Solved: Removing Trojan.Gen.2 and ZeroAccess.B

jhw13 · 27-Jun-2012, 07:47 PM #1

Hi,

Recently got word from Norton Security Suite that they've been blocking the two Trojans in the title of this thread. Running a reasonably old HP laptop, Windows Vista, 32-bit.

As far as performance goes, I can tell the laptop is working a bit harder that usual (heating/cooling, load times, disk space usage) but there are no pop-up ads, system shutdowns, etc. as of yet. One issue that has stopped in the last 12-18 hours are the seemingly endless notifications from Norton saying they have either blocked access or stopped emails from being sent using my IP number - the e-mail address destinations look entirely randomized and international in scope and the e-mail titles almost uniformly offer job opportunity scams. I am assuming that is/was a function of the Trojans. Also - ISP sent me an e-mail notifying me of the bot, so I definitely know there's something rather nasty in my computer. Help me get rid of it!

I have followed the directions on the required-reading sticky post in the forum as closely as I am able.

NOTE
As I was writing this post, Norton brought a new threat to my attention - Suspicious Cloud7. Do not like the sound of that either.

I. HijackThis Log

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:59:26 PM, on 6/27/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Program Files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SFT\GuardedID\GIDD.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Constant Guard Protection Suite\IDVault.exe
C:\Users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\conime.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\explorer.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xfinity.comcast.net/?cid=cgps06222012
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...vilion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: XFINITY Toolbar - {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files\xfin_portal\comcastdx.dll
O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\6.2.1.5\coIEPlg.dll
O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\6.2.1.5\IPS\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Constant Guard Protection Suite (COM) - {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\ProgramData\White Sky, Inc\ID Vault\IEBHO1.1.613.0\NativeBHO.dll
O2 - BHO: Updater For XFIN_PORTAL - {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - C:\Program Files\xfin_portal\auxi\comcastAu.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
O3 - Toolbar: XFINITY Toolbar - {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files\xfin_portal\comcastdx.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\6.2.1.5\coIEPlg.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [TSMAgent] "C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [TVAgent] "C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
O4 - HKLM\..\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [GIDDesktop] C:\Program Files\SFT\GuardedID\gidd.exe /s
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Download] "C:\Users\Joe\AppData\Local\SupportSoft\ddoctorv2\Joe\SSGet.exe" 120 "http://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe"
O4 - HKCU\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = C:\Users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Constant Guard.lnk = C:\Program Files\Constant Guard Protection Suite\IDVault.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O15 - Trusted Zone: *.clonewarsadventures.com
O15 - Trusted Zone: *.freerealms.com
O15 - Trusted Zone: *.soe.com
O15 - Trusted Zone: *.sony.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.9.113.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\aestsrv.e xe
O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: CGPS Service (IDVaultSvc) - White Sky, Inc. - C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\STacSV.ex e
O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe

--
End of file - 14983 bytes

II. DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_31
Run by Joe at 16:01:09 on 2012-06-27
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2812.944 [GMT -7:00]
.
AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\STacSV.ex e
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\aestsrv.e xe
C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe
C:\Windows\system32\DllHost.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\SFT\GuardedID\GIDD.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Constant Guard Protection Suite\IDVault.exe
C:\Users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\conime.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Joe\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Windows\explorer.exe
C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Users\Joe\Desktop\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://xfinity.comcast.net/?cid=cgps06222012
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uWindow Title = Windows Internet Explorer provided by Comcast
mStart Page = hxxp://www.comcast.net/
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\6.2.1.5\coIEPlg.dll
BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\6.2.1.5\ips\IPSBHO.DLL
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Constant Guard Protection Suite (COM): {b84cdbe7-1b46-494b-a188-01d4c52deb61} - c:\programdata\white sky, inc\id vault\iebho1.1.613.0\NativeBHO.dll
BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - c:\program files\xfin_portal\auxi\comcastAu.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\6.2.1.5\coIEPlg.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Google Update] "c:\users\joe\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Download] "c:\users\joe\appdata\local\supportsoft\ddoctorv2\joe\SSGet.exe" 120 "http://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe"
uRun: [Regedit32] c:\windows\system32\regedit.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"
mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"
mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
mRun: [TVAgent] "c:\program files\hewlett-packard\media\tv\TVAgent.exe"
mRun: [UCam_Menu] "c:\program files\hewlett-packard\media\webcam\muitransfer\muistartmenu.exe" "c:\program files\hewlett-packard\media\webcam" update "software\hewlett-packard\media\Webcam"
mRun: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [<NO NAME>]
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [GIDDesktop] c:\program files\sft\guardedid\gidd.exe /s
StartupFolder: c:\users\joe\appdata\roaming\micros~1\windows\startm~1\programs\startup\dro pbox.lnk - c:\users\joe\appdata\roaming\dropbox\bin\Dropbox.exe
StartupFolder: c:\users\joe\appdata\roaming\micros~1\windows\startm~1\programs\startup\one not~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\consta~1.lnk - c:\program files\constant guard protection suite\IDVault.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{186F404A-E29D-4E4E-AC54-3B3A889B538B} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - c:\program files\sft\guardedid\gidi.exe /v
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\joe\appdata\roaming\mozilla\firefox\profiles\r2qy7d6d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\programdata\white sky, inc\id vault\xpcom3\components\IdVault.XPCOM3.dll
FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\r2qy7d6d.default\exte nsions\{4b9bcce8-a70b-402a-a7e1-db96831ee26f}\components\dtTransparency.dll
FF - plugin: c:\program files\download manager\npfpdlm.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\users\joe\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\users\joe\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\joe\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Norton Vulnerability Protection: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\IPSFFPlgn
FF - Ext: XFINITYToolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - %profile%\extensions\{4b9bcce8-a70b-402a-a7e1-db96831ee26f}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0602010.005\symds.sys [2012-6-26 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0602010.005\symefa.sys [2012-6-26 905336]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\bashdefs\20120619.001\BHDrvx86.sys [2012-6-19 821920]
R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\n360\0602010.005\ccsetx86.sys [2012-6-26 132744]
R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [2012-6-22 25232]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\ipsdefs\20120626.001\IDSvix86.sys [2012-6-26 382624]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0602010.005\ironx86.sys [2012-6-26 149624]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0602010.005\symtdiv.sys [2012-6-26 345208]
R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/04/25 03:42:21];c:\program files\hewlett-packard\media\dvd\000.fcl [2008-11-28 87536]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_c92065b9\A EstSrv.exe [2009-4-25 77824]
R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2012-4-5 291840]
R2 AODDriver4.1;AODDriver4.1;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2012-3-5 45184]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-18 19456]
R2 IDVaultSvc;CGPS Service;c:\program files\constant guard protection suite\IDVaultSvc.exe [2012-6-13 66160]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\6.2.1.5\ccsvchst.exe [2012-6-26 138232]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-2-14 365952]
R2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVCapSvc.exe [2008-11-26 296320]
R2 TVSched;TV Task Scheduler (TVTS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVSched.exe [2008-11-26 116096]
R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2012-5-16 37944]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-2-14 222512]
R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-4 54784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-6-26 106656]
R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2009-4-25 22072]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-25 136176]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-25 136176]
.
=============== Created Last 30 ================
.
2012-06-27 07:43:57 -------- d-----w- c:\users\joe\appdata\local\CrashDumps
2012-06-27 07:17:46 -------- d-----w- c:\users\joe\appdata\local\NPE
2012-06-27 02:56:34 345208 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symtdiv.sys
2012-06-27 02:56:34 318584 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symnets.sys
2012-06-27 02:56:33 905336 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symefa.sys
2012-06-27 02:56:33 574072 ----a-w- c:\windows\system32\drivers\n360\0602010.005\srtsp.sys
2012-06-27 02:56:33 340088 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symds.sys
2012-06-27 02:56:33 32888 ----a-w- c:\windows\system32\drivers\n360\0602010.005\srtspx.sys
2012-06-27 02:56:33 149624 ----a-r- c:\windows\system32\drivers\n360\0602010.005\ironx86.sys
2012-06-27 02:56:33 132744 ----a-r- c:\windows\system32\drivers\n360\0602010.005\ccsetx86.sys
2012-06-27 02:55:46 -------- d-----w- c:\windows\system32\drivers\n360\0602010.005
2012-06-27 02:32:00 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-06-27 02:32:00 -------- d-----w- c:\program files\Symantec
2012-06-27 02:32:00 -------- d-----w- c:\program files\common files\Symantec Shared
2012-06-27 02:30:45 -------- d-----w- c:\windows\system32\drivers\N360
2012-06-27 02:30:43 -------- d-----w- c:\program files\Norton Security Suite
2012-06-27 02:30:13 -------- d-----w- c:\program files\NortonInstaller
2012-06-25 06:34:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-06-25 06:34:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-06-23 01:51:14 -------- d-----w- c:\programdata\IsolatedStorage
2012-06-23 01:51:13 -------- d-----w- c:\users\joe\appdata\local\ID Vault
2012-06-23 01:50:31 8007680 ----a-w- c:\program files\mozilla firefox\Microsoft.mshtml.dll
2012-06-23 01:50:31 1724016 ----a-w- c:\program files\mozilla firefox\IdVaultCore.dll
2012-06-23 01:50:31 138864 ----a-w- c:\program files\mozilla firefox\CommonDotNET.dll
2012-06-23 01:50:31 104048 ----a-w- c:\program files\mozilla firefox\IdVaultCore.XmlSerializers.dll
2012-06-23 01:50:28 -------- d-----w- c:\users\joe\appdata\roaming\ID Vault
2012-06-23 01:50:19 25232 ------w- c:\windows\system32\drivers\gidv2.sys
2012-06-23 01:50:15 -------- d-----w- c:\programdata\GID
2012-06-23 01:50:11 -------- d-----w- c:\program files\SFT
2012-06-23 01:49:35 -------- d-----w- c:\program files\xfin_portal
2012-06-23 01:49:26 -------- d-----w- c:\program files\Constant Guard Protection Suite
2012-06-23 01:49:02 -------- d-----w- c:\programdata\White Sky, Inc
2012-06-22 21:21:37 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1272acd0-912d-46f9-b3d1-3ceb6a47a44f}\mpengine.dll
2012-06-22 21:11:37 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2012-06-22 21:11:37 297808 ----a-w- c:\windows\system32\mscoree.dll
2012-06-22 21:11:37 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2012-06-22 21:11:36 49472 ----a-w- c:\windows\system32\netfxperf.dll
2012-06-22 21:11:36 1130824 ----a-w- c:\windows\system32\dfshim.dll
2012-06-22 21:04:27 231936 ----a-w- c:\windows\system32\msshsq.dll
2012-06-22 20:58:57 49152 ----a-w- c:\windows\system32\csrsrv.dll
2012-06-22 20:44:31 276992 ----a-w- c:\windows\system32\schannel.dll
2012-06-21 23:04:27 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2012-06-21 23:04:24 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
.
==================== Find3M ====================
.
2012-04-09 02:53:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-06 05:34:22 159232 ----a-w- c:\windows\system32\clinfo.exe
2012-04-06 05:34:04 64512 ----a-w- c:\windows\system32\OpenVideo.dll
2012-04-06 05:33:52 56320 ----a-w- c:\windows\system32\OVDecode.dll
2012-04-06 05:32:56 13007872 ----a-w- c:\windows\system32\amdocl.dll
2012-04-06 05:32:04 50176 ----a-w- c:\windows\system32\OpenCL.dll
2012-04-04 23:18:24 30592 ----a-w- c:\windows\help\oem\scripts\PWAlertEnable.exe
.
============= FINISH: 16:03:38.95 ===============

III. Attach.txt

I've attached the Attach.txt file.

IV. Ark.txt

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-06-27 16:30:00
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-60ZCT1 rev.13.01A13
Running: vo44ybvb.exe; Driver: C:\Users\Joe\AppData\Local\Temp\pgddqpoc.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat FLTMGR.SYS (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Ip SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

That should do it. I've followed directions as closely as I can, so I hope this helps and does not cause any confusion. Any help to get rid of these security threats is greatly appreciated!

--Joe

flavallee · 27-Jun-2012, 08:25 PM #2

Your computer is definitely infected, so you'll need to wait for a gold/blue shield removal specialist to assist you.

This section is very busy, so be patient.

--------------------------------------------------------

Why hasn't Windows Vista SP1 been upgraded to SP2 - which was released in May 2009?

Have you been installing the important/recommended updates that Microsoft releases on a regular basis?

--------------------------------------------------------

jhw13 · 27-Jun-2012, 11:27 PM #3

I appreciate the heads up. In the meantime, could you possibly direct me to a good database/website where I can educate myself on different forms of malware? A site good for an introduction on how these things work, what they do, different typologies, etc. I figure this is a good learning opportunity. Anything would be appreciated.

-Joe

jeffce · 28-Jun-2012, 08:04 AM #4

Hi,

Please download aswMBR to your desktop.

Right click and Run as Administrator the aswMBR icon to run it.
Click the Scan button to start scan.
If asked whether you would like to update the Avast virus database please do.
When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

Click the image to enlarge it
----------

flavallee · 28-Jun-2012, 09:45 AM #5

Jeff has jumped in to help you. Follow his instructions from here on. Good luck.

------------------------------------------------------------

jhw13 · 28-Jun-2012, 11:03 PM #6

Hi,

Thanks for taking up my case. Much appreciated.

1. Update avast - check
2. Run scan as Admin - check
3. Post log below - check

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-06-28 14:37:49
-----------------------------
14:37:49.800 OS Version: Windows 6.0.6001 Service Pack 1
14:37:49.800 Number of processors: 2 586 0x301
14:37:49.800 ComputerName: COMPUTER UserName: Joe
14:37:54.839 Initialize success
14:38:09.690 AVAST engine defs: 12062800
14:38:12.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
14:38:12.171 Disk 0 Vendor: WDC_WD3200BEVT-60ZCT1 13.01A13 Size: 305245MB BusType: 3
14:38:12.218 Disk 0 MBR read successfully
14:38:12.264 Disk 0 MBR scan
14:38:12.264 Disk 0 unknown MBR code
14:38:12.280 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293799 MB offset 2048
14:38:12.342 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11442 MB offset 601702400
14:38:12.405 Disk 0 scanning sectors +625135616
14:38:12.748 Disk 0 scanning C:\Windows\system32\drivers
14:39:10.771 Service scanning
14:39:44.518 Modules scanning
14:40:22.497 Disk 0 trace - called modules:
14:40:22.524 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
14:40:22.533 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c9d468]
14:40:22.544 3 CLASSPNP.SYS[805c5745] -> nt!IofCallDriver -> [0x85c81d48]
14:40:22.552 5 hpdskflt.sys[8adadf05] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85c85ba0]
14:40:26.109 AVAST engine scan C:\Windows
14:41:21.350 AVAST engine scan C:\Windows\system32
14:49:23.584 AVAST engine scan C:\Windows\system32\drivers
14:51:23.037 AVAST engine scan C:\Users\Joe
15:02:15.461 File: C:\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n **INFECTED** Win32:Susn-AN [Trj]
15:02:15.614 File: C:\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@ **INFECTED** Win32:Malware-gen
16:29:07.012 AVAST engine scan C:\ProgramData
16:45:21.144 Scan finished successfully
20:00:30.808 Disk 0 MBR has been saved successfully to "C:\Users\Joe\Desktop\MBR.dat"
20:00:30.823 The log file has been saved successfully to "C:\Users\Joe\Desktop\aswMBR1.txt"

There it is. I eagerly await the next step.

-Joe

jeffce · 29-Jun-2012, 07:50 AM #7

Hi,

**WARNING**Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identify theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean as well as may have damaged your system files itself. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help.

----------

Download Combofix from either of the links below, and save it to your desktop.
Link 1
Link 2

**Note: It is important that it is saved directly to your desktop**
If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.

--------------------------------------------------------------------

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

--------------------------------------------------------------------

Right-Click and Run as Administrator on ComboFix.exe & follow the prompts.

When finished, it will produce a report for you.
Please post the C:\ComboFix.txt for further review.

jhw13 · 29-Jun-2012, 04:59 PM #8

I've decided to continue with the cleaning process. Let's give that a shot. If it doesn't work, than we'll move to the new OS install. The ComboFix log is pasted below.

ComboFix 12-06-28.03 - Joe 06/29/2012 13:34:32.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2812.1638 [GMT -7:00]
Running from: c:\users\Joe\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@
c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@
c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\800000cb.@
c:\users\Joe\AppData\Local\assembly\tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-29 )))))))))))))))))))))))))))))))
.
.
2012-06-29 20:46 . 2012-06-29 20:46 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-27 07:43 . 2012-06-27 19:55 -------- d-----w- c:\users\Joe\AppData\Local\CrashDumps
2012-06-27 07:17 . 2012-06-27 07:47 -------- d-----w- c:\users\Joe\AppData\Local\NPE
2012-06-27 02:32 . 2012-06-27 02:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-06-27 02:32 . 2012-06-27 02:32 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-06-27 02:32 . 2012-06-27 02:32 -------- d-----w- c:\program files\Symantec
2012-06-27 02:30 . 2012-06-27 07:23 -------- d-----w- c:\windows\system32\drivers\N360
2012-06-27 02:30 . 2012-06-27 02:30 -------- d-----w- c:\program files\Norton Security Suite
2012-06-27 02:30 . 2012-06-27 02:30 -------- d-----w- c:\program files\NortonInstaller
2012-06-25 06:34 . 2012-06-25 07:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-06-25 06:34 . 2012-06-25 06:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-06-23 01:51 . 2012-06-23 01:51 -------- d-----w- c:\programdata\IsolatedStorage
2012-06-23 01:51 . 2012-06-23 01:55 -------- d-----w- c:\users\Joe\AppData\Local\ID Vault
2012-06-23 01:50 . 2012-06-13 21:21 104048 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.XmlSerializers.dll
2012-06-23 01:50 . 2012-06-13 21:21 1724016 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.dll
2012-06-23 01:50 . 2012-06-13 21:21 138864 ----a-w- c:\program files\Mozilla Firefox\CommonDotNET.dll
2012-06-23 01:50 . 2012-06-13 21:19 8007680 ----a-w- c:\program files\Mozilla Firefox\Microsoft.mshtml.dll
2012-06-23 01:50 . 2012-06-29 20:33 -------- d-----w- c:\users\Joe\AppData\Roaming\ID Vault
2012-06-23 01:50 . 2011-07-05 17:24 25232 ------w- c:\windows\system32\drivers\gidv2.sys
2012-06-23 01:50 . 2012-06-23 01:50 -------- d-----w- c:\programdata\GID
2012-06-23 01:50 . 2012-06-23 01:50 -------- d-----w- c:\program files\SFT
2012-06-23 01:49 . 2012-06-23 01:49 -------- d-----w- c:\program files\xfin_portal
2012-06-23 01:49 . 2012-06-23 01:50 -------- d-----w- c:\program files\Constant Guard Protection Suite
2012-06-23 01:49 . 2012-06-23 01:49 -------- d-----w- c:\programdata\White Sky, Inc
2012-06-22 21:21 . 2012-06-18 10:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1272ACD0-912D-46F9-B3D1-3CEB6A47A44F}\mpengine.dll
2012-06-22 21:11 . 2009-11-08 17:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2012-06-22 21:11 . 2009-11-08 17:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2012-06-22 21:11 . 2009-11-08 17:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2012-06-22 21:11 . 2009-11-08 17:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2012-06-22 21:11 . 2009-11-08 17:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2012-06-22 21:04 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
2012-06-22 20:58 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
2012-06-22 20:44 . 2011-04-29 14:54 276992 ----a-w- c:\windows\system32\schannel.dll
2012-06-21 23:04 . 2012-06-21 23:04 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2012-06-21 23:04 . 2012-06-21 23:04 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-09 02:53 . 2011-10-04 06:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-06 05:34 . 2012-04-06 05:34 159232 ----a-w- c:\windows\system32\clinfo.exe
2012-04-06 05:34 . 2012-04-06 05:34 64512 ----a-w- c:\windows\system32\OpenVideo.dll
2012-04-06 05:33 . 2012-04-06 05:33 56320 ----a-w- c:\windows\system32\OVDecode.dll
2012-04-06 05:32 . 2012-04-06 05:32 13007872 ----a-w- c:\windows\system32\amdocl.dll
2012-04-06 05:32 . 2012-04-06 05:32 50176 ----a-w- c:\windows\system32\OpenCL.dll
2012-04-04 23:18 . 2012-05-19 01:50 30592 ----a-w- c:\windows\help\OEM\scripts\PWAlertEnable.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Download"="c:\users\Joe\AppData\Local\SupportSoft\ddoctorv2\Joe\SSGet. exe" [2012-01-11 987648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-01-08 450663]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-12-25 1316136]
"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-12-25 189736]
"TVAgent"="c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-01-21 210216]
"UCam_Menu"="c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2008-11-19 914224]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-10-30 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-12-08 432432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
"GIDDesktop"="c:\program files\SFT\GuardedID\gidd.exe" [2011-07-05 395528]
.
c:\users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf010 00.sys]
@="Driver"
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\a estsrv.exe [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
2011-07-05 17:26 435976 ----a-w- c:\program files\SFT\GuardedID\GIDI.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 20:17]
.
2012-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 20:17]
.
2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3665953699-1941896604-1241948209-1000Core.job
- c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-03 22:02]
.
2012-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3665953699-1941896604-1241948209-1000UA.job
- c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-03 22:02]
.
2012-06-27 c:\windows\Tasks\HPCeeScheduleForJoe.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-02-14 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://xfinity.comcast.net/?cid=cgps06222012
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\r2qy7d6d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Norton Vulnerability Protection: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\IPSFFPlgn
FF - Ext: XFINITYToolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - %profile%\extensions\{4b9bcce8-a70b-402a-a7e1-db96831ee26f}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKCU-Run-Regedit32 - c:\windows\system32\regedit.exe
AddRemove-14AF7854-4BCC-4E9C-927A-849E36B82DDF - c:\program files\MULTIFIT visualization tool\uninstall.exe
AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-29 13:47
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\6.2.1.5\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
.
Completion time: 2012-06-29 13:51:54
ComboFix-quarantined-files.txt 2012-06-29 20:51
.
Pre-Run: 204,428,234,752 bytes free
Post-Run: 205,073,031,168 bytes free
.
- - End Of File - - 1D1EB140C454C4748FF68A110DBDDFD1

Great, thanks again. Let me know the next step when you do.

-Joe

jeffce · 29-Jun-2012, 10:59 PM #9

Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

**If you are using a 64bit system please use either of the following links for your download instead:
Link 1
Link 2

Right-click and Run as Administrator SystemLook.exe to run it.
Copy the content within the following codebox into the main textfield:
Code:
```
:filefind
*services.exe
```
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

jhw13 · 30-Jun-2012, 03:22 AM **#10**

Hi,

SystemLook log posted below.

SystemLook 30.07.11 by jpshortstuff
Log created at 00:17 on 30/06/2012 by Joe
Administrator - Elevation successful

========== filefind ==========

Searching for "*services.exe"
C:\Windows\erdnt\cache\services.exe --a---- 279040 bytes [20:49 29/06/2012] [02:24 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe --a---- 279040 bytes [02:24 21/01/2008] [02:24 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\ser vices.exe --a---- 279040 bytes [02:24 21/01/2008] [02:24 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C

-= EOF =-

Thanks again.

-Joe

jeffce · 30-Jun-2012, 10:04 AM **#11**

Hi,

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

ClearJavaCache::

DDS::
BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [Regedit32] c:\windows\system32\regedit.exe
Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

jhw13 · 30-Jun-2012, 09:28 PM **#12**

Hello,

Below is the log from the script I ran through ComboFix.

ComboFix 12-06-28.03 - Joe 06/30/2012 17:54:48.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2812.1497 [GMT -7:00]
Running from: c:\users\Joe\Desktop\ComboFix.exe
Command switches used :: c:\users\Joe\Desktop\CFScript.txt
AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-06-01 to 2012-07-01 )))))))))))))))))))))))))))))))
.
.
2012-07-01 01:04 . 2012-07-01 01:04 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-06-27 07:43 . 2012-07-01 00:47 -------- d-----w- c:\users\Joe\AppData\Local\CrashDumps
2012-06-27 07:17 . 2012-06-27 07:47 -------- d-----w- c:\users\Joe\AppData\Local\NPE
2012-06-27 02:32 . 2012-06-27 02:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
2012-06-27 02:32 . 2012-06-27 02:32 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-06-27 02:32 . 2012-06-27 02:32 -------- d-----w- c:\program files\Symantec
2012-06-27 02:30 . 2012-06-27 07:23 -------- d-----w- c:\windows\system32\drivers\N360
2012-06-27 02:30 . 2012-06-27 02:30 -------- d-----w- c:\program files\Norton Security Suite
2012-06-27 02:30 . 2012-06-27 02:30 -------- d-----w- c:\program files\NortonInstaller
2012-06-25 06:34 . 2012-06-25 07:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2012-06-25 06:34 . 2012-06-25 06:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-06-23 01:51 . 2012-06-23 01:51 -------- d-----w- c:\programdata\IsolatedStorage
2012-06-23 01:51 . 2012-06-23 01:55 -------- d-----w- c:\users\Joe\AppData\Local\ID Vault
2012-06-23 01:50 . 2012-06-13 21:21 104048 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.XmlSerializers.dll
2012-06-23 01:50 . 2012-06-13 21:21 1724016 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.dll
2012-06-23 01:50 . 2012-06-13 21:21 138864 ----a-w- c:\program files\Mozilla Firefox\CommonDotNET.dll
2012-06-23 01:50 . 2012-06-13 21:19 8007680 ----a-w- c:\program files\Mozilla Firefox\Microsoft.mshtml.dll
2012-06-23 01:50 . 2012-07-01 00:52 -------- d-----w- c:\users\Joe\AppData\Roaming\ID Vault
2012-06-23 01:50 . 2011-07-05 17:24 25232 ------w- c:\windows\system32\drivers\gidv2.sys
2012-06-23 01:50 . 2012-06-23 01:50 -------- d-----w- c:\programdata\GID
2012-06-23 01:50 . 2012-06-23 01:50 -------- d-----w- c:\program files\SFT
2012-06-23 01:49 . 2012-06-23 01:49 -------- d-----w- c:\program files\xfin_portal
2012-06-23 01:49 . 2012-06-23 01:50 -------- d-----w- c:\program files\Constant Guard Protection Suite
2012-06-23 01:49 . 2012-06-23 01:49 -------- d-----w- c:\programdata\White Sky, Inc
2012-06-22 21:21 . 2012-06-18 10:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1272ACD0-912D-46F9-B3D1-3CEB6A47A44F}\mpengine.dll
2012-06-22 21:11 . 2009-11-08 17:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2012-06-22 21:11 . 2009-11-08 17:55 297808 ----a-w- c:\windows\system32\mscoree.dll
2012-06-22 21:11 . 2009-11-08 17:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2012-06-22 21:11 . 2009-11-08 17:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
2012-06-22 21:11 . 2009-11-08 17:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
2012-06-22 21:04 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
2012-06-22 20:58 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
2012-06-22 20:44 . 2011-04-29 14:54 276992 ----a-w- c:\windows\system32\schannel.dll
2012-06-21 23:04 . 2012-06-21 23:04 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2012-06-21 23:04 . 2012-06-21 23:04 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-09 02:53 . 2011-10-04 06:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-06 05:34 . 2012-04-06 05:34 159232 ----a-w- c:\windows\system32\clinfo.exe
2012-04-06 05:34 . 2012-04-06 05:34 64512 ----a-w- c:\windows\system32\OpenVideo.dll
2012-04-06 05:33 . 2012-04-06 05:33 56320 ----a-w- c:\windows\system32\OVDecode.dll
2012-04-06 05:32 . 2012-04-06 05:32 13007872 ----a-w- c:\windows\system32\amdocl.dll
2012-04-06 05:32 . 2012-04-06 05:32 50176 ----a-w- c:\windows\system32\OpenCL.dll
2012-04-04 23:18 . 2012-05-19 01:50 30592 ----a-w- c:\windows\help\OEM\scripts\PWAlertEnable.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shell iconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"Download"="c:\users\Joe\AppData\Local\SupportSoft\ddoctorv2\Joe\SSGet. exe" [2012-01-11 987648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-01-08 450663]
"DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
"TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-12-25 1316136]
"CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-12-25 189736]
"TVAgent"="c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-01-21 210216]
"UCam_Menu"="c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
"SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2008-11-19 914224]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-10-30 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
"WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-12-08 432432]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
"GIDDesktop"="c:\program files\SFT\GuardedID\gidd.exe" [2011-07-05 395528]
.
c:\users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Constant Guard.lnk - c:\program files\Constant Guard Protection Suite\IDVault.exe [2012-6-13 6534768]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\syste m]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf010 00.sys]
@="Driver"
.
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\a estsrv.exe [x]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - EraserUtilDrv11210
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
2011-07-05 17:26 435976 ----a-w- c:\program files\SFT\GuardedID\GIDI.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 20:17]
.
2012-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 20:17]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3665953699-1941896604-1241948209-1000Core.job
- c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-03 22:02]
.
2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3665953699-1941896604-1241948209-1000UA.job
- c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-03 22:02]
.
2012-06-27 c:\windows\Tasks\HPCeeScheduleForJoe.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-02-14 19:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://xfinity.comcast.net/?cid=cgps06222012
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\r2qy7d6d.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Norton Vulnerability Protection: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\IPSFFPlgn
FF - Ext: XFINITYToolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - %profile%\extensions\{4b9bcce8-a70b-402a-a7e1-db96831ee26f}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-30 18:05
Windows 6.0.6001 Service Pack 1 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\6.2.1.5\diMaster.dll\" /prefetch:1"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
"ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5988)
c:\windows\system32\GIDHook.dll
c:\windows\system32\GIDBIN1.dll
c:\windows\system32\EasyHook32.dll
c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
Completion time: 2012-06-30 18:08:56
ComboFix-quarantined-files.txt 2012-07-01 01:08
ComboFix2.txt 2012-06-29 20:51
.
Pre-Run: 208,135,876,608 bytes free
Post-Run: 208,032,440,320 bytes free
.
- - End Of File - - 0EA7C7FA0490F0713A8B0F8EC04EAFF9

Awesome.

-Joe

jeffce · 30-Jun-2012, 09:34 PM **#13**

Hi,

Looking better.

Please download Malwarebytes' Anti-Malware to your desktop.

Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan as shown below.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.

The log can also be found here:
C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
----------

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan

Tick the box next to YES, I accept the Terms of Use
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
Click Scan (This scan can take several hours, so please be patient)
Once the scan is completed, you may close the window
Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

----------

In your next reply please post the logs made by Malwarebytes and ESET online scanner.

jhw13 · 01-Jul-2012, 08:50 PM **#14**

Alright, got those two scans finished. Below is the MalwareBytes log and the ESET Scan long.

I. MalwareBytes Scan log

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.01.07

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
Joe :: COMPUTER [administrator]

7/1/2012 11:35:53 AM
mbam-log-2012-07-01 (11-35-53).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 212825
Time elapsed: 8 minute(s), 36 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

II. ESET Scan Log
NOTE: I did not find a log in the Program Files/ESET folder, so I exported the scan results to a text file. Should be the same. If not, let me know and I can dig deeper to get the proper log.

C:\Qoobox\Quarantine\C\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n.vir Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\800000cb.@.vir probably a variant of Win32/Agent.TEO trojan
C:\Users\Joe\AppData\Roaming\65FE5BB0BCB7AE43DEFB65CF6138FB78\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Users\Joe\Desktop\assorted intellectual interests - recent\Counter-Strike\cstrike\cl_dlls\GameUI.dll Win32/SuspLibLoad.A trojan

END log

Awesome, thanks again. How do you think it's looking, cleanup wise?

-Joe

jeffce · 01-Jul-2012, 08:54 PM **#15**

Hi,

The logs are looking better.

Run the following instructions and then let me know how your system is running.

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:

ClearJavaCache::

File::
C:\Users\Joe\AppData\Roaming\65FE5BB0BCB7AE43DEFB65CF6138FB78\enemies-names.txt	
C:\Users\Joe\Desktop\assorted intellectual interests - recent\Counter-Strike\cstrike\cl_dlls\GameUI.dll

Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Solved: Removing Trojan.Gen.2 and ZeroAccess.B

Find the solution to your computer problem!

Find the solution to your
computer problem!