sudden re-boots, System Security malware, Google redirect, and floppy drives hidden

edited August 2009 in Spyware & Virus Removal
Alright, I hope I do this right and someone can help me with a multi-fanged problem. Many thanks in advance to all who take the time to help me restore my computer to its former glory and my sanity to some semblance of normalcy.

First, several weeks ago my computer was infected with the "System Security" malware/virus and I was successful in removing it in safe mode based largely on information gleaned from Icrontic Forums.

Since then, I have had one recurrence of System Security, and I think I am rid of it. However, all of my Google search results are redirected and it is really getting on my nerves. I cannot find a program that seems to detect the problem and get rid of it.

Third, occasionally I find my computer has re-booted itself on its own.
This will also happen when running various malware/anti-virus/registry programs including Malwarebytes and Spybot and GMER and CCleaner and Avast. When the computer gets running again I get a report of the computer recovering from a serious error (screen captures attached).

Speaking of Avast, I cannot seem to disable/uninstall the Symantec/Norton that my computer was outfitted with, so Avast tells me upon every startup that certain components of it are in conflict with Norton and are thus disabled.

Finally, when I make an attempt to burn a DVD-R, none of my burning utilities recognize my DVD-R/W drive. I thought that the drive was dying, but realized it reads DVDs fine, and when I upgraded ImgBurn the other day it displayed an error that was most informative: it said that there was a rootkit/virus or similar blocking access to the drives via SPTI (screen captures attached).

Here is my most recent Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:00:09, on 7/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINNT\system32\SK9910DM.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINNT\GWMDMMSG.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINNT\system32\ctfmon.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wuauclt.exe
C:\hijackthis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\update.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/28750cc0a72b327c8c20/netzip/RdxIE601.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7721A874-C578-4DAA-8351-EBE32CCF17F9}: NameServer = 24.217.0.5,24.217.201.67
O20 - AppInit_DLLs: khpcpv.dll nztqlw.dll difjqh.dll tlnete.dll jhgxql.dll tycsow.dll vkgxsy.dll oduheh.dll ,
O20 - Winlogon Notify: awtuuRij - awtuuRij.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Update Service (gupdate1c9a45a207d1510) (gupdate1c9a45a207d1510) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 9372 bytes

Comments

  • edited July 2009
    Hey there, welcome. :)

    Let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

    Go here ======> A guide and tutorial on using ComboFix <====== Go here

    Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should get a prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    (1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    (2) Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.


    Please include C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.


    Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
  • edited July 2009
    Alright here goes...

    New Hijackthis log first:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:59:06, on 7/30/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16850)
    Boot mode: Normal
    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINNT\System32\NMSSvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINNT\system32\SK9910DM.EXE
    C:\WINNT\GWMDMMSG.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINNT\system32\ctfmon.exe
    C:\WINNT\system32\wscntfy.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HiJackThis.exe
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7721A874-C578-4DAA-8351-EBE32CCF17F9}: NameServer = 24.217.0.5,24.217.201.67
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Google Update Service (gupdate1c9a45a207d1510) (gupdate1c9a45a207d1510) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    --
    End of file - 9125 bytes

    Now the Combofix log:

    ComboFix 09-07-29.04 - Owner 07/30/2009 19:28.1.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.198 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    AV: avast! antivirus 4.8.1335 [VPS 090730-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\program files\Toolbar
    c:\recycler\NPROTECT
    c:\recycler\NPROTECT\NPROTECT.LOG
    c:\winnt\Downloaded Program Files\popcaploader.inf
    c:\winnt\Downloaded Program Files\RdxIE.dll
    c:\winnt\Downloaded Program Files\temp
    c:\winnt\file.bat
    c:\winnt\Install.txt
    c:\winnt\system32\404Fix.exe
    c:\winnt\system32\Agent.OMZ.Fix.exe
    c:\winnt\system32\comjl.dll
    c:\winnt\system32\ctlgn.dll
    c:\winnt\system32\Data
    c:\winnt\system32\drivers\hjgruigexvobph.sys
    c:\winnt\system32\dumphive.exe
    c:\winnt\system32\hjgruilog.dat
    c:\winnt\system32\hjgruivttlacap.dll
    c:\winnt\system32\hjgruixfmxysju.dat
    c:\winnt\system32\hjgruiximcuxqq.dll
    c:\winnt\system32\hjgruiyxpwiygq.dat
    c:\winnt\system32\hlpni.dll
    c:\winnt\system32\IEDFix.C.exe
    c:\winnt\system32\IEDFix.exe
    c:\winnt\system32\mbumurxk.ini
    c:\winnt\system32\o4Patch.exe
    c:\winnt\system32\pdwhmock.ini
    c:\winnt\system32\Process.exe
    c:\winnt\system32\SrchSTS.exe
    c:\winnt\system32\tmp.reg
    c:\winnt\system32\VACFix.exe
    c:\winnt\system32\VCCLSID.exe
    c:\winnt\system32\WS2Fix.exe
    e:\recycled\NPROTECT\NPROTECT.LOG
    k:\recycled\NPROTECT\NPROTECT.LOG
    c:\winnt\system32\proquota.exe . . . is missing!!
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \Service_hjgruiqbhjxdwj
    \Service_UACd.sys
    \Legacy_MSNCACHE
    \Legacy_SOPIDKC
    \Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
    \Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

    ((((((((((((((((((((((((( Files Created from 2009-06-28 to 2009-07-31 )))))))))))))))))))))))))))))))
    .
    2009-07-28 02:15 . 2009-07-28 02:15 286208 ----a-w- c:\program files\hwmywopf.exe
    2009-07-28 01:49 . 2009-07-28 01:49 286208 ----a-w- c:\program files\orkxj14c.exe
    2009-07-28 01:46 . 2009-07-28 01:46 2169915 ----a-w- c:\program files\SetupImgBurn_2.5.0.0.exe
    2009-07-28 01:39 . 2003-10-11 06:06 21654229 ----a-w- c:\program files\nero60015.exe
    2009-07-26 17:26 . 2009-07-26 17:26 -------- d-----w- C:\The_Red_House_Mystery
    2009-07-26 17:25 . 2009-07-26 17:25 -------- d-----w- C:\Comedy-Genius
    2009-07-26 17:22 . 2009-07-26 17:22 -------- d-----w- C:\301 Inkjet Tips and Techniques - An Essential Printing Resource for Photographers
    2009-07-26 17:19 . 2009-07-26 17:23 -------- d-----w- C:\The Avett Brothers - 2009 - I and Love and You [EP] [320 Transcode]
    2009-07-26 16:38 . 2009-07-26 16:38 -------- d-----w- C:\Taste_of_Mexico.pdf
    2009-07-26 16:37 . 2009-07-26 18:24 -------- d-----w- C:\Flight of the Conchords NZ Tourism Posters
    2009-07-20 02:05 . 2009-07-20 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2009-07-20 02:05 . 2009-07-20 02:05 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
    2009-07-20 01:57 . 2009-07-20 01:58 -------- d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
    2009-07-20 01:44 . 2009-07-20 01:44 -------- d-----w- c:\winnt\system32\NtmsData
    2009-07-05 01:11 . 2009-07-05 15:55 -------- d-----w- c:\program files\COMODO
    2009-07-05 01:06 . 2009-07-05 01:11 78992656 ----a-w- c:\program files\CIS_Setup_3.10.101801.529_XP_Vista_x32.exe
    2009-07-05 01:04 . 2009-02-05 20:06 23152 ----a-w- c:\winnt\system32\drivers\aswRdr.sys
    2009-07-05 01:04 . 2009-02-05 20:06 51376 ----a-w- c:\winnt\system32\drivers\aswTdi.sys
    2009-07-05 01:04 . 2009-02-05 20:05 26944 ----a-w- c:\winnt\system32\drivers\aavmker4.sys
    2009-07-05 01:04 . 2009-02-05 20:04 97480 ----a-w- c:\winnt\system32\AvastSS.scr
    2009-07-05 01:03 . 2009-02-05 20:08 93296 ----a-w- c:\winnt\system32\drivers\aswmon.sys
    2009-07-05 01:03 . 2009-02-05 20:08 94032 ----a-w- c:\winnt\system32\drivers\aswmon2.sys
    2009-07-05 01:03 . 2009-02-05 20:07 114768 ----a-w- c:\winnt\system32\drivers\aswSP.sys
    2009-07-05 01:03 . 2009-02-05 20:07 20560 ----a-w- c:\winnt\system32\drivers\aswFsBlk.sys
    2009-07-05 01:03 . 2009-02-05 20:11 1256296 ----a-w- c:\winnt\system32\aswBoot.exe
    2009-07-05 01:03 . 2009-07-05 01:03 -------- d-----w- c:\program files\Alwil Software
    2009-07-05 00:58 . 2009-07-05 00:58 308160 ----a-w- c:\program files\avast_home_setup.exe
    2009-07-04 02:16 . 2009-07-04 02:17 3360392 ----a-w- c:\program files\RegistryEasy.exe
    2009-07-03 23:43 . 2009-07-04 02:40 -------- d-----w- c:\program files\ccleaner reg backup
    2009-07-03 01:03 . 2009-07-03 01:03 -------- d-----w- c:\program files\CCleaner
    2009-07-03 01:02 . 2009-07-03 01:02 3252640 ----a-w- c:\program files\ccsetup221.exe
    2009-07-02 02:25 . 2009-07-02 03:02 -------- d-----w- C:\Little Village - Studio rehearsals 1992-04-XX
    2009-07-02 02:19 . 2009-07-02 04:23 -------- d-----w- C:\Highwaymen - 960604 - Los Angeles, CA
    2009-07-02 02:16 . 2009-07-02 02:38 -------- d-----w- C:\Waylon Jennings-Aug02-1975
    2009-07-02 02:13 . 2009-07-02 02:19 -------- d-----w- C:\RY Cooder & Nick Lowe_Auditorium_Roma_270609
    2009-07-01 12:30 . 2009-07-01 12:46 -------- d-----w- C:\seldomscenejapan85
    2009-07-01 12:29 . 2009-07-01 12:32 -------- d-----w- C:\WaylonAbbottHS
    2009-07-01 03:20 . 2009-07-01 04:04 -------- d-----w- C:\2002-04-18 House of Blues - New Orleans, LA
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-07-30 00:50 . 2009-03-14 04:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-07-28 01:52 . 2008-07-10 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\uTorrent
    2009-07-20 02:13 . 2002-10-17 23:52 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-07-13 21:48 . 2009-02-08 06:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-13 21:31 . 2004-07-10 01:59 -------- d-----w- c:\program files\Sploof
    2009-07-13 21:30 . 2004-06-26 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-13 20:55 . 2009-03-31 13:19 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-07-13 18:36 . 2009-02-08 06:35 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2009-07-13 18:36 . 2009-02-08 06:35 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2009-07-07 00:39 . 2009-07-07 00:39 171629 ----a-w- c:\program files\hjsplit.rar
    2009-07-05 16:13 . 2002-10-17 23:57 -------- d-----w- c:\program files\Symantec
    2009-07-05 16:13 . 2002-10-17 23:57 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2009-06-28 03:59 . 2008-10-21 23:09 120 ----a-w- C:\drmHeader.bin
    2009-06-16 14:36 . 1980-01-01 05:00 81920 ----a-w- c:\winnt\system32\fontsub.dll
    2009-06-16 14:36 . 1980-01-01 05:00 119808 ----a-w- c:\winnt\system32\t2embed.dll
    2009-06-15 12:52 . 2003-09-25 16:01 -------- d-----w- c:\program files\DivX
    2009-06-15 12:51 . 2009-04-08 01:48 -------- d-----w- c:\program files\Common Files\DivX Shared
    2009-06-15 12:46 . 2009-06-15 12:45 16742799 ----a-w- c:\program files\vlc-0.9.9-win32.exe
    2009-06-07 15:02 . 2009-06-07 15:02 -------- d-----w- c:\documents and settings\Owner\Application Data\dBpoweramp
    2009-06-07 02:56 . 2009-06-07 02:56 14373 ----a-w- c:\winnt\system32\SpoonUninstall-dBpoweramp Music Converter.dat
    2009-06-07 02:55 . 2009-06-07 02:55 5433520 ----a-w- c:\program files\dMC-R13.2-Ref-Trial.exe
    2009-06-07 02:55 . 2004-06-06 00:32 5433520 -c--a-w- c:\winnt\system32\SpoonUninstall.exe
    2009-06-05 23:12 . 2009-06-05 23:12 9615808 ----a-w- C:\windows-kb890830-v2.10.exe
    2009-06-04 01:41 . 2009-06-04 01:41 -------- d-----w- c:\program files\AML Products
    2009-06-04 01:41 . 2009-06-04 01:40 2544682 ----a-w- C:\regcleaner.exe
    2009-06-03 19:09 . 2003-05-13 15:28 1291264 ----a-w- c:\winnt\system32\quartz.dll
    2009-05-07 15:32 . 1980-01-01 05:00 345600 ----a-w- c:\winnt\system32\localspl.dll
    2009-04-28 01:16 . 2009-04-28 01:16 9915072 ----a-w- c:\program files\winamp5552_full_emusic-7plus_en-us.exe
    2009-03-29 01:06 . 2008-07-15 00:33 43008 --sha-w- c:\program files\Thumbs.db
    2009-03-28 01:59 . 2009-03-28 01:25 868352 ----a-w- c:\program files\dboot.exe
    2009-03-09 23:25 . 2009-03-09 23:25 14929905 ----a-w- c:\program files\klcodec470f.exe
    2008-09-12 02:24 . 2008-09-12 02:24 304957 ----a-w- c:\program files\hjsplit.zip
    2008-08-09 01:21 . 2008-08-09 01:21 3748544 ----a-w- c:\program files\ephpod277.exe
    2008-07-15 00:36 . 2008-07-15 00:32 454656 ----a-w- c:\program files\putty.exe
    2008-07-08 03:42 . 2008-07-08 03:42 9057472 ----a-w- c:\program files\Vuze_3.1.1.0_windows.exe
    2008-05-24 02:52 . 2008-05-24 02:52 230996 ----a-w- c:\program files\in_mp4_2.0.zip
    2008-02-07 04:02 . 2008-02-07 04:02 2125249 ----a-w- c:\program files\burrrn_package.exe
    2008-02-07 03:53 . 2008-01-30 13:58 2461696 ----a-w- c:\program files\Feurio_168_Install_eng.exe
    2008-02-02 00:06 . 2008-02-01 14:02 2228534 ----a-w- c:\program files\audacity-win-1.2.6.exe
    2008-02-01 14:07 . 2008-02-01 14:04 21016 ----a-w- c:\program files\John Popper - Jono Manson - Paolo Bonfanti 2003.03.15 Chiari ITA.torrent
    2007-12-24 14:33 . 2007-12-24 14:33 26531 ----a-w- c:\program files\avettbrothers_2006-08-05_galaxybarn.flac16.torrent
    2007-12-24 02:07 . 2007-12-24 02:05 2873585 ----a-w- c:\program files\ptwindows.exe
    2007-12-18 03:47 . 2007-12-18 03:47 2428988 ----a-w- c:\program files\eac-0.99pb3.exe
    2007-12-18 03:45 . 2007-12-18 03:44 1400322 ----a-w- c:\program files\tralih201143.exe
    2007-02-01 23:11 . 2008-09-12 02:25 582 ----a-w- c:\program files\readme.txt
    2007-01-16 02:17 . 2007-01-16 02:13 498064 -c--a-w- c:\program files\TA2005_2.exe
    2006-08-21 00:10 . 2006-08-21 00:10 4427776 -c--a-w- c:\program files\CJXP33SE.exe
    2006-08-21 00:09 . 2006-08-21 00:07 9222144 -c--a-w- c:\program files\CJXP33LE.exe
    2006-08-11 04:18 . 2006-08-11 04:18 16092160 -c--a-w- c:\program files\CJB700EN.exe
    2006-08-08 23:30 . 2006-08-08 23:30 174517 ----a-w- c:\program files\DRMFree.zip
    2006-08-08 23:09 . 2006-08-08 12:25 4196037 -c--a-w- c:\program files\CDRoller630_en.exe
    2006-08-08 00:13 . 2006-08-07 23:19 1651938 -c--a-w- c:\program files\install.exe
    2004-12-18 03:23 . 2004-12-18 03:23 32029 -c--a-w- c:\program files\u21990.shnf - Hansa Ton Salome Complete.torrent
    2004-12-18 03:22 . 2004-12-18 03:22 1123 -c--a-w- c:\program files\Salome The Axtung Beibi Outtakes 3 CD Set 277 110 FLAC (CD1 - Track 10) FIXED.torrent
    2004-12-18 02:37 . 2004-12-18 02:37 398456 -c--a-w- c:\program files\incredimail_install.exe
    2004-11-11 17:03 . 2008-05-24 02:52 178 ----a-w- c:\program files\free-codecs.txt
    2004-08-04 07:56 . 2002-09-03 17:23 69120 -c--a-w- c:\program files\notepad.exe
    2003-12-03 23:04 . 2006-05-24 01:09 9189896 -c--a-w- c:\program files\EXCEL.EXE
    2003-03-15 11:38 . 2003-03-15 11:38 16141 -c--a-w- c:\program files\mission.htm
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="NvQTwk" [X]
    "GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
    "UpdReg"="c:\winnt\UpdReg.EXE" [2000-05-11 90112]
    "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-11-12 100056]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "NeroCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
    "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
    "GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-08-06 90112]
    "CTHelper"="CTHELPER.EXE" - c:\winnt\system32\cthelper.exe [2002-07-02 24576]
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\winnt\pss\Adobe Gamma Loader.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=c:\winnt\pss\InterVideo WinCinema Manager.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v3 Smart Wizard.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk
    backup=c:\winnt\pss\NETGEAR WG111v3 Smart Wizard.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
    backup=c:\winnt\pss\NkvMon.exe.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SharedAccess"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\FlashFXP\\flashfxp.exe"=
    "c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
    "c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
    R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [7/4/2009 8:03 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [7/4/2009 8:03 PM 20560]
    R2 NProtectService;Norton Unerase Protection;c:\program files\Norton AntiVirus\AdvTools\NPROTECT.EXE [10/23/2004 6:40 PM 135168]
    R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [10/17/2002 6:57 PM 6736]
    R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\winnt\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]
    S2 gupdate1c9a45a207d1510;Google Update Service (gupdate1c9a45a207d1510);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2009 11:05 PM 133104]
    S3 BW2NDIS5;BW2NDIS5;c:\winnt\system32\Drivers\BW2NDIS5.sys --> c:\winnt\system32\Drivers\BW2NDIS5.sys [?]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
    S3 psa64s;psa64s;c:\winnt\system32\DRIVERS\psa64s.sys --> c:\winnt\system32\DRIVERS\psa64s.sys [?]
    S3 psa64u;Nike psa[64 Player Control Driver;c:\winnt\system32\Drivers\psa64u.sys --> c:\winnt\system32\Drivers\psa64u.sys [?]
    --- Other Services/Drivers In Memory ---
    *NewlyCreated* - NMSCFG
    *NewlyCreated* - NMSSVC
    *Deregistered* - IPVNMon
    .
    Contents of the 'Scheduled Tasks' folder
    2009-07-31 c:\winnt\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-14 15:15]
    2009-07-31 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:05]
    2009-07-30 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:05]
    2008-10-01 c:\winnt\Tasks\Norton AntiVirus - Scan my computer - Owner.job
    - c:\progra~1\NORTON~1\NAVW32.EXE [2003-08-17 23:22]
    2009-07-25 c:\winnt\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\Navw32.exe [2003-08-17 23:22]
    2009-07-30 c:\winnt\Tasks\User_Feed_Synchronization-{B5F2318B-E9C3-4BB4-B69B-0D2F8FB19461}.job
    - c:\winnt\system32\msfeedssync.exe [2007-08-14 00:36]
    .
    - - - - ORPHANS REMOVED - - - -
    HKCU-Run-Microsoft Works Update Detection - c:\program files\Microsoft Works\WkDetect.exe
    Notify-awtuuRij - awtuuRij.dll

    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\system32\blank.htm
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE:
    TCP: {7721A874-C578-4DAA-8351-EBE32CCF17F9} = 24.217.0.5,24.217.201.67
    DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-07-30 19:44
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_USERS\S-1-5-21-3904617073-2370721046-3515399985-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F539E2CA-BF82-2841-D8D2-1D2CE6A7356C}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "iaohbnejbophmjgkgo"=hex:6a,61,6b,64,67,6e,67,61,64,6d,6a,6f,62,65,69,70,6d,67,
    62,6e,00,00
    "haegofaiofbfjgjl"=hex:69,61,6b,64,6f,68,63,6c,68,6a,68,63,6a,66,63,66,62,65,
    00,00
    .
    Other Running Processes
    .
    c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\winnt\system32\NMSSvc.Exe
    c:\winnt\system32\nvsvc32.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\winnt\system32\wdfmgr.exe
    c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    c:\program files\Alwil Software\Avast4\ashMaiSv.exe
    c:\program files\Alwil Software\Avast4\ashWebSv.exe
    c:\winnt\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-07-31 19:55 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-07-31 00:55
    Pre-Run: 2,364,993,536 bytes free
    Post-Run: 2,383,732,736 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
    Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
    306 --- E O F --- 2009-07-28 03:08
  • edited July 2009
    s
  • edited August 2009
    First the ComboFix report:

    ComboFix 09-07-29.04 - Owner 08/04/2009 22:24.2.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.288 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1335 [VPS 090804-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
    FILE ::
    "c:\program files\dboot.exe"
    "c:\program files\hwmywopf.exe"
    "c:\program files\orkxj14c.exe"
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\program files\dboot.exe
    c:\program files\hwmywopf.exe
    c:\program files\orkxj14c.exe
    e:\recycled\NPROTECT\NPROTECT.LOG
    J:\Autorun.inf
    j:\recycled\NPROTECT\NPROTECT.LOG
    k:\recycled\NPROTECT\NPROTECT.LOG
    c:\recycler\NPROTECT . . . . failed to delete
    c:\recycler\NPROTECT\NPROTECT.LOG . . . . failed to delete
    e:\recycled\NPROTECT\NPROTECT.LOG . . . . failed to delete
    j:\recycled\NPROTECT\NPROTECT.LOG . . . . failed to delete
    k:\recycled\NPROTECT\NPROTECT.LOG . . . . failed to delete
    c:\winnt\system32\proquota.exe . . . is missing!!
    .
    ((((((((((((((((((((((((( Files Created from 2009-07-05 to 2009-08-05 )))))))))))))))))))))))))))))))
    .
    2009-07-28 01:46 . 2009-07-28 01:46 2169915 ----a-w- c:\program files\SetupImgBurn_2.5.0.0.exe
    2009-07-28 01:39 . 2003-10-11 06:06 21654229 ----a-w- c:\program files\nero60015.exe
    2009-07-26 17:22 . 2009-07-26 17:22 d-----w- C:\301 Inkjet Tips and Techniques - An Essential Printing Resource for Photographers
    2009-07-26 16:38 . 2009-07-26 16:38 d-----w- C:\Taste_of_Mexico.pdf
    2009-07-26 16:37 . 2009-07-26 18:24 d-----w- C:\Flight of the Conchords NZ Tourism Posters
    2009-07-20 02:05 . 2009-07-20 02:05 d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2009-07-20 02:05 . 2009-07-20 02:05 d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
    2009-07-20 01:57 . 2009-07-20 01:58 d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
    2009-07-20 01:44 . 2009-07-20 01:44 d-----w- c:\winnt\system32\NtmsData
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-05 03:16 . 2008-07-10 02:56 d-----w- c:\documents and settings\Owner\Application Data\uTorrent
    2009-08-04 05:55 . 2009-03-14 04:04 d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-07-20 02:13 . 2002-10-17 23:52
    d--h--w- c:\program files\InstallShield Installation Information
    2009-07-13 21:48 . 2009-02-08 06:35 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-13 21:31 . 2004-07-10 01:59 d-----w- c:\program files\Sploof
    2009-07-13 21:30 . 2004-06-26 01:29 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-13 20:55 . 2009-03-31 13:19 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-07-13 18:36 . 2009-02-08 06:35 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2009-07-13 18:36 . 2009-02-08 06:35 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2009-07-07 00:39 . 2009-07-07 00:39 171629 ----a-w- c:\program files\hjsplit.rar
    2009-07-05 16:13 . 2002-10-17 23:57 d-----w- c:\program files\Symantec
    2009-07-05 16:13 . 2002-10-17 23:57 d-----w- c:\program files\Common Files\Symantec Shared
    2009-07-05 15:55 . 2009-07-05 01:11 d-----w- c:\program files\COMODO
    2009-07-05 01:11 . 2009-07-05 01:06 78992656 ----a-w- c:\program files\CIS_Setup_3.10.101801.529_XP_Vista_x32.exe
    2009-07-05 01:03 . 2009-07-05 01:03 d-----w- c:\program files\Alwil Software
    2009-07-05 00:58 . 2009-07-05 00:58 308160 ----a-w- c:\program files\avast_home_setup.exe
    2009-07-04 02:40 . 2009-07-03 23:43 d-----w- c:\program files\ccleaner reg backup
    2009-07-04 02:17 . 2009-07-04 02:16 3360392 ----a-w- c:\program files\RegistryEasy.exe
    2009-07-03 01:03 . 2009-07-03 01:03 d-----w- c:\program files\CCleaner
    2009-07-03 01:02 . 2009-07-03 01:02 3252640 ----a-w- c:\program files\ccsetup221.exe
    2009-06-28 03:59 . 2008-10-21 23:09 120 ----a-w- C:\drmHeader.bin
    2009-06-16 14:36 . 1980-01-01 05:00 81920 ----a-w- c:\winnt\system32\fontsub.dll
    2009-06-16 14:36 . 1980-01-01 05:00 119808 ----a-w- c:\winnt\system32\t2embed.dll
    2009-06-15 12:52 . 2003-09-25 16:01 d-----w- c:\program files\DivX
    2009-06-15 12:51 . 2009-04-08 01:48 d-----w- c:\program files\Common Files\DivX Shared
    2009-06-15 12:46 . 2009-06-15 12:45 16742799 ----a-w- c:\program files\vlc-0.9.9-win32.exe
    2009-06-07 15:02 . 2009-06-07 15:02 d-----w- c:\documents and settings\Owner\Application Data\dBpoweramp
    2009-06-07 02:56 . 2009-06-07 02:56 14373 ----a-w- c:\winnt\system32\SpoonUninstall-dBpoweramp Music Converter.dat
    2009-06-07 02:55 . 2009-06-07 02:55 5433520 ----a-w- c:\program files\dMC-R13.2-Ref-Trial.exe
    2009-06-07 02:55 . 2004-06-06 00:32 5433520 -c--a-w- c:\winnt\system32\SpoonUninstall.exe
    2009-06-05 23:12 . 2009-06-05 23:12 9615808 ----a-w- C:\windows-kb890830-v2.10.exe
    2009-06-04 01:41 . 2009-06-04 01:40 2544682 ----a-w- C:\regcleaner.exe
    2009-06-03 19:09 . 2003-05-13 15:28 1291264 ----a-w- c:\winnt\system32\quartz.dll
    2009-05-07 15:32 . 1980-01-01 05:00 345600 ----a-w- c:\winnt\system32\localspl.dll
    2009-04-28 01:16 . 2009-04-28 01:16 9915072 ----a-w- c:\program files\winamp5552_full_emusic-7plus_en-us.exe
    2009-03-29 01:06 . 2008-07-15 00:33 43008 --sha-w- c:\program files\Thumbs.db
    2009-03-09 23:25 . 2009-03-09 23:25 14929905 ----a-w- c:\program files\klcodec470f.exe
    2008-09-12 02:24 . 2008-09-12 02:24 304957 ----a-w- c:\program files\hjsplit.zip
    2008-08-09 01:21 . 2008-08-09 01:21 3748544 ----a-w- c:\program files\ephpod277.exe
    2008-07-15 00:36 . 2008-07-15 00:32 454656 ----a-w- c:\program files\putty.exe
    2008-07-08 03:42 . 2008-07-08 03:42 9057472 ----a-w- c:\program files\Vuze_3.1.1.0_windows.exe
    2008-05-24 02:52 . 2008-05-24 02:52 230996 ----a-w- c:\program files\in_mp4_2.0.zip
    2008-02-07 04:02 . 2008-02-07 04:02 2125249 ----a-w- c:\program files\burrrn_package.exe
    2008-02-07 03:53 . 2008-01-30 13:58 2461696 ----a-w- c:\program files\Feurio_168_Install_eng.exe
    2008-02-02 00:06 . 2008-02-01 14:02 2228534 ----a-w- c:\program files\audacity-win-1.2.6.exe
    2008-02-01 14:07 . 2008-02-01 14:04 21016 ----a-w- c:\program files\John Popper - Jono Manson - Paolo Bonfanti 2003.03.15 Chiari ITA.torrent
    2007-12-24 14:33 . 2007-12-24 14:33 26531 ----a-w- c:\program files\avettbrothers_2006-08-05_galaxybarn.flac16.torrent
    2007-12-24 02:07 . 2007-12-24 02:05 2873585 ----a-w- c:\program files\ptwindows.exe
    2007-12-18 03:47 . 2007-12-18 03:47 2428988 ----a-w- c:\program files\eac-0.99pb3.exe
    2007-12-18 03:45 . 2007-12-18 03:44 1400322 ----a-w- c:\program files\tralih201143.exe
    2007-02-01 23:11 . 2008-09-12 02:25 582 ----a-w- c:\program files\readme.txt
    2007-01-16 02:17 . 2007-01-16 02:13 498064 -c--a-w- c:\program files\TA2005_2.exe
    2006-08-21 00:10 . 2006-08-21 00:10 4427776 -c--a-w- c:\program files\CJXP33SE.exe
    2006-08-21 00:09 . 2006-08-21 00:07 9222144 -c--a-w- c:\program files\CJXP33LE.exe
    2006-08-11 04:18 . 2006-08-11 04:18 16092160 -c--a-w- c:\program files\CJB700EN.exe
    2006-08-08 23:30 . 2006-08-08 23:30 174517 ----a-w- c:\program files\DRMFree.zip
    2006-08-08 23:09 . 2006-08-08 12:25 4196037 -c--a-w- c:\program files\CDRoller630_en.exe
    2006-08-08 00:13 . 2006-08-07 23:19 1651938 -c--a-w- c:\program files\install.exe
    2004-12-18 03:23 . 2004-12-18 03:23 32029 -c--a-w- c:\program files\u21990.shnf - Hansa Ton Salome Complete.torrent
    2004-12-18 03:22 . 2004-12-18 03:22 1123 -c--a-w- c:\program files\Salome The Axtung Beibi Outtakes 3 CD Set 277 110 FLAC (CD1 - Track 10) FIXED.torrent
    2004-12-18 02:37 . 2004-12-18 02:37 398456 -c--a-w- c:\program files\incredimail_install.exe
    2004-11-11 17:03 . 2008-05-24 02:52 178 ----a-w- c:\program files\free-codecs.txt
    2004-08-04 07:56 . 2002-09-03 17:23 69120 -c--a-w- c:\program files\notepad.exe
    2003-12-03 23:04 . 2006-05-24 01:09 9189896 -c--a-w- c:\program files\EXCEL.EXE
    2003-03-15 11:38 . 2003-03-15 11:38 16141 -c--a-w- c:\program files\mission.htm
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-07-31_00.44.40 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-31 00:27 . 2009-07-31 00:27 16384 c:\winnt\Temp\Perflib_Perfdata_5a8.dat
    + 2009-08-05 03:38 . 2009-08-05 03:38 16384 c:\winnt\Temp\Perflib_Perfdata_5a8.dat
    + 2009-08-05 00:37 . 2009-08-05 00:37 16384 c:\winnt\Temp\Perflib_Perfdata_5a4.dat
    + 1980-01-01 05:00 . 2009-07-31 00:48 56946 c:\winnt\system32\perfc009.dat
    - 1980-01-01 05:00 . 2009-07-20 02:05 56946 c:\winnt\system32\perfc009.dat
    + 1980-01-01 05:00 . 2009-07-31 00:48 387418 c:\winnt\system32\perfh009.dat
    - 1980-01-01 05:00 . 2009-07-20 02:05 387418 c:\winnt\system32\perfh009.dat
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\winnt\system32\ctfmon.exe" [2008-04-14 15360]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="NvQTwk" [X]
    "GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
    "UpdReg"="c:\winnt\UpdReg.EXE" [2000-05-11 90112]
    "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-11-12 100056]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "NeroCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
    "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
    "GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-08-06 90112]
    "CTHelper"="CTHELPER.EXE" - c:\winnt\system32\cthelper.exe [2002-07-02 24576]
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\winnt\pss\Adobe Gamma Loader.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=c:\winnt\pss\InterVideo WinCinema Manager.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v3 Smart Wizard.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk
    backup=c:\winnt\pss\NETGEAR WG111v3 Smart Wizard.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
    backup=c:\winnt\pss\NkvMon.exe.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SharedAccess"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\FlashFXP\\flashfxp.exe"=
    "c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
    "c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
    R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [7/4/2009 8:03 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [7/4/2009 8:03 PM 20560]
    R2 NProtectService;Norton Unerase Protection;c:\program files\Norton AntiVirus\AdvTools\NPROTECT.EXE [10/23/2004 6:40 PM 135168]
    R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [10/17/2002 6:57 PM 6736]
    R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\winnt\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]
    S2 gupdate1c9a45a207d1510;Google Update Service (gupdate1c9a45a207d1510);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2009 11:05 PM 133104]
    S3 BW2NDIS5;BW2NDIS5;c:\winnt\system32\Drivers\BW2NDIS5.sys --> c:\winnt\system32\Drivers\BW2NDIS5.sys [?]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
    S3 psa64s;psa64s;c:\winnt\system32\DRIVERS\psa64s.sys --> c:\winnt\system32\DRIVERS\psa64s.sys [?]
    S3 psa64u;Nike psa[64 Player Control Driver;c:\winnt\system32\Drivers\psa64u.sys --> c:\winnt\system32\Drivers\psa64u.sys [?]
    --- Other Services/Drivers In Memory ---
    *NewlyCreated* - NMSCFG
    *NewlyCreated* - NMSSVC
    *Deregistered* - IPVNMon
    .
    Contents of the 'Scheduled Tasks' folder
    2009-08-05 c:\winnt\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-14 15:15]
    2009-08-05 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:05]
    2009-08-05 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:05]
    2008-10-01 c:\winnt\Tasks\Norton AntiVirus - Scan my computer - Owner.job
    - c:\progra~1\NORTON~1\NAVW32.EXE [2003-08-17 23:22]
    2009-08-03 c:\winnt\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\Navw32.exe [2003-08-17 23:22]
    2009-08-05 c:\winnt\Tasks\User_Feed_Synchronization-{B5F2318B-E9C3-4BB4-B69B-0D2F8FB19461}.job
    - c:\winnt\system32\msfeedssync.exe [2007-08-14 00:36]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\system32\blank.htm
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE:
    TCP: {7721A874-C578-4DAA-8351-EBE32CCF17F9} = 24.217.0.5,24.217.201.67
    DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    DPF: {10000000-1000-0000-1000-000000000000}
    DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71}
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-04 22:39
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Other Running Processes
    .
    c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\program files\Alwil Software\Avast4\aswUpdSv.exe
    c:\program files\Alwil Software\Avast4\ashServ.exe
    c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\winnt\system32\NMSSvc.Exe
    c:\winnt\system32\nvsvc32.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\winnt\system32\wdfmgr.exe
    c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    c:\winnt\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2009-08-05 22:50 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-08-05 03:50
    ComboFix2.txt 2009-07-31 00:55
    Pre-Run: 162,336,768 bytes free
    Post-Run: 151,666,688 bytes free
    Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
    250 --- E O F --- 2009-07-28 03:08


    Now the Jotti reports (excel, then notepad):

    Jotti's malware scan
    Filename: EXCEL.EXE
    Status: Scan finished. 0 out of 21 scanners reported malware.
    Scan taken on: Wed 5 Aug 2009 05:19:18 (CET)


    Additional info
    File size: 9189896 bytes
    Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5: 41e923a8efc4bcd742931ac2c9571dc3
    SHA1: 775fd0f5fc8b6e3aeaa6f1418aa75b3a218ee669

    Scanners
    2009-08-04 Found nothing 2009-08-05 Found nothing
    2009-08-05 Found nothing 2009-08-05 Found nothing
    2009-08-04 Found nothing 2009-08-05 Found nothing
    2009-08-04 Found nothing 2009-08-04 Found nothing
    2009-08-04 Found nothing 2009-08-04 Found nothing
    2009-08-05 Found nothing 2009-08-04 Found nothing
    2009-08-05 Found nothing 2009-08-04 Found nothing
    2009-08-05 Found nothing 2009-08-05 Found nothing
    2009-08-05 Found nothing 2009-08-04 Found nothing
    2009-08-04 Found nothing 2009-08-04 Found nothing
    2009-08-04 Found nothing

    Jotti's malware scan
    This file has been scanned before. The results for this previous scan are listed below.

    Filename: notepad.exe
    Status: Scan finished. 0 out of 21 scanners reported malware.
    Scan taken on: Mon 20 Jul 2009 09:16:41 (CET)


    Additional info
    File size: 69120 bytes
    Filetype: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5: 388b8fbc36a8558587afc90fb23a3b99
    SHA1: ed55ad0a7078651857bd8fc0eedd8b07f94594cc

    Scanners
    2009-07-19 Found nothing 2009-07-20 Found nothing
    2009-07-20 Found nothing 2009-07-20 Found nothing
    2009-07-19 Found nothing 2009-07-20 Found nothing
    2009-07-19 Found nothing 2009-07-19 Found nothing
    2009-07-20 Found nothing 2009-07-17 Found nothing
    2009-07-20 Found nothing 2009-07-19 Found nothing
    2009-07-19 Found nothing 2009-07-20 Found nothing
    2009-07-20 Found nothing 2009-07-20 Found nothing
    2009-07-19 Found nothing 2009-07-18 Found nothing
    2009-07-19 Found nothing 2009-07-19 Found nothing
    2009-07-19 Found nothing
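The entries a helper picks out of a ComboFix report like the ones above (an autostart whose file is gone, a service pointing at a missing driver, the firewall switched off, a globally open port, and the random-named hex values under the locked shell-extension key) can be pulled out mechanically. The script below is an added example, not ComboFix's own tooling; its sample lines are copied from this thread, and the "random-looking name" test is a crude heuristic assumed for illustration.

```python
import re
from typing import List

# Constructed sample: lines copied from the ComboFix reports posted in this thread.
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [7/4/2009 8:03 PM 114768]
S3 BW2NDIS5;BW2NDIS5;c:\winnt\system32\Drivers\BW2NDIS5.sys --> c:\winnt\system32\Drivers\BW2NDIS5.sys [?]
LOCKED REGISTRY KEYS
"iaohbnejbophmjgkgo"=hex:6a,61,6b,64,67,6e,67,61,64,6d,6a,6f,62,65,69,70,6d,67,
62,6e,00,00
'''

# Line shapes used in the "Reg Loading Points" and "LOCKED REGISTRY KEYS" sections.
KEY_RE = re.compile(r'^\[(?P<key>.+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"(?: - (?P<resolved>.*?))? \[(?P<stamp>[^\]]*)\]$')
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)'
                        r'(?: --> (?P<resolved>.+?))? \[(?P<stamp>[^\]]*)\]$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"= ?(?P<value>\d+)')
PORT_RE = re.compile(r'^"(?P<port>\d+:(?:TCP|UDP))"=')
HEX_RE = re.compile(r'^"(?P<name>[^"]+)"=hex:(?P<data>[0-9a-f,]*)$')
HEX_CONT_RE = re.compile(r'^[0-9a-f]{2}(?:,[0-9a-f]{2})*,?$')


def decode_hex_value(data: str) -> str:
    """Turn a 'hex:6a,61,...' byte list into text, dropping the trailing NUL padding."""
    raw = bytes(int(b, 16) for b in data.strip(",").split(",") if b)
    return raw.rstrip(b"\x00").decode("latin-1")


def looks_random(name: str) -> bool:
    """Assumed heuristic: one long run of lowercase letters is not a product name."""
    return len(name) >= 12 and name.isalpha() and name.islower()


def triage(log_text: str) -> List[str]:
    """Walk the log once and return the findings a helper would look at first."""
    findings: List[str] = []
    lines = [ln.strip() for ln in log_text.splitlines()]
    current_key = ""
    i = 0
    while i < len(lines):
        line = lines[i]
        if (m := KEY_RE.match(line)):
            current_key = m.group("key")
        elif (m := RUN_RE.match(line)):
            # ComboFix prints [X] when the autostart target cannot be found on disk.
            if m.group("stamp") == "X":
                findings.append(f"autostart '{m.group('name')}' -> '{m.group('value')}': target file not found")
        elif (m := SERVICE_RE.match(line)):
            # A '--> path [?]' service line means the driver file is missing.
            if m.group("stamp") == "?":
                findings.append(f"service {m.group('name')} ({m.group('start')}): driver file {m.group('path')} missing")
        elif (m := FIREWALL_RE.match(line)):
            if m.group("value") == "0":
                findings.append("Windows Firewall disabled for the standard profile")
        elif "GloballyOpenPorts" in current_key and (m := PORT_RE.match(line)):
            findings.append(f"port {m.group('port')} globally open in firewall policy")
        elif (m := HEX_RE.match(line)):
            # Hex values wrap onto continuation lines; join them before decoding.
            data = m.group("data")
            while i + 1 < len(lines) and data.endswith(",") and HEX_CONT_RE.match(lines[i + 1]):
                i += 1
                data += lines[i]
            name, decoded = m.group("name"), decode_hex_value(data)
            if looks_random(name) and looks_random(decoded):
                findings.append(f"locked key value '{name}' = '{decoded}' (random-looking name and data)")
        i += 1
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```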
  • edited August 2009
    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
      :filefind
      proquota.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply later.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    =============================================

    Next go HERE to run Panda ActiveScan 2.0
    • Click the big green Scan now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • Once the scan is completed, please hit the notepad icon next to the text Export to:
    • Save it to a convenient location such as your Desktop
    • Post the contents of the ActiveScan.txt in your next reply, along with SystemLook.txt.
  • edited August 2009
    SystemLook v1.0 by jpshortstuff (22.05.09)
    Log created at 22:04 on 05/08/2009 by Owner (Administrator - Elevation successful)
    ========== filefind ==========
    Searching for "proquota.exe"
    C:\WINNT\$NtServicePackUninstall$\proquota.exe
    c 50176 bytes [11:57 04/09/2008] [07:56 04/08/2004] 4D9D45A4370E0C2AD00C362B7118E2A4
    C:\WINNT\ServicePackFiles\i386\proquota.exe
    50176 bytes [07:56 04/08/2004] [00:12 14/04/2008] F6465A2EEF75468988A4FCF124148FA8
    -=End Of File=-




    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-08-06 07:12:09
    PROTECTIONS: 2
    MALWARE: 61
    SUSPECTS: 0
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    avast! antivirus 4.8.1335 [VPS 090805-1] 4.8.1335 No Yes
    Norton AntiVirus 2004 No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00018331 adware/gator Adware No 0 Yes No c:\gatorpatch.log
    00029408 Adware/Lop Adware No 0 Yes No C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RDUXQ9CR\lop[2].htm
    00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\aui
    00046591 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[BlackBox.class]
    00046592 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[Dummy.class]
    00116714 Adware/Startpage.JU Adware No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[Beyond.class]
    00117989 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[VBUG.class]
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[3].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@247realmedia[2].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
    00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@7search[2].txt
    00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ccbill[1].txt
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
    00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@yadro[1].txt
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
    00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@counter.hitslink[1].txt
    00167763 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@counter1.sextracker[2].txt
    00167770 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@counter15.sextracker[1].txt
    00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@club.cdfreaks[2].txt
    00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[2].txt
    00168058 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@counter4.sextracker[2].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@apmebf[1].txt
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[1].txt
    00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[2].txt
    00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@cdfreaks[2].txt
    00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@adtech[1].txt
    00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@fl01.ct2.comclick[2].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@advertising[1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
    00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@sextracker[1].txt
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
    00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
    00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@uol.com[1].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
    00172064 Bck/Agent.E Virus/Trojan No 0 Yes No C:\WINNT\system32\hlpaddn.dll
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@zedo[2].txt
    00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@xxxcounter[2].txt
    00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bravenet[1].txt
    00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[1].txt
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@target[1].txt
    00234587 Adware/WinAD Adware No 0 Yes No C:\Program Files\incredimail_install.exe
    00260701 adware/vog Adware No 1 Yes No c:\program files\internet explorer\update.exe
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atwola[1].txt
    00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt
    00325961 Adware/EasySearch Adware No 0 Yes No C:\WINNT\system32\authz.exe
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\11E0743F
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\11E31E3B
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\186A61CB
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\19190F10
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\1EFC70A4
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\04FE0FE4
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\04E74CD0
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\237643D4
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\23796DD0
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\2CAA5871.exe
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\34AB02A3
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\34B2569C
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\373F5CDC
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\3BB6008D
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\3C3E3CE7
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\3D473619
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\3F1F6ED0
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\23285393
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\42C86CEE
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\5F896C32
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\66080B5B.exe
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\67026FA3
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\670619A0
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6709439C
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\670C6D99
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\670F1795
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\68D20075
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6C937950
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6D1D3EB0
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6D2068AC
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6D2312A9
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6D273CA5
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\79873E84
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\7D325C32
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\7ECB71C6
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\7F643AA7
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\41410261
    00484705 Application/IEDefender HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\SmitfraudFix\IEDFix.C.exe
    00484705 Application/IEDefender HackTools No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\IEDFix.C.exe.vir
    00921467 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\Desktop\SmitfraudFix\404Fix.exe
    00921467 Generic Malware Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\404Fix.exe.vir
    01797982 Trj/Zlob.KH Virus/Trojan No 1 Yes No C:\WINNT\Installer\343b42a9.msi
    02175515 Generic Trojan Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\drivers\hjgruigexvobph.sys.vir
    02239686 Generic Trojan Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\hjgruivttlacap.dll.vir
    02444111 Trj/Alureon.AW Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\hjgruiximcuxqq.dll.vir
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
  • edited August 2009
    First, navigate to the following folder:
    C:\WINNT\ServicePackFiles\i386\

    Locate this file: proquota.exe

    Then copy and paste it into this folder:
    c:\winnt\system32\

    ========================================================

    Next,
    1. Delete CFScript.txt from your Desktop.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Open *notepad* and copy/paste the text in the quotebox below into it:
    File::
    c:\gatorpatch.log
    C:\WINNT\system32\authz.exe
    C:\WINNT\Installer\343b42a9.msi
    
    Registry::
    [-hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\aui]
    
    

    Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


    CFScript.gif

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


    When finished, it shall produce a log for you at C:\ComboFix.txt

    Please copy and paste the ComboFix.txt in your next reply, along with a new Panda ActiveScan log.

    *Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
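    Two things in this thread combine here: the Panda ActiveScan export posted above and the way the CFScript splits hits into File:: and Registry:: entries. The following Python is an added example (not from the thread, Panda or ComboFix) that parses the export's MALWARE section and sorts hits into tracking cookies, copies already sitting in a quarantine folder, registry keys and live files, which is the triage a helper does by eye before deciding what goes into a CFScript; the sample log is a constructed excerpt of the one posted above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of the Panda ActiveScan export posted in the
# thread (a few of its rows, not the full log). Raw string keeps the backslashes.
SAMPLE_LOG = r"""
ANALYSIS: 2009-08-06 07:12:09
PROTECTIONS: 2
MALWARE: 61
SUSPECTS: 0
PROTECTIONS
Description Version Active Updated
avast! antivirus 4.8.1335 [VPS 090805-1] 4.8.1335 No Yes
Norton AntiVirus 2004 No No
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
00018331 adware/gator Adware No 0 Yes No c:\gatorpatch.log
00040415 adware/wintools Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\installer\userdata\aui
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
00172064 Bck/Agent.E Virus/Trojan No 0 Yes No C:\WINNT\system32\hlpaddn.dll
00325961 Adware/EasySearch Adware No 0 Yes No C:\WINNT\system32\authz.exe
00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\11E0743F
00921467 Generic Malware Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\404Fix.exe.vir
01797982 Trj/Zlob.KH Virus/Trojan No 1 Yes No C:\WINNT\Installer\343b42a9.msi
SUSPECTS
Sent Location
"""

# One MALWARE row: 8-digit id, a description that may contain spaces ("Cookie/Traffic
# Marketplace", "Generic Malware"), a single-token type, then Active / Severity /
# Disinfectable / Disinfected, and a location that may also contain spaces.
# The non-greedy description is what makes the split unambiguous.
ROW_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)

# Locations where a hit is already contained by an earlier tool: a ComboFix backup
# (Qoobox) or the old Norton quarantine. Re-detecting those is expected, not live.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\norton antivirus\\quarantine\\")


@dataclass
class Detection:
    id: str
    desc: str
    type: str
    active: bool
    severity: int
    location: str


def parse_activescan(text):
    """Return the MALWARE rows of a Panda ActiveScan 2.0 export as Detection objects."""
    rows, in_malware = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "MALWARE":          # section header, not the "MALWARE: 61" count line
            in_malware = True
            continue
        if line in ("SUSPECTS", "VULNERABILITIES"):
            in_malware = False
        if not in_malware:
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(Detection(m["id"], m["desc"], m["type"], m["active"] == "Yes",
                                  int(m["severity"]), m["location"]))
    return rows


def triage(detections):
    """Bucket hits by what a helper would do with them: ignore cookies, note copies
    already in quarantine, and keep registry keys apart from files, since a CFScript
    lists the former under Registry:: and the latter under File::."""
    buckets = {"cookies": [], "quarantined": [], "registry": [], "files": []}
    for d in detections:
        loc = d.location.lower()
        if d.type == "TrackingCookie":
            buckets["cookies"].append(d)
        elif any(marker in loc for marker in QUARANTINE_MARKERS):
            buckets["quarantined"].append(d)
        elif loc.startswith("hkey_"):
            buckets["registry"].append(d)
        else:
            buckets["files"].append(d)
    return buckets


def format_report(buckets):
    """Human-readable summary; live items first, highest severity on top."""
    lines = []
    for name in ("files", "registry"):
        lines.append(f"{name} needing review: {len(buckets[name])}")
        for d in sorted(buckets[name], key=lambda d: -d.severity):
            lines.append(f"  [{d.desc}] {d.location}")
    lines.append(f"already quarantined: {len(buckets['quarantined'])}, "
                 f"tracking cookies: {len(buckets['cookies'])}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(parse_activescan(SAMPLE_LOG))))
```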
  • edited August 2009
    ComboFix 09-08-07.07 - Owner 08/07/2009 21:49.3.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.241 [GMT -5:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
    AV: avast! antivirus 4.8.1335 [VPS 090807-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    AV: Norton AntiVirus *On-access scanning disabled* (Outdated) {B5510F6F-87E1-47F7-A411-360BC453007C}
    FILE ::
    "c:\gatorpatch.log"
    "c:\winnt\Installer\343b42a9.msi"
    "c:\winnt\system32\authz.exe"
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    c:\documents and settings\Owner\Start Menu\Programs\Ace WINScreen .lnk
    c:\gatorpatch.log
    c:\recycler\NPROTECT
    c:\winnt\Installer\343b42a9.msi
    c:\winnt\system32\authz.exe
    .
    ((((((((((((((((((((((((( Files Created from 2009-07-08 to 2009-08-08 )))))))))))))))))))))))))))))))
    .
    2009-08-08 02:38 . 2008-04-14 00:12 50176 ----a-w- c:\winnt\system32\proquota.exe
    2009-08-08 02:38 . 2008-04-14 00:12 50176 ----a-w- c:\winnt\system32\dllcache\proquota.exe
    2009-08-06 13:09 . 2009-08-06 13:10 d-----w- C:\RayCh_ModernSndsCountryWestMus Folder
    2009-08-06 13:09 . 2009-08-06 13:09 d-----w- C:\Little Village - Studio rehearsals 1992-04-XX
    2009-08-06 13:07 . 2009-08-06 13:08 d-----w- C:\Highwaymen - 960604 - Los Angeles, CA
    2009-08-06 03:10 . 2008-06-19 22:24 28544 ----a-w- c:\winnt\system32\drivers\pavboot.sys
    2009-08-06 03:10 . 2009-08-06 03:10 d-----w- c:\program files\Panda Security
    2009-08-06 03:09 . 2009-08-06 03:09 d-----w- c:\winnt\LastGood
    2009-07-28 01:46 . 2009-07-28 01:46 2169915 ----a-w- c:\program files\SetupImgBurn_2.5.0.0.exe
    2009-07-28 01:39 . 2003-10-11 06:06 21654229 ----a-w- c:\program files\nero60015.exe
    2009-07-20 02:05 . 2009-07-20 02:05 d-----w- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2009-07-20 02:05 . 2009-07-20 02:05 d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Downloaded Installations
    2009-07-20 01:57 . 2009-07-20 01:58 d-----w- c:\documents and settings\Owner\Application Data\GetRightToGo
    2009-07-20 01:44 . 2009-07-20 01:44 d-----w- c:\winnt\system32\NtmsData
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-08 02:43 . 2008-07-10 02:56 d-----w- c:\documents and settings\Owner\Application Data\uTorrent
    2009-08-07 08:58 . 2009-03-14 04:04 d-----w- c:\documents and settings\All Users\Application Data\Google Updater
    2009-07-20 02:13 . 2002-10-17 23:52 d--h--w- c:\program files\InstallShield Installation Information
    2009-07-13 21:48 . 2009-02-08 06:35 d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-07-13 21:31 . 2004-07-10 01:59 d-----w- c:\program files\Sploof
    2009-07-13 21:30 . 2004-06-26 01:29 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-07-13 20:55 . 2009-03-31 13:19 3775176 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
    2009-07-13 18:36 . 2009-02-08 06:35 38160 ----a-w- c:\winnt\system32\drivers\mbamswissarmy.sys
    2009-07-13 18:36 . 2009-02-08 06:35 19096 ----a-w- c:\winnt\system32\drivers\mbam.sys
    2009-07-07 00:39 . 2009-07-07 00:39 171629 ----a-w- c:\program files\hjsplit.rar
    2009-07-05 16:13 . 2002-10-17 23:57 d-----w- c:\program files\Symantec
    2009-07-05 16:13 . 2002-10-17 23:57 d-----w- c:\program files\Common Files\Symantec Shared
    2009-07-05 15:55 . 2009-07-05 01:11 d-----w- c:\program files\COMODO
    2009-07-05 01:11 . 2009-07-05 01:06 78992656 ----a-w- c:\program files\CIS_Setup_3.10.101801.529_XP_Vista_x32.exe
    2009-07-05 01:03 . 2009-07-05 01:03 d-----w- c:\program files\Alwil Software
    2009-07-05 00:58 . 2009-07-05 00:58 308160 ----a-w- c:\program files\avast_home_setup.exe
    2009-07-04 02:40 . 2009-07-03 23:43 d-----w- c:\program files\ccleaner reg backup
    2009-07-04 02:17 . 2009-07-04 02:16 3360392 ----a-w- c:\program files\RegistryEasy.exe
    2009-07-03 01:03 . 2009-07-03 01:03 d-----w- c:\program files\CCleaner
    2009-07-03 01:02 . 2009-07-03 01:02 3252640 ----a-w- c:\program files\ccsetup221.exe
    2009-06-28 03:59 . 2008-10-21 23:09 120 ----a-w- C:\drmHeader.bin
    2009-06-16 14:36 . 1980-01-01 05:00 81920 ----a-w- c:\winnt\system32\fontsub.dll
    2009-06-16 14:36 . 1980-01-01 05:00 119808 ----a-w- c:\winnt\system32\t2embed.dll
    2009-06-15 12:52 . 2003-09-25 16:01 d-----w- c:\program files\DivX
    2009-06-15 12:51 . 2009-04-08 01:48 d-----w- c:\program files\Common Files\DivX Shared
    2009-06-15 12:46 . 2009-06-15 12:45 16742799 ----a-w- c:\program files\vlc-0.9.9-win32.exe
    2009-06-07 02:56 . 2009-06-07 02:56 14373 ----a-w- c:\winnt\system32\SpoonUninstall-dBpoweramp Music Converter.dat
    2009-06-07 02:55 . 2009-06-07 02:55 5433520 ----a-w- c:\program files\dMC-R13.2-Ref-Trial.exe
    2009-06-07 02:55 . 2004-06-06 00:32 5433520 -c--a-w- c:\winnt\system32\SpoonUninstall.exe
    2009-06-05 23:12 . 2009-06-05 23:12 9615808 ----a-w- C:\windows-kb890830-v2.10.exe
    2009-06-04 01:41 . 2009-06-04 01:40 2544682 ----a-w- C:\regcleaner.exe
    2009-06-03 19:09 . 2003-05-13 15:28 1291264 ----a-w- c:\winnt\system32\quartz.dll
    2009-04-28 01:16 . 2009-04-28 01:16 9915072 ----a-w- c:\program files\winamp5552_full_emusic-7plus_en-us.exe
    2009-03-29 01:06 . 2008-07-15 00:33 43008 --sha-w- c:\program files\Thumbs.db
    2009-03-09 23:25 . 2009-03-09 23:25 14929905 ----a-w- c:\program files\klcodec470f.exe
    2008-09-12 02:24 . 2008-09-12 02:24 304957 ----a-w- c:\program files\hjsplit.zip
    2008-08-09 01:21 . 2008-08-09 01:21 3748544 ----a-w- c:\program files\ephpod277.exe
    2008-07-15 00:36 . 2008-07-15 00:32 454656 ----a-w- c:\program files\putty.exe
    2008-07-08 03:42 . 2008-07-08 03:42 9057472 ----a-w- c:\program files\Vuze_3.1.1.0_windows.exe
    2008-05-24 02:52 . 2008-05-24 02:52 230996 ----a-w- c:\program files\in_mp4_2.0.zip
    2008-02-07 04:02 . 2008-02-07 04:02 2125249 ----a-w- c:\program files\burrrn_package.exe
    2008-02-07 03:53 . 2008-01-30 13:58 2461696 ----a-w- c:\program files\Feurio_168_Install_eng.exe
    2008-02-02 00:06 . 2008-02-01 14:02 2228534 ----a-w- c:\program files\audacity-win-1.2.6.exe
    2008-02-01 14:07 . 2008-02-01 14:04 21016 ----a-w- c:\program files\John Popper - Jono Manson - Paolo Bonfanti 2003.03.15 Chiari ITA.torrent
    2007-12-24 14:33 . 2007-12-24 14:33 26531 ----a-w- c:\program files\avettbrothers_2006-08-05_galaxybarn.flac16.torrent
    2007-12-24 02:07 . 2007-12-24 02:05 2873585 ----a-w- c:\program files\ptwindows.exe
    2007-12-18 03:47 . 2007-12-18 03:47 2428988 ----a-w- c:\program files\eac-0.99pb3.exe
    2007-12-18 03:45 . 2007-12-18 03:44 1400322 ----a-w- c:\program files\tralih201143.exe
    2007-02-01 23:11 . 2008-09-12 02:25 582 ----a-w- c:\program files\readme.txt
    2007-01-16 02:17 . 2007-01-16 02:13 498064 -c--a-w- c:\program files\TA2005_2.exe
    2006-08-21 00:10 . 2006-08-21 00:10 4427776 -c--a-w- c:\program files\CJXP33SE.exe
    2006-08-21 00:09 . 2006-08-21 00:07 9222144 -c--a-w- c:\program files\CJXP33LE.exe
    2006-08-11 04:18 . 2006-08-11 04:18 16092160 -c--a-w- c:\program files\CJB700EN.exe
    2006-08-08 23:30 . 2006-08-08 23:30 174517 ----a-w- c:\program files\DRMFree.zip
    2006-08-08 23:09 . 2006-08-08 12:25 4196037 -c--a-w- c:\program files\CDRoller630_en.exe
    2006-08-08 00:13 . 2006-08-07 23:19 1651938 -c--a-w- c:\program files\install.exe
    2004-12-18 03:23 . 2004-12-18 03:23 32029 -c--a-w- c:\program files\u21990.shnf - Hansa Ton Salome Complete.torrent
    2004-12-18 03:22 . 2004-12-18 03:22 1123 -c--a-w- c:\program files\Salome The Axtung Beibi Outtakes 3 CD Set 277 110 FLAC (CD1 - Track 10) FIXED.torrent
    2004-12-18 02:37 . 2004-12-18 02:37 398456 -c--a-w- c:\program files\incredimail_install.exe
    2004-11-11 17:03 . 2008-05-24 02:52 178 ----a-w- c:\program files\free-codecs.txt
    2004-08-04 07:56 . 2002-09-03 17:23 69120 -c--a-w- c:\program files\notepad.exe
    2003-12-03 23:04 . 2006-05-24 01:09 9189896 -c--a-w- c:\program files\EXCEL.EXE
    2003-03-15 11:38 . 2003-03-15 11:38 16141 -c--a-w- c:\program files\mission.htm
    .
    ((((((((((((((((((((((((((((( SnapShot@2009-07-31_00.44.40 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2009-07-31 00:27 . 2009-07-31 00:27 16384 c:\winnt\Temp\Perflib_Perfdata_5a8.dat
    + 2009-08-05 03:38 . 2009-08-05 03:38 16384 c:\winnt\Temp\Perflib_Perfdata_5a8.dat
    + 1980-01-01 05:00 . 2009-07-31 00:48 56946 c:\winnt\system32\perfc009.dat
    - 1980-01-01 05:00 . 2009-07-20 02:05 56946 c:\winnt\system32\perfc009.dat
    + 1980-01-01 05:00 . 2009-07-31 00:48 387418 c:\winnt\system32\perfh009.dat
    - 1980-01-01 05:00 . 2009-07-20 02:05 387418 c:\winnt\system32\perfh009.dat
    + 2009-04-17 13:59 . 2009-04-17 13:59 128256 c:\winnt\Downloaded Program Files\as2stubie.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="NvQTwk" [X]
    "GWMDMpi"="c:\winnt\GWMDMpi.exe" [2002-08-06 53248]
    "UpdReg"="c:\winnt\UpdReg.EXE" [2000-05-11 90112]
    "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2005-11-12 100056]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2005-03-23 217088]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
    "NeroCheck"="c:\winnt\system32\NeroCheck.exe" [2001-07-09 155648]
    "Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" - c:\winnt\system32\SK9910DM.EXE [2001-01-03 66048]
    "GWMDMMSG"="GWMDMMSG.exe" - c:\winnt\GWMDMMSG.exe [2002-08-06 90112]
    "CTHelper"="CTHELPER.EXE" - c:\winnt\system32\cthelper.exe [2002-07-02 24576]
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=c:\winnt\pss\Adobe Gamma Loader.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=c:\winnt\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
    backup=c:\winnt\pss\InterVideo WinCinema Manager.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR WG111v3 Smart Wizard.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NETGEAR WG111v3 Smart Wizard.lnk
    backup=c:\winnt\pss\NETGEAR WG111v3 Smart Wizard.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NkvMon.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
    backup=c:\winnt\pss\NkvMon.exe.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "SharedAccess"=2 (0x2)
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\FlashFXP\\flashfxp.exe"=
    "c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
    "c:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
    "c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
    "8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
    R1 aswSP;avast! Self Protection;c:\winnt\system32\drivers\aswSP.sys [7/4/2009 8:03 PM 114768]
    R2 aswFsBlk;aswFsBlk;c:\winnt\system32\drivers\aswFsBlk.sys [7/4/2009 8:03 PM 20560]
    R2 RioPNP;RioPNP;c:\winnt\system32\drivers\RioPnP.sys [10/17/2002 6:57 PM 6736]
    R3 RTL8187B;NETGEAR WG111v3 54Mbps Wireless USB 2.0 Adapter Vista Driver;c:\winnt\system32\drivers\wg111v3.sys [4/23/2007 2:11 PM 224896]
    S2 gupdate1c9a45a207d1510;Google Update Service (gupdate1c9a45a207d1510);c:\program files\Google\Update\GoogleUpdate.exe [3/13/2009 11:05 PM 133104]
    S2 NProtectService;Norton Unerase Protection;c:\program files\Norton AntiVirus\AdvTools\NPROTECT.EXE [10/23/2004 6:40 PM 135168]
    S3 BW2NDIS5;BW2NDIS5;c:\winnt\system32\Drivers\BW2NDIS5.sys --> c:\winnt\system32\Drivers\BW2NDIS5.sys [?]
    S3 PCDRDRV;Pcdr Helper Driver;\??\c:\atf\Qctest\PCDoc\PCDRDRV.sys --> c:\atf\Qctest\PCDoc\PCDRDRV.sys [?]
    S3 psa64s;psa64s;c:\winnt\system32\DRIVERS\psa64s.sys --> c:\winnt\system32\DRIVERS\psa64s.sys [?]
    S3 psa64u;Nike psa[64 Player Control Driver;c:\winnt\system32\Drivers\psa64u.sys --> c:\winnt\system32\Drivers\psa64u.sys [?]
    --- Other Services/Drivers In Memory ---
    *NewlyCreated* - NMSCFG
    *NewlyCreated* - NMSSVC
    *Deregistered* - IPVNMon
    .
    Contents of the 'Scheduled Tasks' folder
    2009-08-07 c:\winnt\Tasks\Google Software Updater.job
    - c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-14 15:15]
    2009-08-07 c:\winnt\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:05]
    2009-08-08 c:\winnt\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2009-03-14 04:05]
    2008-10-01 c:\winnt\Tasks\Norton AntiVirus - Scan my computer - Owner.job
    - c:\progra~1\NORTON~1\NAVW32.EXE [2003-08-17 23:22]
    2009-08-08 c:\winnt\Tasks\Norton AntiVirus - Scan my computer.job
    - c:\progra~1\NORTON~1\Navw32.exe [2003-08-17 23:22]
    2009-08-07 c:\winnt\Tasks\User_Feed_Synchronization-{B5F2318B-E9C3-4BB4-B69B-0D2F8FB19461}.job
    - c:\winnt\system32\msfeedssync.exe [2007-08-14 00:36]
    .
    .
    Supplementary Scan
    .
    uStart Page = hxxp://www.google.com/
    uLocal Page = c:\windows\system32\blank.htm
    mLocal Page = c:\windows\system32\blank.htm
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyOverride = *.local
    IE:
    TCP: {7721A874-C578-4DAA-8351-EBE32CCF17F9} = 24.217.0.5,24.217.201.67
    DPF: DirectAnimation Java Classes - file://c:\winnt\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\winnt\Java\classes\xmldso.cab
    .
    **************************************************************************
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-07 22:00
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    LOCKED REGISTRY KEYS
    [HKEY_USERS\S-1-5-21-3904617073-2370721046-3515399985-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{F539E2CA-BF82-2841-D8D2-1D2CE6A7356C}*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    "iaohbnejbophmjgkgo"=hex:6a,61,6b,64,67,6e,67,61,64,6d,6a,6f,62,65,69,70,6d,67,
    62,6e,00,00
    "haegofaiofbfjgjl"=hex:69,61,6b,64,6f,68,63,6c,68,6a,68,63,6a,66,63,66,62,65,
    00,00
    .
    Completion time: 2009-08-08 22:06
    ComboFix-quarantined-files.txt 2009-08-08 03:06
    ComboFix2.txt 2009-08-05 03:50
    ComboFix3.txt 2009-07-31 00:55
    Pre-Run: 2,261,114,880 bytes free
    Post-Run: 2,516,484,096 bytes free
    Current=1 Default=1 Failed=4 LastKnownGood=5 Sets=1,2,3,4,5
    235 --- E O F --- 2009-07-28 03:08


    Now the Panda Scan:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-08-08 08:45:25
    PROTECTIONS: 2
    MALWARE: 62
    SUSPECTS: 1
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    avast! antivirus 4.8.1335 [VPS 090807-0] 4.8.1335 No Yes
    Norton AntiVirus 2004 No No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00029408 Adware/Lop Adware No 0 Yes No C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RDUXQ9CR\lop[2].htm
    00041558 exploit/mhtredir.gen HackTools No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{10000000-1000-0000-1000-000000000000}
    00046591 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[BlackBox.class]
    00046592 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[Dummy.class]
    00116714 Adware/Startpage.JU Adware No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[Beyond.class]
    00117989 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[VBUG.class]
    00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@trafficmp[2].txt
    00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[3].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@doubleclick[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
    00145405 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@247realmedia[2].txt
    00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
    00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[2].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@mediaplex[2].txt
    00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@anm.co[1].txt
    00147806 Cookie/7search TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@7search[2].txt
    00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ccbill[1].txt
    00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@com[1].txt
    00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@yadro[1].txt
    00167744 Cookie/GoStats TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@gostats[1].txt
    00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@statcounter[2].txt
    00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@counter.hitslink[1].txt
    00167763 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@counter1.sextracker[2].txt
    00167770 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@counter15.sextracker[1].txt
    00167795 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@club.cdfreaks[2].txt
    00168048 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
    00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
    00168058 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@counter4.sextracker[2].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@apmebf[1].txt
    00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@burstnet[2].txt
    00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt
    00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bs.serving-sys[2].txt
    00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@www.burstbeacon[2].txt
    00168105 Cookie/Cd Freaks TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@cdfreaks[2].txt
    00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@adtech[1].txt
    00168116 Cookie/Comclick TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@fl01.ct2.comclick[2].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@advertising[1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
    00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@sextracker[1].txt
    00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
    00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@overture[2].txt
    00170556 Cookie/RealMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@realmedia[2].txt
    00170559 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@uol.com[1].txt
    00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
    00172064 Bck/Agent.E Virus/Trojan No 0 Yes No C:\WINNT\system32\hlpaddn.dll
    00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
    00180246 Cookie/XXXCounter TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@xxxcounter[2].txt
    00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@bravenet[1].txt
    00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@adultfriendfinder[1].txt
    00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
    00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@target[1].txt
    00234587 Adware/WinAD Adware No 0 Yes No C:\Program Files\incredimail_install.exe
    00260701 adware/vog Adware No 1 Yes No c:\program files\internet explorer\update.exe
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atwola[1].txt
    00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt
    00325961 Adware/EasySearch Adware No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\authz.exe.vir
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\04FE0FE4
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\11E0743F
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\11E31E3B
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\186A61CB
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\19190F10
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\1EFC70A4
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\23285393
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\237643D4
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\23796DD0
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\2CAA5871.exe
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\34AB02A3
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\34B2569C
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\373F5CDC
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\3BB6008D
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\3C3E3CE7
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\3D473619
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\3F1F6ED0
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\04E74CD0
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\42C86CEE
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\5F896C32
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\66080B5B.exe
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\41410261
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\670619A0
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6709439C
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\670C6D99
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\670F1795
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\68D20075
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6C937950
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6D1D3EB0
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6D2068AC
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6D2312A9
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\6D273CA5
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\79873E84
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\7D325C32
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\7ECB71C6
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\7F643AA7
    00447834 Adware/Lop Adware No 0 Yes No C:\Program Files\Norton AntiVirus\Quarantine\67026FA3
    00484705 Application/IEDefender HackTools No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\IEDFix.C.exe.vir
    00484705 Application/IEDefender HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\SmitfraudFix\IEDFix.C.exe
    00921467 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\Desktop\SmitfraudFix\404Fix.exe
    00921467 Generic Malware Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\404Fix.exe.vir
    01797982 Trj/Zlob.KH Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINNT\Installer\343b42a9.msi.vir
    02175515 Generic Trojan Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\drivers\hjgruigexvobph.sys.vir
    02239686 Generic Trojan Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\hjgruivttlacap.dll.vir
    02444111 Trj/Alureon.AW Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\hjgruiximcuxqq.dll.vir
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No C:\WINNT\Downloaded Program Files\Play365.dll
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
  • edited August 2009
    Please run CCleaner.

    The following should be selected by default, if not, please select:
    [image: oqyhk8.gif]

    Then please click [image: 30ijknb.gif] and choose [image: 5x3nu8.gif]

    Please uncheck [image: 2wlsw11.gif]

    Then go back to [image: 2jb4qyb.gif] and click [image: nf47ev.gif] to run it.

    ================================================
    • Next click Start » Run » type: Notepad » OK
    • Copy (Ctrl+C) and paste (Ctrl+V) the following text inside the quote box below (starting with REGEDIT4) to Notepad.
      REGEDIT4

      ; the leading minus tells Registry Editor to delete this key rather than create it
      [-HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{10000000-1000-0000-1000-000000000000}]
    • Make sure there are no blank spaces before REGEDIT4 and there should be one blank line at the end.
    • Click File at the top and then choose Save As.
    • Change Save As Type to All Files.
    • Name it FixME.reg and save it on your desktop.
    • Its icon should look like this: [image: untitledqx4.png]
    • Double click FixME.reg. It will ask you if you want to merge it to the registry, click Yes.

    =================================================

    Now let's have you download and run the Norton Removal tool. Follow the instructions here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2007080716270339?Open&docid=2005033108162039&nsf=tsgeninfo.nsf&view=docid

    ==================================================


    Finally, run one final scan with Panda ActiveScan and post the new log in your reply. Also how's your PC running now?
  • edited August 2009
    The computer is working great these days. No sudden restarts, no Google redirects, and thank you so much for all of your help.

    Although I'm no expert on issues such as the ones I have been having, could you impart to me some idea of what you were looking for in the logs of these scans, what you found, or just generally what the problems were? I'd love not to find myself in this sort of situation again.

    And once more-- Thank you for all of your time and assistance.:respect:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-08-10 07:13:17
    PROTECTIONS: 1
    MALWARE: 22
    SUSPECTS: 1
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    avast! antivirus 4.8.1335 [VPS 090808-0] 4.8.1335 Yes Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00029408 Adware/Lop Adware No 0 Yes No C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RDUXQ9CR\lop[2].htm
    00041558 exploit/mhtredir.gen HackTools No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{10000000-1000-0000-1000-000000000000}
    00046591 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[BlackBox.class]
    00046592 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[Dummy.class]
    00116714 Adware/Startpage.JU Adware No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[Beyond.class]
    00117989 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[VBUG.class]
    00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
    00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
    00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt
    00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@apmebf[1].txt
    00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@advertising[1].txt
    00172064 Bck/Agent.E Virus/Trojan No 0 Yes No C:\WINNT\system32\hlpaddn.dll
    00234587 Adware/WinAD Adware No 0 Yes No C:\Program Files\incredimail_install.exe
    00260701 adware/vog Adware No 1 Yes No c:\program files\internet explorer\update.exe
    00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atwola[1].txt
    00325961 Adware/EasySearch Adware No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\authz.exe.vir
    00484705 Application/IEDefender HackTools No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\IEDFix.C.exe.vir
    00484705 Application/IEDefender HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\SmitfraudFix\IEDFix.C.exe
    00921467 Generic Malware Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\404Fix.exe.vir
    00921467 Generic Malware Virus/Trojan No 0 Yes No C:\Documents and Settings\Owner\Desktop\SmitfraudFix\404Fix.exe
    01797982 Trj/Zlob.KH Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\WINNT\Installer\343b42a9.msi.vir
    02175515 Generic Trojan Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\drivers\hjgruigexvobph.sys.vir
    02239686 Generic Trojan Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\hjgruivttlacap.dll.vir
    02444111 Trj/Alureon.AW Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\hjgruiximcuxqq.dll.vir
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No C:\WINNT\Downloaded Program Files\Play365.dll
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
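As an added example (not part of this thread, and not code from Panda or any other tool mentioned here), the following Python script parses the Panda ActiveScan report format posted above and sorts each MALWARE row into a coarse triage bucket. The Type vocabulary is limited to the four names that occur in these logs, and the bucket rules (quarantined, cookie, registry, Java cache, live file) are this editor's own heuristic; the embedded sample is a constructed excerpt of the second log, with the garbled trailing characters of the SUSPECTS rows dropped. The point it makes is the one a helper reads off such a log by eye: most of the 22 "hits" are already-quarantined copies or cookie files, and only a handful of locations are still live and worth acting on.

```python
import re
from dataclasses import dataclass
from typing import List

# One MALWARE row: Id Description Type Active Severity Disinfectable Disinfected Location.
# Description ("Cookie/Atlas DMT", "Generic Trojan") and Location both contain spaces,
# so the Type column, a small fixed vocabulary, anchors the split. Only the type
# names seen in the logs above are listed (assumption: add others as they appear).
ROW_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<desc>.+?)\s+"
    r"(?P<type>Adware|HackTools|TrackingCookie|Virus/Trojan)\s+"
    r"(?P<active>Yes|No)\s+(?P<severity>\d+)\s+"
    r"(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)
SUSPECT_RE = re.compile(r"^(?:Yes|No)\s+(?P<location>.+)$")
SECTION_HEADERS = ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES")


@dataclass
class Detection:
    id: str
    description: str
    type: str
    active: bool
    severity: int
    location: str

    @property
    def bucket(self) -> str:
        """Coarse triage class from type and location path (editor's heuristic)."""
        loc = self.location.lower()
        if self.type == "TrackingCookie":
            return "cookie"        # cookie text files carry no code
        if loc.startswith("hkey_"):
            return "registry"      # a registry key, not a file on disk
        if "\\quarantine\\" in loc or loc.endswith(".vir"):
            return "quarantined"   # already isolated by ComboFix or Norton
        if "\\.jpi_cache\\" in loc:
            return "java_cache"    # goes away when the JRE cache is emptied
        return "live_file"         # still in place and still needs action


@dataclass
class Report:
    detections: List[Detection]
    suspects: List[str]


def parse_report(text: str) -> Report:
    """Single pass over the report; rulers and column headers fail the regexes."""
    report = Report([], [])
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                     # blank lines and ;==== / ;**** rulers
        if line in SECTION_HEADERS:
            section = line
            continue
        if section == "MALWARE" and (m := ROW_RE.match(line)):
            report.detections.append(Detection(
                m["id"], m["desc"], m["type"], m["active"] == "Yes",
                int(m["severity"]), m["location"]))
        elif section == "SUSPECTS" and (m := SUSPECT_RE.match(line)):
            report.suspects.append(m["location"])
    return report


def needs_attention(report: Report) -> List[str]:
    """Locations that are neither tracking cookies nor already quarantined."""
    return [d.location for d in report.detections
            if d.bucket in ("live_file", "registry", "java_cache")]


# Constructed sample: seven rows excerpted from the second Panda log above.
SAMPLE_REPORT = r"""
ANALYSIS: 2009-08-10 07:13:17
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00029408 Adware/Lop Adware No 0 Yes No C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RDUXQ9CR\lop[2].htm
00041558 exploit/mhtredir.gen HackTools No 0 Yes No HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{10000000-1000-0000-1000-000000000000}
00046591 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-487b52a0-4a5fa4af.zip[BlackBox.class]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
00172064 Bck/Agent.E Virus/Trojan No 0 Yes No C:\WINNT\system32\hlpaddn.dll
00260701 adware/vog Adware No 1 Yes No c:\program files\internet explorer\update.exe
00921467 Generic Malware Virus/Trojan No 0 Yes No C:\Qoobox\Quarantine\C\WINNT\system32\404Fix.exe.vir
;=====
SUSPECTS
Sent Location
;=====
No C:\WINNT\Downloaded Program Files\Play365.dll
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("\n".join(needs_attention(rep) + ["suspect: " + s for s in rep.suspects]))
```

Run against the sample, `needs_attention` returns the lop[2].htm file, the Code Store Database key, the Java cache entry, hlpaddn.dll and update.exe, and leaves out the quarantined 404Fix copy and the cookie; `suspects` carries Play365.dll, the file the log itself marks as unclassified and therefore a candidate for a second-opinion scan.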
  • edited August 2009
    Now,
    1. Delete CFScript.txt from your PC first.
    2. Next, close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    Open *notepad* and copy/paste the text in the quotebox below into it:
    File::
    C:\WINNT\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\RDUXQ9CR\lop[2].htm
    C:\WINNT\system32\hlpaddn.dll
    
    Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.


    [image: CFScript.gif]

    Referring to the picture above, drag CFScript.txt into ComboFix.exe


    When finished, it shall produce a log for you at C:\ComboFix.txt

    Please copy and paste the ComboFix.txt in your next reply.

    ==========================================

    Now we will clear the Java cache folder.

    From the Start button, click Settings > Control Panel
    In the Control Panel, open the "Java Plug-in Control Panel"
    Select the Cache Tab
    Click the Clear button inside the Cache Tab, which will clear your JRE cache directory.

    ===============================================

    Go to Jotti/VirusTotal once again, and upload the following files for analysis:
    C:\WINNT\Downloaded Program Files\Play365.dll
    c:\program files\internet explorer\update.exe

    Post the results in your reply.

    ===============================================
    Although I'm no expert on issues such as the ones I have been having, could you impart to me some idea of what you were looking for in the logs of these scans, what you found, or just generally what the problems were? I'd love not to find myself in this sort of situation again.

    I don't know how to express this well, but there are schools online which train volunteer helpers like those you see here to help victims of malware. If you are interested, shoot me a pm and I will give you more information. There is no charge, nor is there any time limit for the training; you can even join up simply to discover more about what we do.

    And don't forget to post back the ComboFix and Jotti/VirusTotal results. :)
  • edited August 2009
    Whilst we appreciate that you may be busy, it has been several days since we heard from you. This topic is now closed.

    Infections can change and fresh instructions will now need to be given. If you wish to reopen your topic, please send a Private Message (PM) to Trogan with a link to your thread.

    If you are not the user who started this thread, you must start your own Thread instead :)