Hi Gringo,
I ran ComboFix. It gave me a message that Symantec was still running even though I'd disabled the protections and warned me I was running at my own risk.
During the first run, it gave me the blue screen of death midway through. I restarted and tried again, this time successfully.
Here's the Combofix log:
ComboFix 13-05-20.01 - ltioupine 05/21/2013 8:55.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2319 [GMT -7:00]
Running from: c:\documents and settings\ltioupine\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ltioupine\g2mdlhlpx.exe
c:\documents and settings\ltioupine\Local Settings\Temporary Internet Files\~$nsent_4005.doc
c:\documents and settings\ltioupine\Local Settings\Temporary Internet Files\Consent_4005.doc
c:\documents and settings\ltioupine\Local Settings\Temporary Internet Files\UM_43FD2BF2-6CEF-4138-BA75-249913DF513D.mp3
c:\documents and settings\ltioupine\My Documents\~WRL0001.tmp
c:\documents and settings\ltioupine\My Documents\~WRL0004.tmp
c:\documents and settings\ltioupine\My Documents\~WRL0005.tmp
c:\documents and settings\ltioupine\My Documents\~WRL0841.tmp
c:\documents and settings\ltioupine\My Documents\~WRL2057.tmp
c:\documents and settings\ltioupine\My Documents\~WRL3222.tmp
c:\documents and settings\ltioupine\WINDOWS
c:\program files\Internet Explorer\SET640.tmp
c:\program files\Internet Explorer\SET642.tmp
c:\windows\dasetup.log
c:\windows\system32\_000005_.tmp.dll
c:\windows\system32\drivers\tcpip.copy
c:\windows\system32\SET549.tmp
c:\windows\system32\SET62C.tmp
c:\windows\system32\SET62D.tmp
c:\windows\system32\SET62E.tmp
c:\windows\system32\SET632.tmp
c:\windows\system32\SET633.tmp
c:\windows\system32\SET636.tmp
c:\windows\system32\SET638.tmp
c:\windows\system32\SET639.tmp
c:\windows\system32\SET63B.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\wininit.ini
.
.
((((((((((((((((((((((((( Files Created from 2013-04-21 to 2013-05-21 )))))))))))))))))))))))))))))))
.
.
2013-05-21 03:48 . 2013-05-21 03:48 -------- d-----w- c:\windows\ERUNT
2013-05-21 03:48 . 2013-05-21 03:48 -------- d-----w- C:\JRT
2013-05-17 19:26 . 2013-05-17 21:02 -------- d-----w- c:\program files\Repair Access Database Free
2013-05-17 19:25 . 2013-05-17 19:25 0 ----a-w- c:\windows\system32\TempWmicBatchFile.bat
2013-05-15 21:56 . 2013-04-16 22:17 759296 ----a-w- c:\program files\Common Files\Microsoft Shared\VGX\SET63F.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-05-08 09:21 . 2010-09-16 05:21 174056 ----a-w- c:\windows\system32\drivers\wpshelper.sys
2013-04-18 01:05 . 2012-04-16 17:27 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-04-18 01:05 . 2011-05-27 17:16 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-04-16 22:17 . 2008-04-14 12:42 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2008-04-14 12:42 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-16 22:17 . 2008-04-14 12:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-12 23:28 . 2008-04-14 07:07 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2008-04-14 08:00 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-03-08 08:36 . 2008-04-14 12:42 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:32 . 2008-04-14 07:54 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2008-04-14 00:01 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-03-06 20:47 . 2013-03-06 20:48 342528 ----a-w- c:\windows\system32\RunAsCurrentUser.exe
2013-03-05 02:08 . 2013-03-05 02:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-05 02:08 . 2008-09-26 21:37 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-05 02:08 . 2012-07-17 20:03 861088 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-03-05 02:08 . 2010-10-05 20:58 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-27 05:31 . 2008-09-26 16:21 36864 ----a-w- c:\windows\system32\tsgqec.dll
2013-02-27 05:31 . 2008-09-26 16:21 131072 ----a-w- c:\windows\system32\aaclient.dll
2013-02-27 05:31 . 2008-09-26 16:21 2691072 ----a-w- c:\windows\system32\mstscax.dll
2010-07-13 16:18 . 2013-05-17 21:20 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-09-12 . CBEEBEB899E31EF52B962CB31FC8CA5C . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-04-14 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB951748$\tcpip.sys
.
[-] 2008-09-25 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\ltioupine\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-20 5248312]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2012-09-20 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2008-07-24 1044480]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-07-13 30192]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2011-02-04 115624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-06-08 37296]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2011-06-08 40376]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-23 640440]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-10-12 59280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2012-10-25 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
c:\documents and settings\ltioupine\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\ltioupine\Application Data\Dropbox\bin\Dropbox.exe [2013-3-12 29106336]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bug Shooting 2.lnk - c:\program files\Bug Shooting 2\BugShooting2.exe [2011-1-31 1895936]
Pidgin.lnk - c:\program files\Pidgin\pidgin.exe [2013-2-12 60216]
VPN Client.lnk - c:\windows\Installer\{14FCFE7C-AB86-428A-9D2E-BFB6F5A7AA6E}\Icon3E5562ED7.ico [2012-9-17 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"consentpromptbehavioradmin"= 0 (0x0)
"MaxGPOScriptWait"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-20159\Scripts\Logon\0\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-20159\Scripts\Logon\1\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-61952\Scripts\Logon\0\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2695169584-3817918341-3537416689-61952\Scripts\Logon\1\0]
"Script"=rndlocpa.bat
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [3/9/2009 11:04 AM 24064]
R2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [12/14/2010 12:31 PM 2228008]
R3 e1kexpress;Intel® PRO/1000 PCI Express Network Connection Driver K;c:\windows\system32\drivers\e1k5132.sys [3/9/2009 11:04 AM 144480]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/14/2012 9:50 AM 106656]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [7/12/2010 6:04 PM 23888]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [3/24/2010 12:33 PM 30192]
S3 magaService;Lan Discover Agent;c:\program files\Sygate\SSA\maga\maga.exe --> c:\program files\Sygate\SSA\maga\maga.exe [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-16 01:05]
.
2013-05-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 20:34]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-10 06:30]
.
2013-05-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-05-10 06:30]
.
2013-05-21 c:\windows\Tasks\User_Feed_Synchronization-{3B29D418-85CB-4174-AED6-4BE6085B3DD8}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
2013-05-21 c:\windows\Tasks\User_Feed_Synchronization-{616BF532-8A2E-4B44-8384-DD2108B764D8}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MIBE46~1\Office12\EXCEL.EXE/3000
IE: {{c95fe080-8f5d-11d2-a20b-00aa003c157a}
Trusted Zone: perfect.com\secure-stage
Trusted Zone: perfect.com\wbm-stage
Trusted Zone: ucop.edu\prod
Trusted Zone: ucsf.edu\d13n1
Trusted Zone: ucsf.edu\peoplesoft
Trusted Zone: ucsf.edu\s2n1
Trusted Zone: ucsf.edu\s3n1
Trusted Zone: ucsf.edu\s5n1
Trusted Zone: perfect.com\secure-stage
Trusted Zone: perfect.com\wbm-stage
Trusted Zone: ucop.edu\prod
Trusted Zone: ucsf.edu\peoplesoft
Trusted Zone: ucsf.edu\s2n1
Trusted Zone: ucsf.edu\s3n1
Trusted Zone: ucsf.edu\s5n1
TCP: DhcpNameServer = 128.218.254.10 128.218.254.40
TCP: Interfaces\{D42D6627-7DD3-4794-B635-A65B95043B29}: NameServer = 64.54.128.37,64.54.128.53
DPF: {00460182-9E5E-11D5-B7C8-B8269041DD68} - hxxps://myaccess.ucsf.edu/imedris/wordwrap.cab
DPF: {41861299-EAB2-4DCC-986C-802AE12AC499} - hxxps://rio.ucsf.edu/ReportServer/Reserved.ReportViewerWebControl.axd?ExecutionID=kv15ot555ry0i0fxghhbuzrw&ControlID=a282698d3c4f4f9897ee2c6a3ca14d50&Culture=127&UICulture=9&ReportStack=1&OpType=PrintCab
DPF: {43A4658A-8BA8-43A9-94BA-E3A22500FB17} - hxxps://chr-hrpp.ucsf.edu/commwrap.cab
DPF: {5A336865-2009-11D4-87C0-0050DACCFBC5} - hxxps://myaccess.ucsf.edu/imedris/IGInterAct40.cab
FF - ProfilePath - c:\documents and settings\ltioupine\Application Data\Mozilla\Firefox\Profiles\bo3afth4.default-1368836151203\
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2013-05-21 09:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_169_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1788)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\msv1_0.dll
.
- - - - - - - > 'lsass.exe'(1852)
c:\windows\SYSTEM32\SYSFER.DLL
.
Completion time: 2013-05-21 09:07:41
ComboFix-quarantined-files.txt 2013-05-21 16:07
.
Pre-Run: 180,086,853,632 bytes free
Post-Run: 185,796,243,456 bytes free
.
- - End Of File - - F398E58C55378624D62F2D9DAC5F0AE7