Will defrag when we're done to see if that speeds things up a bit. A few questions:

The best way (in addition to Norton) to perform on-going protection - especially if using torrents

The best way to clean up the registry on an on-going basis (especially to delete references to applications long since uninstalled)

I have one more machine on my home network that may have the same issues. Unfortunately, it is a Vista machine

Any other additional on-going protective measures I should be incorporating.

How's the weather in the UK?

Thanks for your help and patience!

LikeTelevision

Hello LikeTelevision

congratulations, your logs are clean and another fix is in the can

the malwarebytes scan only found remnants and safely quarantined items, and the kaspersky scan only found items already safely quarantined.

i have included additional items below to help speed up your machine.

see below as well, you only need one antivirus program and norton is good enough. using torrents does very much increase the chances of infection despite any protective measures you take.

unlikely to speed up your machine and more likely to do damage trying.

start a new post for this one, say it is a difference machine and say i told you to do so. being a vista machine is no problem.

see below as well....


in this post we will clear away the fix tools (this is so that should you ever be re-infected, you will download updated versions and it will also remove the quarantined Malware from your computer), reset your restore points (there will be infections lurking in there) and i will leave you with some ideas on how to enhance the protection of your machine against future infection.

====STEP 1====
Follow these steps to uninstall Combofix, the tools used in the removal of malware and to flush your system restore points

• Click START then RUN
• Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  

you can remove the malwarebytes via the add/remove programs in your control panel



====IDEAS TO SPEED UP YOUR MACHINE====
this page http://users.telenet.be/bluepatchy/miekiem...owcomputer.html gives some good ideas on how to improve the efficiency of your machine and has one or two useful links to help your further.


====AND FINALLY====
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

1. Spybot Search & Destroy - Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
   
2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.
   
3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
   
4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
   
5. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
   
6. ATF Cleaner - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
   
7. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
   
8. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
   
9. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

best wishes

andrewuk

Thanks Andrewuk:

Three last questions:

Would you use all the tools mentioned on a regular basis or just pick one in each category?

I ran a quick scan with Norton that found (and "resolved") a Trojan Horse Virus"
should I worry about that now? I had Norton disabled while I was running Kaspersky.

Should I continue to run Norton (will it hurt) as an adjunct to the other tools? I just re-subscribed
for a nother year!

I will take you up on your offer to post for the Vista machine.

Thanks you so very much for your help and guidance. Outstanding support!

LikeTelevision

use them all. personally, i update all my security tools on a weekly basis and do a full scan with each of them.

that is a concern. reboot your machine and do another scan - if it picks up another infection, let me know what it was and where it was located. i am thinking that it was perhaps already quarantined by on of the tools we used.

norton is good, keep on using it. it is your antivirus protection and should be enabled at all times.

andrewuk

Hi Andrewuk:

Greyknight answered my initial post regarding my second machine not seeing anything suspicious in the hijackthis log. He next requested a combofix log (attached) to look for hidden issues. Never heard back ftom him yesterday. Can you take a quick look? If it's clean I'll follow your last recommendations to keep my machine clean.

Many thanks,

LikeTelevision

Hi Greyknight:

Here is the log file from ComboFix:

ComboFix 08-11-30.01 - JS 2008-11-30 11:47:21.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.320 [GMT -5:00]
Running from: c:\users\JS\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\x64

.
((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-30 )))))))))))))))))))))))))))))))
.

2008-11-30 11:14 . 2008-11-30 11:14 <DIR> d-------- c:\program files\Trend Micro
2008-11-26 06:13 . 2008-10-21 00:25 1,645,568 --a------ c:\windows\System32\connect.dll
2008-11-26 06:13 . 2008-08-27 22:40 712,704 --a------ c:\windows\System32\WindowsCodecs.dll
2008-11-26 06:13 . 2008-08-27 22:40 425,472 --a------ c:\windows\System32\PhotoMetadataHandler.dll
2008-11-26 06:13 . 2008-08-27 22:40 347,136 --a------ c:\windows\System32\WindowsCodecsExt.dll
2008-11-26 06:13 . 2008-10-21 22:57 241,152 --a------ c:\windows\System32\PortableDeviceApi.dll
2008-11-21 14:48 . 2008-10-16 16:13 1,809,944 --a------ c:\windows\System32\wuaueng.dll
2008-11-21 14:48 . 2008-10-16 15:56 1,524,736 --a------ c:\windows\System32\wucltux.dll
2008-11-21 14:48 . 2008-10-16 16:12 561,688 --a------ c:\windows\System32\wuapi.dll
2008-11-21 14:48 . 2008-10-16 15:55 83,456 --a------ c:\windows\System32\wudriver.dll
2008-11-21 14:48 . 2008-10-16 16:09 51,224 --a------ c:\windows\System32\wuauclt.exe
2008-11-21 14:48 . 2008-10-16 16:09 43,544 --a------ c:\windows\System32\wups2.dll
2008-11-21 14:48 . 2008-10-16 16:08 34,328 --a------ c:\windows\System32\wups.dll
2008-11-21 14:47 . 2008-10-16 14:08 162,064 --a------ c:\windows\System32\wuwebv.dll
2008-11-21 14:47 . 2008-10-16 13:56 31,232 --a------ c:\windows\System32\wuapp.exe
2008-11-21 08:25 . 2008-11-21 08:25 <DIR> d-------- c:\users\All Users\Apple Computer
2008-11-21 08:25 . 2008-11-21 08:25 <DIR> d-------- c:\programdata\Apple Computer
2008-11-21 08:25 . 2008-11-21 08:27 <DIR> d-------- c:\program files\QuickTime
2008-11-21 08:25 . 2008-11-21 08:25 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-20 20:34 . 2008-11-20 20:34 <DIR> d-------- c:\users\JS\AppData\Roaming\HP
2008-11-20 20:34 . 2008-11-20 20:34 <DIR> d-------- c:\users\JS\AppData\Roaming\CyberLink
2008-11-17 20:12 . 2008-11-17 20:12 <DIR> d-------- c:\program files\Bonjour
2008-11-16 16:19 . 2008-11-16 16:19 <DIR> d-------- c:\users\All Users\WindowsSearch
2008-11-16 16:19 . 2008-11-16 16:19 <DIR> d-------- c:\programdata\WindowsSearch
2008-11-13 12:34 . 2008-11-13 12:34 <DIR> d-------- c:\users\All Users\Symantec
2008-11-13 12:34 . 2008-11-13 12:34 <DIR> d-------- c:\programdata\Symantec
2008-11-12 07:24 . 2008-11-12 07:24 <DIR> d-------- c:\users\JS\AppData\Roaming\Creative
2008-11-11 22:39 . 2008-09-09 22:40 1,334,272 --a------ c:\windows\System32\msxml6.dll
2008-11-11 22:39 . 2008-09-05 00:14 1,191,936 --a------ c:\windows\System32\msxml3.dll
2008-11-11 22:39 . 2008-08-26 20:05 212,480 --a------ c:\windows\System32\drivers\mrxsmb10.sys
2008-11-11 18:36 . 2008-11-11 18:37 <DIR> d-------- c:\program files\DNA
2008-11-11 18:36 . 2008-11-11 18:37 <DIR> d-------- c:\program files\BitTorrent
2008-11-11 18:26 . 2008-11-11 18:26 <DIR> d-------- c:\users\JS\AppData\Roaming\Uniblue
2008-11-11 13:19 . 2008-11-11 13:19 <DIR> d-------- c:\users\All Users\FLEXnet
2008-11-11 13:19 . 2008-11-11 13:19 <DIR> d-------- c:\programdata\FLEXnet
2008-11-11 13:01 . 2008-11-11 13:01 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-10 15:03 . 2008-11-10 15:03 <DIR> d--hs---- c:\windows\ftpcache
2008-11-10 15:03 . 2008-11-10 15:03 <DIR> d-------- c:\users\JS\AppData\Roaming\Blumentals
2008-11-10 14:45 . 2008-11-10 14:45 <DIR> d-------- c:\users\All Users\engadven
2008-11-10 14:45 . 2008-11-10 14:45 <DIR> d-------- c:\programdata\engadven
2008-11-10 14:45 . 2008-11-10 14:51 <DIR> d-------- c:\program files\EngAdven
2008-11-10 14:45 . 2008-11-10 14:45 24 -rah----- c:\windows\wcpx_.dat
2008-11-09 20:19 . 2008-11-09 20:19 <DIR> d-------- c:\program files\Symantec
2008-11-09 20:19 . 2008-11-09 20:19 124,464 --a------ c:\windows\System32\drivers\SYMEVENT.SYS
2008-11-09 20:19 . 2008-11-09 20:19 25,136 -ra------ c:\windows\System32\drivers\SymIMV.sys
2008-11-09 20:18 . 2008-11-13 14:17 <DIR> d-------- c:\windows\System32\drivers\NIS
2008-11-09 20:18 . 2008-11-09 20:18 <DIR> d-------- c:\program files\Norton Internet Security
2008-11-09 20:11 . 2008-11-09 20:11 <DIR> d-------- c:\users\All Users\PCSettings
2008-11-09 20:11 . 2008-11-09 20:11 <DIR> d-------- c:\users\All Users\NortonInstaller
2008-11-09 20:11 . 2008-11-09 20:20 <DIR> d-------- c:\users\All Users\Norton
2008-11-09 20:11 . 2008-11-09 20:11 <DIR> d-------- c:\programdata\PCSettings
2008-11-09 20:11 . 2008-11-09 20:11 <DIR> d-------- c:\programdata\NortonInstaller
2008-11-09 20:11 . 2008-11-09 20:20 <DIR> d-------- c:\programdata\Norton
2008-11-09 20:11 . 2008-11-09 20:11 <DIR> d-------- c:\program files\NortonInstaller
2008-11-07 09:33 . 2008-11-07 09:35 <DIR> d-------- c:\users\JS\AppData\Roaming\ooVoo Details
2008-11-07 09:33 . 2008-11-07 09:33 <DIR> d-------- c:\program files\ooVoo
2008-11-06 22:37 . 2008-11-06 22:37 2,560 --a------ c:\windows\_MSRSTRT.EXE
2008-11-06 07:28 . 2008-11-06 07:28 <DIR> d-------- c:\users\JS\AppData\Roaming\Lexmark Productivity Studio
2008-11-06 07:27 . 2008-11-06 07:27 <DIR> d-------- c:\users\All Users\lx_cats
2008-11-06 07:27 . 2008-11-06 07:27 <DIR> d-------- c:\programdata\lx_cats
2008-11-06 07:26 . 2008-11-06 07:26 <DIR> d-------- C:\logs
2008-11-06 07:20 . 2007-02-19 16:00 1,645,320 --a------ c:\windows\System32\gdiplus.dll
2008-11-06 07:19 . 2008-11-06 07:21 <DIR> d-------- c:\program files\Lexmark 3500-4500 Series
2008-11-06 07:18 . 2008-11-06 07:18 <DIR> d-------- C:\lexmark
2008-11-05 12:15 . 2008-11-05 12:15 <DIR> d-------- c:\users\JS\AppData\Roaming\Virtual Mechanics
2008-11-05 12:15 . 2008-11-05 12:15 <DIR> d-------- c:\users\All Users\Virtual Mechanics
2008-11-05 12:15 . 2008-11-05 12:15 <DIR> d-------- c:\programdata\Virtual Mechanics
2008-10-30 21:18 . 2008-10-31 13:49 <DIR> d-------- c:\users\JS\AppData\Roaming\gtk-2.0
2008-10-30 21:15 . 2008-10-30 21:15 <DIR> d-------- c:\users\JS\.thumbnails
2008-10-30 21:13 . 2008-11-11 22:03 <DIR> d-------- c:\users\JS\.gimp-2.6
2008-10-30 21:13 . 2008-10-30 21:13 <DIR> d-------- c:\users\JS\.gegl-0.0
2008-10-30 10:59 . 2008-11-04 20:12 <DIR> d-------- c:\users\JS\AppData\Roaming\FileZilla
2008-10-30 08:21 . 2008-10-30 08:21 <DIR> d-------- c:\users\JS\AppData\Roaming\Hewlett-Packard
2008-10-30 08:19 . 2008-11-20 15:24 <DIR> dr------- c:\users\JS\Videos
2008-10-30 08:19 . 2008-10-30 08:19 <DIR> dr------- c:\users\JS\Searches
2008-10-30 08:19 . 2008-10-30 08:19 <DIR> dr------- c:\users\JS\Saved Games
2008-10-30 08:19 . 2008-10-30 21:48 <DIR> dr------- c:\users\JS\Pictures
2008-10-30 08:19 . 2008-11-11 22:31 <DIR> dr------- c:\users\JS\Music
2008-10-30 08:19 . 2008-10-30 08:19 <DIR> dr------- c:\users\JS\Links
2008-10-30 08:19 . 2008-10-30 08:19 <DIR> dr------- c:\users\JS\Downloads
2008-10-30 08:19 . 2008-11-24 18:34 <DIR> dr------- c:\users\JS\Documents
2008-10-30 08:19 . 2008-10-30 08:19 <DIR> dr------- c:\users\JS\Contacts
2008-10-30 08:19 . 2008-10-30 08:19 <DIR> d-------- c:\users\JS\AppData\Roaming\Symantec
2008-10-30 08:19 . 2006-11-02 07:37 <DIR> d-------- c:\users\JS\AppData\Roaming\Media Center Programs
2008-10-30 08:19 . 2008-10-30 08:19 <DIR> d--h----- c:\users\JS\AppData
2008-10-30 08:19 . 2008-11-13 10:41 <DIR> d-------- c:\users\JS
2008-10-29 19:28 . 2008-10-29 20:00 <DIR> d-------- c:\users\Guest\AppData\Roaming\FileZilla
2008-10-29 19:17 . 2008-10-30 04:38 <DIR> d-------- c:\users\KS\.gimp-2.6
2008-10-29 19:17 . 2008-10-29 19:17 <DIR> d-------- c:\users\KS\.gegl-0.0
2008-10-29 19:12 . 2008-10-31 04:38 <DIR> d-------- c:\users\KS\AppData\Roaming\FileZilla
2008-10-29 19:12 . 2008-10-29 19:12 <DIR> d-------- c:\program files\FileZilla FTP Client
2008-10-29 04:06 . 2008-08-11 22:39 443,392 --a------ c:\windows\System32\win32spl.dll
2008-10-29 04:06 . 2008-08-05 04:49 428,544 --a------ c:\windows\System32\EncDec.dll
2008-10-29 04:06 . 2008-08-05 04:49 293,376 --a------ c:\windows\System32\psisdecd.dll
2008-10-29 04:06 . 2008-08-05 04:48 217,088 --a------ c:\windows\System32\psisrndr.ax
2008-10-29 04:06 . 2008-08-05 04:48 177,664 --a------ c:\windows\System32\mpg2splt.ax
2008-10-29 04:06 . 2008-09-17 23:56 147,456 --a------ c:\windows\System32\Faultrep.dll
2008-10-29 04:06 . 2008-09-17 23:56 125,952 --a------ c:\windows\System32\wersvc.dll
2008-10-29 04:06 . 2008-08-05 04:48 80,896 --a------ c:\windows\System32\MSNP.ax
2008-10-15 04:32 . 2008-09-18 00:09 3,601,464 --a------ c:\windows\System32\ntkrnlpa.exe
2008-10-15 04:32 . 2008-09-18 00:09 3,549,240 --a------ c:\windows\System32\ntoskrnl.exe
2008-10-15 04:32 . 2008-09-17 21:16 2,032,640 --a------ c:\windows\System32\win32k.sys
2008-10-15 04:32 . 2008-10-01 20:32 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2008-10-15 04:32 . 2008-10-01 22:49 827,392 --a------ c:\windows\System32\wininet.dll
2008-10-15 04:32 . 2008-08-26 20:06 288,768 --a------ c:\windows\System32\drivers\srv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-18 01:13 --------- d-----w c:\program files\Common Files\Adobe
2008-11-12 13:18 --------- d-----w c:\programdata\CyberLink
2008-11-12 12:16 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-10 01:23 --------- d-----w c:\program files\Common Files\Symantec Shared
2008-11-10 01:19 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2008-11-10 01:19 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2008-11-10 01:10 --------- d-----w c:\programdata\Symantec Temporary Files
2008-10-22 21:21 21,248 ----a-w c:\windows\Help\OEM\scripts\HPScript.exe
2008-10-17 11:15 --------- d-----w c:\users\Guest\AppData\Roaming\Move Networks
2008-10-16 09:45 --------- d-----w c:\program files\Windows Mail
2008-10-06 16:51 20,224 ----a-w c:\windows\Help\OEM\scripts\HC_checkMUI.dll
2008-09-30 21:43 1,286,152 ----a-w c:\windows\System32\msxml4.dll
2008-09-04 00:11 54,600 ----a-w C:\npbittorrent.dll
2008-08-21 21:16 11,520 ----a-w c:\windows\Help\OEM\scripts\HCNetworkTest.exe
2008-08-02 03:26 36,864 ----a-w c:\windows\System32\cdd.dll
2008-07-05 13:29 174 --sha-w c:\program files\desktop.ini
2007-11-06 23:04 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-11-06 23:04 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-11-06 23:04 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2007-08-18 16:49 22 --sha-w c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-08-18 171448]
"Google Update"="c:\users\JS\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-12 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 1033512]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"Windows Mobile-based device management"="c:\windows\WindowsMobile\wmdcBase.exe" [2007-05-31 648072]
"lxdimon.exe"="c:\program files\Lexmark 3500-4500 Series\lxdimon.exe" [2007-07-16 434864]
"lxdiamon"="c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe" [2007-07-16 25264]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"PD0630 STISvc"="P0630Pin.dll" [2005-06-05 c:\windows\System32\P0630Pin.dll]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Health Check Scheduler]
--a------ 2007-03-12 13:54 50696 c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-02-17 01:11 49152 c:\program files\Hp\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
--a------ 2007-02-13 13:38 159744 c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
--------- 2007-04-23 17:11 176128 c:\program files\Hp\QuickPlay\QPService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-20 20:23 185896 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{411D0265-523C-4C23-93B2-A686144EE2E7}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A618E181-A524-4E62-8E77-D364DE34850C}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A07CD5B6-9B9D-40AB-9555-43055215DAA3}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{A3E61AF1-A002-4E7E-B4BE-F96F7D7A1906}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1CB5E2B2-223D-4192-BDDA-189A900AEFBA}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{996EBD35-5809-4CDD-AC96-9EA2610271C5}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{737224D1-2A12-465C-81BA-C555BAE5A1FC}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{E078A105-4EC5-43F1-8560-050E50D1EC51}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{F61D5A65-B978-4D5B-9DD1-724B4BD9A252}"= UDP:c:\windows\System32\lxdicoms.exe:Lexmark Communications System
"{CF88FAC5-A32C-4FD1-979C-6DAF7AB77C8B}"= TCP:c:\windows\System32\lxdicoms.exe:Lexmark Communications System
"{77E40052-8BE3-4B65-9F50-177B0B205780}"= UDP:c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe:Lexmark Device Monitor
"{0F2C54C2-FAB6-4DA5-B371-9117BB9956DC}"= TCP:c:\program files\Lexmark 3500-4500 Series\lxdiamon.exe:Lexmark Device Monitor
"{F4B17366-A87E-4462-A690-8AD1DBD5643B}"= UDP:c:\program files\Lexmark 3500-4500 Series\App4R.exe:Lexmark Imaging Studio
"{6DE3FC2D-52B0-425A-A167-A4F197970581}"= TCP:c:\program files\Lexmark 3500-4500 Series\App4R.exe:Lexmark Imaging Studio
"{2121957E-80B1-4AD3-A38D-C99F92B1799B}"= UDP:c:\program files\Lexmark 3500-4500 Series\lxdimon.exe:Device Monitor
"{90917DC5-99AC-4CDD-B1E0-6D316644FE59}"= TCP:c:\program files\Lexmark 3500-4500 Series\lxdimon.exe:Device Monitor
"{F1B815C0-1C77-4D0B-B5BA-E826D4319111}"= UDP:443:ooVoo TCP port 443
"{60A574A7-189A-4F75-B7D0-6A7B5C546B92}"= TCP:443:ooVoo UDP port 443
"{FA96D605-987F-4197-AA85-47A037A24717}"= UDP:37674:ooVoo TCP port 37674
"{D7262A7C-D9BE-414C-8837-EAD1ADBD0466}"= TCP:37674:ooVoo UDP port 37674
"{107F764F-085B-4B6B-B83B-865873C65636}"= TCP:37675:ooVoo UDP port 37675
"{832E8D19-F828-4EFC-9F96-C441E3D1053C}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{18953004-3F41-49A6-ADCE-B63264E69050}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{E5E7E400-9B1D-4E3D-8BA1-668FF64C8455}c:\\program files\\lexmark 3500-4500 series\\lxdiamon.exe"= UDP:c:\program files\lexmark 3500-4500 series\lxdiamon.exe:Device Monitor Application
"UDP Query User{C437DDC3-578C-4828-8B99-98865C909978}c:\\program files\\lexmark 3500-4500 series\\lxdiamon.exe"= TCP:c:\program files\lexmark 3500-4500 series\lxdiamon.exe:Device Monitor Application
"TCP Query User{367786BF-EF92-438E-9011-1404F6EF40DD}c:\\program files\\lexmark 3500-4500 series\\lxdimon.exe"= UDP:c:\program files\lexmark 3500-4500 series\lxdimon.exe:Device Monitor
"UDP Query User{3A4A6F21-C652-4A9D-982D-C00F1AC6B64D}c:\\program files\\lexmark 3500-4500 series\\lxdimon.exe"= TCP:c:\program files\lexmark 3500-4500 series\lxdimon.exe:Device Monitor
"{8FFE38E0-A4E9-4DF6-83A4-960A97980C90}"= c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe:Symantec Service Framework
"TCP Query User{23900943-53EF-4C8C-A067-12F49791DF1E}c:\\program files\\oovoo\\oovoo.exe"= UDP:c:\program files\oovoo\oovoo.exe:ooVoo
"UDP Query User{5ADDDAA4-A029-48AF-AD12-253207BE840A}c:\\program files\\oovoo\\oovoo.exe"= TCP:c:\program files\oovoo\oovoo.exe:ooVoo

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\Drivers\NIS\1001000.021\BHDrvx86.sys [2008-11-13 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\Drivers\NIS\1001000.021\ccHPx86.sys [2008-11-13 362544]
R1 IDSVix86;IDSVix86;\??\c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20081127.002\IDSvix86.sys [2008-11-29 289840]
R2 lxdi_device;lxdi_device;c:\windows\system32\lxdicoms.exe -service []
R2 Norton Internet Security;Norton Internet Security;"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\ccSvcHst.exe" /s "Norton Internet Security" /m "c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.1.0.33\diMaster.dll" /prefetch:1 []
R2 SSPORT;SSPORT;\??\c:\windows\system32\Drivers\SSPORT.sys [2008-01-20 5120]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\Drivers\NIS\1001000.021\SYMNDISV.SYS [2008-11-13 40496]
S2 lxdiCATSCustConnectService;lxdiCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxdiserv.exe [2007-06-11 99248]
S3 P0630VID;Creative WebCam Live!;c:\windows\system32\DRIVERS\P0630Vid.sys [2008-11-12 91841]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr

*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder

2008-11-30 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\users\JS\AppData\Local\Google\Update\GoogleUpdate.exe [2008-11-12 08:30]

2008-11-18 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - KS.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-30 11:56:20
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(4472)
c:\program files\Hewlett-Packard\HP Advisor\Pillars\Market\MLDeskBand.dll
.
Completion time: 2008-11-30 12:01:32
ComboFix-quarantined-files.txt 2008-11-30 17:01:17

Pre-Run: 67,531,784,192 bytes free
Post-Run: 68,721,147,904 bytes free

275 --- E O F --- 2008-11-26 18:31:34

Thanks you and look forward to your response.

LikeTelevision

Greyknight will be back to answer your other post - when we start a thread we finish it. if for whatever reason we can not, then anothe helper will takeover. replies are often not instant, but should be within 24 hours.

hence, you should await instructions from Greyknight.

unless there are anymore questions about your first machine, i intend to close this as resolved?

andrewuk

andrewuk:

Sorry, was not a comment on the support from you guys...you have both been outstanding. Please consider this thread closed, and I will continue to follow protocol.

Thanks again,

LikeTelevision

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.