
Removing Trojan.Gen.2 and ZeroAccess.B

Discussion in 'Virus & Other Malware Removal' started by jhw13, Jun 27, 2012.

    jhw13 (Thread Starter)
    Hi,

    Recently got word from Norton Security Suite that they've been blocking the two Trojans in the title of this thread. Running a reasonably old HP laptop, Windows Vista, 32-bit.

    As far as performance goes, I can tell the laptop is working a bit harder than usual (heating/cooling, load times, disk space usage), but there are no pop-up ads, system shutdowns, etc. as of yet. One issue that has stopped in the last 12-18 hours is the seemingly endless notifications from Norton saying they have either blocked access or stopped emails from being sent using my IP number - the e-mail address destinations look entirely randomized and international in scope, and the e-mail titles almost uniformly offer job opportunity scams. I am assuming that is/was a function of the Trojans. Also - my ISP sent me an e-mail notifying me of the bot, so I definitely know there's something rather nasty in my computer. Help me get rid of it!

    I have followed the directions on the required-reading sticky post in the forum as closely as I am able.

    NOTE
    As I was writing this post, Norton brought a new threat to my attention - Suspicious Cloud7. Do not like the sound of that either.

    I. HijackThis Log

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 3:59:26 PM, on 6/27/2012
    Platform: Windows Vista SP1 (WinNT 6.00.1905)
    MSIE: Internet Explorer v7.00 (7.00.6001.18639)
    Boot mode: Normal

    Running processes:
    C:\Program Files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
    C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
    C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\SFT\GuardedID\GIDD.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Constant Guard Protection Suite\IDVault.exe
    C:\Users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\conime.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\rundll32.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
    C:\Windows\explorer.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://xfinity.comcast.net/?cid=cgps06222012
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O1 - Hosts: ::1 localhost
    O2 - BHO: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: XFINITY Toolbar - {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files\xfin_portal\comcastdx.dll
    O2 - BHO: Norton Identity Protection - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Security Suite\Engine\6.2.1.5\coIEPlg.dll
    O2 - BHO: Norton Vulnerability Protection - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Security Suite\Engine\6.2.1.5\IPS\IPSBHO.DLL
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O2 - BHO: Constant Guard Protection Suite (COM) - {B84CDBE7-1B46-494B-A188-01D4C52DEB61} - C:\ProgramData\White Sky, Inc\ID Vault\IEBHO1.1.613.0\NativeBHO.dll
    O2 - BHO: Updater For XFIN_PORTAL - {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - C:\Program Files\xfin_portal\auxi\comcastAu.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: vShare Plugin - {043C5167-00BB-4324-AF7E-62013FAEDACF} - C:\Program Files\vShare\vshare_toolbar.dll
    O3 - Toolbar: XFINITY Toolbar - {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - C:\Program Files\xfin_portal\comcastdx.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Security Suite\Engine\6.2.1.5\coIEPlg.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    O4 - HKLM\..\Run: [DVDAgent] "C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe"
    O4 - HKLM\..\Run: [TSMAgent] "C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
    O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
    O4 - HKLM\..\Run: [TVAgent] "C:\Program Files\Hewlett-Packard\Media\TV\TVAgent.exe"
    O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\Hewlett-Packard\Media\Webcam" update "Software\Hewlett-Packard\Media\Webcam"
    O4 - HKLM\..\Run: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
    O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
    O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
    O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
    O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
    O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [WirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [GIDDesktop] C:\Program Files\SFT\GuardedID\gidd.exe /s
    O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [Download] "C:\Users\Joe\AppData\Local\SupportSoft\ddoctorv2\Joe\SSGet.exe" 120 "http://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe"
    O4 - HKCU\..\Run: [Regedit32] C:\Windows\system32\regedit.exe
    O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
    O4 - Startup: Dropbox.lnk = C:\Users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Global Startup: Constant Guard.lnk = C:\Program Files\Constant Guard Protection Suite\IDVault.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O15 - Trusted Zone: *.clonewarsadventures.com
    O15 - Trusted Zone: *.freerealms.com
    O15 - Trusted Zone: *.soe.com
    O15 - Trusted Zone: *.sony.com
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
    O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O18 - Protocol: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - C:\Program Files\vShare\vshare_toolbar.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
    O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\aestsrv.exe
    O23 - Service: AMD FUEL Service - Advanced Micro Devices, Inc. - C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: CGPS Service (IDVaultSvc) - White Sky, Inc. - C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton Security Suite (N360) - Symantec Corporation - C:\Program Files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe
    O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\STacSV.exe
    O23 - Service: TV Background Capture Service (TVBCS) (TVCapSvc) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
    O23 - Service: TV Task Scheduler (TVTS) (TVSched) - Unknown owner - C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe

    --
    End of file - 14983 bytes

    II. DDS.txt

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_31
    Run by Joe at 16:01:09 on 2012-06-27
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2812.944 [GMT -7:00]
    .
    AV: Norton Security Suite *Enabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    SP: Norton Security Suite *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    FW: Norton Security Suite *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    .
    ============== Running Processes ===============
    .
    C:\Windows\system32\wininit.exe
    C:\Windows\system32\lsm.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    C:\Windows\system32\svchost.exe -k rpcss
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\Windows\system32\svchost.exe -k netsvcs
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\STacSV.exe
    C:\Windows\system32\SLsvc.exe
    C:\Windows\system32\svchost.exe -k LocalService
    C:\Windows\system32\Ati2evxx.exe
    C:\Windows\system32\Hpservice.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    C:\Windows\System32\spoolsv.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\aestsrv.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe
    C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\Program Files\SMINST\BLService.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
    C:\Windows\system32\svchost.exe -k imgsvc
    C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVCapSvc.exe
    C:\Program Files\Hewlett-Packard\Media\TV\Kernel\TV\TVSched.exe
    C:\Windows\System32\svchost.exe -k WerSvcGroup
    C:\Windows\system32\SearchIndexer.exe
    C:\Program Files\Constant Guard Protection Suite\IDVaultSvc.exe
    C:\Windows\system32\DllHost.exe
    c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Program Files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe
    C:\Windows\system32\Dwm.exe
    C:\Windows\system32\taskeng.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\Hewlett-Packard\Media\DVD\DVDAgent.exe
    C:\Program Files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
    C:\Program Files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
    C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
    C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
    C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\SFT\GuardedID\GIDD.exe
    C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
    C:\Windows\ehome\ehtray.exe
    C:\Program Files\Constant Guard Protection Suite\IDVault.exe
    C:\Users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe
    C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    C:\Windows\ehome\ehmsas.exe
    C:\Windows\system32\wbem\unsecapp.exe
    C:\Windows\system32\wuauclt.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqToaster.exe
    C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Windows\system32\conime.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\rundll32.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Users\Joe\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
    C:\Windows\explorer.exe
    C:\Users\Joe\AppData\Local\Google\Chrome\Application\chrome.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\taskeng.exe
    C:\Users\Joe\Desktop\HijackThis.exe
    C:\Windows\system32\NOTEPAD.EXE
    C:\Windows\system32\SearchProtocolHost.exe
    C:\Windows\system32\SearchFilterHost.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://xfinity.comcast.net/?cid=cgps06222012
    uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    uWindow Title = Windows Internet Explorer provided by Comcast
    mStart Page = hxxp://www.comcast.net/
    mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = *.local
    BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
    BHO: Norton Identity Protection: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\6.2.1.5\coIEPlg.dll
    BHO: Norton Vulnerability Protection: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\6.2.1.5\ips\IPSBHO.DLL
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
    BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    BHO: Constant Guard Protection Suite (COM): {b84cdbe7-1b46-494b-a188-01d4c52deb61} - c:\programdata\white sky, inc\id vault\iebho1.1.613.0\NativeBHO.dll
    BHO: Updater For XFIN_PORTAL: {bb46be07-13eb-4c49-b0f0-fc78b9ea4983} - c:\program files\xfin_portal\auxi\comcastAu.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
    TB: XFINITY Toolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - c:\program files\xfin_portal\comcastdx.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\6.2.1.5\coIEPlg.dll
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
    uRun: [igndlm.exe] c:\program files\download manager\DLM.exe /windowsstart /startifwork
    uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
    uRun: [Google Update] "c:\users\joe\appdata\local\google\update\GoogleUpdate.exe" /c
    uRun: [Download] "c:\users\joe\appdata\local\supportsoft\ddoctorv2\joe\SSGet.exe" 120 "http://pcmctbc.cmc.motive.com/motivedocs/EasySolveInstaller.exe" "EasySolveInstaller.exe"
    uRun: [Regedit32] c:\windows\system32\regedit.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
    mRun: [DVDAgent] "c:\program files\hewlett-packard\media\dvd\DVDAgent.exe"
    mRun: [TSMAgent] "c:\program files\hewlett-packard\touchsmart\media\TSMAgent.exe"
    mRun: [CLMLServer for HP TouchSmart] "c:\program files\hewlett-packard\touchsmart\media\kernel\clml\CLMLSvc.exe"
    mRun: [TVAgent] "c:\program files\hewlett-packard\media\tv\TVAgent.exe"
    mRun: [UCam_Menu] "c:\program files\hewlett-packard\media\webcam\muitransfer\muistartmenu.exe" "c:\program files\hewlett-packard\media\webcam" update "software\hewlett-packard\media\Webcam"
    mRun: [SmartMenu] %ProgramFiles%\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
    mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
    mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
    mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
    mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
    mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
    mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
    mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
    mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
    mRun: [WirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
    mRun: [<NO NAME>]
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
    mRun: [GIDDesktop] c:\program files\sft\guardedid\gidd.exe /s
    StartupFolder: c:\users\joe\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\joe\appdata\roaming\dropbox\bin\Dropbox.exe
    StartupFolder: c:\users\joe\appdata\roaming\micros~1\windows\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
    StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\consta~1.lnk - c:\program files\constant guard protection suite\IDVault.exe
    mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
    IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
    TCP: DhcpNameServer = 192.168.1.1
    TCP: Interfaces\{186F404A-E29D-4E4E-AC54-3B3A889B538B} : DhcpNameServer = 192.168.1.1
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - c:\program files\sft\guardedid\gidi.exe /v
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\joe\appdata\roaming\mozilla\firefox\profiles\r2qy7d6d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
    FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\ipsffplgn\components\IPSFFPl.dll
    FF - component: c:\programdata\white sky, inc\id vault\xpcom3\components\IdVault.XPCOM3.dll
    FF - component: c:\users\joe\appdata\roaming\mozilla\firefox\profiles\r2qy7d6d.default\extensions\{4b9bcce8-a70b-402a-a7e1-db96831ee26f}\components\dtTransparency.dll
    FF - plugin: c:\program files\download manager\npfpdlm.dll
    FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
    FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
    FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
    FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
    FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
    FF - plugin: c:\users\joe\appdata\local\google\update\1.3.21.111\npGoogleUpdate3.dll
    FF - plugin: c:\users\joe\appdata\roaming\mozilla\plugins\npgoogletalk.dll
    FF - plugin: c:\users\joe\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\mozilla firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Norton Vulnerability Protection: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\IPSFFPlgn
    FF - Ext: XFINITYToolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - %profile%\extensions\{4b9bcce8-a70b-402a-a7e1-db96831ee26f}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    ============= SERVICES / DRIVERS ===============
    .
    R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0602010.005\symds.sys [2012-6-26 340088]
    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0602010.005\symefa.sys [2012-6-26 905336]
    R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\bashdefs\20120619.001\BHDrvx86.sys [2012-6-19 821920]
    R1 ccSet_N360;Norton Security Suite Settings Manager;c:\windows\system32\drivers\n360\0602010.005\ccsetx86.sys [2012-6-26 132744]
    R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [2012-6-22 25232]
    R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_6.0.0.145\definitions\ipsdefs\20120626.001\IDSvix86.sys [2012-6-26 382624]
    R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0602010.005\ironx86.sys [2012-6-26 149624]
    R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\n360\0602010.005\symtdiv.sys [2012-6-26 345208]
    R2 {55662437-DA8C-40c0-AADA-2C816A897A49};Power Control [2009/04/25 03:42:21];c:\program files\hewlett-packard\media\dvd\000.fcl [2008-11-28 87536]
    R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\driverstore\filerepository\stwrt.inf_c92065b9\AEstSrv.exe [2009-4-25 77824]
    R2 AMD FUEL Service;AMD FUEL Service;c:\program files\ati technologies\ati.ace\fuel\Fuel.Service.exe [2012-4-5 291840]
    R2 AODDriver4.1;AODDriver4.1;c:\program files\ati technologies\ati.ace\fuel\i386\aoddriver2.sys [2012-3-5 45184]
    R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2008-3-18 19456]
    R2 IDVaultSvc;CGPS Service;c:\program files\constant guard protection suite\IDVaultSvc.exe [2012-6-13 66160]
    R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\6.2.1.5\ccsvchst.exe [2012-6-26 138232]
    R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2009-2-14 365952]
    R2 TVCapSvc;TV Background Capture Service (TVBCS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVCapSvc.exe [2008-11-26 296320]
    R2 TVSched;TV Task Scheduler (TVTS);c:\program files\hewlett-packard\media\tv\kernel\tv\TVSched.exe [2008-11-26 116096]
    R3 amdiox86;AMD IO Driver;c:\windows\system32\drivers\amdiox86.sys [2012-5-16 37944]
    R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2009-2-14 222512]
    R3 enecir;ENE CIR Receiver;c:\windows\system32\drivers\enecir.sys [2008-9-4 54784]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-6-26 106656]
    R3 usbfilter;AMD USB Filter Driver;c:\windows\system32\drivers\usbfilter.sys [2009-4-25 22072]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-6-25 136176]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-6-25 136176]
    .
    =============== Created Last 30 ================
    .
    2012-06-27 07:43:57 -------- d-----w- c:\users\joe\appdata\local\CrashDumps
    2012-06-27 07:17:46 -------- d-----w- c:\users\joe\appdata\local\NPE
    2012-06-27 02:56:34 345208 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symtdiv.sys
    2012-06-27 02:56:34 318584 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symnets.sys
    2012-06-27 02:56:33 905336 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symefa.sys
    2012-06-27 02:56:33 574072 ----a-w- c:\windows\system32\drivers\n360\0602010.005\srtsp.sys
    2012-06-27 02:56:33 340088 ----a-r- c:\windows\system32\drivers\n360\0602010.005\symds.sys
    2012-06-27 02:56:33 32888 ----a-w- c:\windows\system32\drivers\n360\0602010.005\srtspx.sys
    2012-06-27 02:56:33 149624 ----a-r- c:\windows\system32\drivers\n360\0602010.005\ironx86.sys
    2012-06-27 02:56:33 132744 ----a-r- c:\windows\system32\drivers\n360\0602010.005\ccsetx86.sys
    2012-06-27 02:55:46 -------- d-----w- c:\windows\system32\drivers\n360\0602010.005
    2012-06-27 02:32:00 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2012-06-27 02:32:00 -------- d-----w- c:\program files\Symantec
    2012-06-27 02:32:00 -------- d-----w- c:\program files\common files\Symantec Shared
    2012-06-27 02:30:45 -------- d-----w- c:\windows\system32\drivers\N360
    2012-06-27 02:30:43 -------- d-----w- c:\program files\Norton Security Suite
    2012-06-27 02:30:13 -------- d-----w- c:\program files\NortonInstaller
    2012-06-25 06:34:34 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-25 06:34:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-06-23 01:51:14 -------- d-----w- c:\programdata\IsolatedStorage
    2012-06-23 01:51:13 -------- d-----w- c:\users\joe\appdata\local\ID Vault
    2012-06-23 01:50:31 8007680 ----a-w- c:\program files\mozilla firefox\Microsoft.mshtml.dll
    2012-06-23 01:50:31 1724016 ----a-w- c:\program files\mozilla firefox\IdVaultCore.dll
    2012-06-23 01:50:31 138864 ----a-w- c:\program files\mozilla firefox\CommonDotNET.dll
    2012-06-23 01:50:31 104048 ----a-w- c:\program files\mozilla firefox\IdVaultCore.XmlSerializers.dll
    2012-06-23 01:50:28 -------- d-----w- c:\users\joe\appdata\roaming\ID Vault
    2012-06-23 01:50:19 25232 ------w- c:\windows\system32\drivers\gidv2.sys
    2012-06-23 01:50:15 -------- d-----w- c:\programdata\GID
    2012-06-23 01:50:11 -------- d-----w- c:\program files\SFT
    2012-06-23 01:49:35 -------- d-----w- c:\program files\xfin_portal
    2012-06-23 01:49:26 -------- d-----w- c:\program files\Constant Guard Protection Suite
    2012-06-23 01:49:02 -------- d-----w- c:\programdata\White Sky, Inc
    2012-06-22 21:21:37 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{1272acd0-912d-46f9-b3d1-3ceb6a47a44f}\mpengine.dll
    2012-06-22 21:11:37 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2012-06-22 21:11:37 297808 ----a-w- c:\windows\system32\mscoree.dll
    2012-06-22 21:11:37 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2012-06-22 21:11:36 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2012-06-22 21:11:36 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2012-06-22 21:04:27 231936 ----a-w- c:\windows\system32\msshsq.dll
    2012-06-22 20:58:57 49152 ----a-w- c:\windows\system32\csrsrv.dll
    2012-06-22 20:44:31 276992 ----a-w- c:\windows\system32\schannel.dll
    2012-06-21 23:04:27 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
    2012-06-21 23:04:24 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    .
    ==================== Find3M ====================
    .
    2012-04-09 02:53:30 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-04-06 05:34:22 159232 ----a-w- c:\windows\system32\clinfo.exe
    2012-04-06 05:34:04 64512 ----a-w- c:\windows\system32\OpenVideo.dll
    2012-04-06 05:33:52 56320 ----a-w- c:\windows\system32\OVDecode.dll
    2012-04-06 05:32:56 13007872 ----a-w- c:\windows\system32\amdocl.dll
    2012-04-06 05:32:04 50176 ----a-w- c:\windows\system32\OpenCL.dll
    2012-04-04 23:18:24 30592 ----a-w- c:\windows\help\oem\scripts\PWAlertEnable.exe
    .
    ============= FINISH: 16:03:38.95 ===============


    III. Attach.txt

    I've attached the Attach.txt file.


    IV. Ark.txt

    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit quick scan 2012-06-27 16:30:00
    Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-60ZCT1 rev.13.01A13
    Running: vo44ybvb.exe; Driver: C:\Users\Joe\AppData\Local\Temp\pgddqpoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\fastfat \Fat FLTMGR.SYS (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\tdx \Device\Ip SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----


    That should do it. I've followed directions as closely as I can, so I hope this helps and does not cause any confusion. Any help to get rid of these security threats is greatly appreciated!

    --Joe
     


  2. flavallee

    flavallee Frank Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    63,586
    Your computer is definitely infected, so you'll need to wait for a gold/blue shield removal specialist to assist you.

    This section is very busy, so be patient.

    --------------------------------------------------------

    Why hasn't Windows Vista SP1 been upgraded to SP2 - which was released in May 2009?

    Have you been installing the important/recommended updates that Microsoft releases on a regular basis?

    --------------------------------------------------------
     
  3. jhw13

    jhw13 Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    9
    I appreciate the heads up. In the meantime, could you possibly direct me to a good database/website where I can educate myself on different forms of malware? A site good for an introduction on how these things work, what they do, different typologies, etc. I figure this is a good learning opportunity. Anything would be appreciated.

    -Joe
     
  4. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Please download aswMBR to your desktop.

    • Right-click the aswMBR icon and choose Run as Administrator to run it.
    • Click the Scan button to start scan.
    • If asked whether you would like to update the Avast virus database please do.
    • When it finishes, press the save log button, save the logfile to your desktop and post its contents in your next reply.

    ----------
     
  5. flavallee

    flavallee Frank Trusted Advisor

    Joined:
    May 12, 2002
    Messages:
    63,586
    Jeff has jumped in to help you. Follow his instructions from here on. Good luck.

    ------------------------------------------------------------
     
  6. jhw13

    jhw13 Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    9
    Hi,

    Thanks for taking up my case. Much appreciated.

    1. Update avast - check
    2. Run scan as Admin - check
    3. Post log below - check


    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-06-28 14:37:49
    -----------------------------
    14:37:49.800 OS Version: Windows 6.0.6001 Service Pack 1
    14:37:49.800 Number of processors: 2 586 0x301
    14:37:49.800 ComputerName: COMPUTER UserName: Joe
    14:37:54.839 Initialize success
    14:38:09.690 AVAST engine defs: 12062800
    14:38:12.171 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
    14:38:12.171 Disk 0 Vendor: WDC_WD3200BEVT-60ZCT1 13.01A13 Size: 305245MB BusType: 3
    14:38:12.218 Disk 0 MBR read successfully
    14:38:12.264 Disk 0 MBR scan
    14:38:12.264 Disk 0 unknown MBR code
    14:38:12.280 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 293799 MB offset 2048
    14:38:12.342 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 11442 MB offset 601702400
    14:38:12.405 Disk 0 scanning sectors +625135616
    14:38:12.748 Disk 0 scanning C:\Windows\system32\drivers
    14:39:10.771 Service scanning
    14:39:44.518 Modules scanning
    14:40:22.497 Disk 0 trace - called modules:
    14:40:22.524 ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
    14:40:22.533 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c9d468]
    14:40:22.544 3 CLASSPNP.SYS[805c5745] -> nt!IofCallDriver -> [0x85c81d48]
    14:40:22.552 5 hpdskflt.sys[8adadf05] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85c85ba0]
    14:40:26.109 AVAST engine scan C:\Windows
    14:41:21.350 AVAST engine scan C:\Windows\system32
    14:49:23.584 AVAST engine scan C:\Windows\system32\drivers
    14:51:23.037 AVAST engine scan C:\Users\Joe
    15:02:15.461 File: C:\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n **INFECTED** Win32:Susn-AN [Trj]
    15:02:15.614 File: C:\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@ **INFECTED** Win32:Malware-gen
    16:29:07.012 AVAST engine scan C:\ProgramData
    16:45:21.144 Scan finished successfully
    20:00:30.808 Disk 0 MBR has been saved successfully to "C:\Users\Joe\Desktop\MBR.dat"
    20:00:30.823 The log file has been saved successfully to "C:\Users\Joe\Desktop\aswMBR1.txt"

    There it is. I eagerly await the next step.

    -Joe
     
  7. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    **WARNING** Unfortunately one or more of the infections I have identified are Backdoor Trojans, IRCBots or other Malware capable of stealing very important information. You need to stop using all Internet Banking sites, change passwords to all sites with sensitive information from a clean computer and phone your bank to inform them that you may be a victim of identity theft. More often than not, we advise users that a full reinstallation of their Operating System is the only way to ensure that their computer will ever be 100% clean again.

    Unfortunately I have found what is known as the ZeroAccess rootkit on your system. It is an especially nasty infection that can take quite some time to clean and may itself have damaged your system files. As a warning, during the cleaning (if you choose to do so) you may lose internet access with this computer, and in the end we may need to reinstall the operating system anyway depending on the extent of the infection.

    If you would like to format and reinstall your Operating System please let me know and we can assist you with that.

    If you would like to continue with the cleaning, please continue with the following instructions and I will be more than happy to help. :)
    ----------

    Download Combofix from either of the links below, and save it to your desktop.
    Link 1
    Link 2

    **Note: It is important that it is saved directly to your desktop**
    If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.


    --------------------------------------------------------------------

    IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

    --------------------------------------------------------------------

    Right-click ComboFix.exe, choose Run as Administrator, and follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the C:\ComboFix.txt for further review.
     
  8. jhw13

    jhw13 Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    9
    I've decided to continue with the cleaning process. Let's give that a shot. If it doesn't work, then we'll move to the new OS install. The ComboFix log is pasted below.

    ComboFix 12-06-28.03 - Joe 06/29/2012 13:34:32.1.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2812.1638 [GMT -7:00]
    Running from: c:\users\Joe\Desktop\ComboFix.exe
    AV: Norton Security Suite *Disabled/Outdated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Norton Security Suite *Disabled/Outdated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}
    c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\@
    c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n
    c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\00000001.@
    c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@
    c:\users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\800000cb.@
    c:\users\Joe\AppData\Local\assembly\tmp
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-06-29 20:46 . 2012-06-29 20:46 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-27 07:43 . 2012-06-27 19:55 -------- d-----w- c:\users\Joe\AppData\Local\CrashDumps
    2012-06-27 07:17 . 2012-06-27 07:47 -------- d-----w- c:\users\Joe\AppData\Local\NPE
    2012-06-27 02:32 . 2012-06-27 02:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2012-06-27 02:32 . 2012-06-27 02:32 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2012-06-27 02:32 . 2012-06-27 02:32 -------- d-----w- c:\program files\Symantec
    2012-06-27 02:30 . 2012-06-27 07:23 -------- d-----w- c:\windows\system32\drivers\N360
    2012-06-27 02:30 . 2012-06-27 02:30 -------- d-----w- c:\program files\Norton Security Suite
    2012-06-27 02:30 . 2012-06-27 02:30 -------- d-----w- c:\program files\NortonInstaller
    2012-06-25 06:34 . 2012-06-25 07:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-25 06:34 . 2012-06-25 06:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-06-23 01:51 . 2012-06-23 01:51 -------- d-----w- c:\programdata\IsolatedStorage
    2012-06-23 01:51 . 2012-06-23 01:55 -------- d-----w- c:\users\Joe\AppData\Local\ID Vault
    2012-06-23 01:50 . 2012-06-13 21:21 104048 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.XmlSerializers.dll
    2012-06-23 01:50 . 2012-06-13 21:21 1724016 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.dll
    2012-06-23 01:50 . 2012-06-13 21:21 138864 ----a-w- c:\program files\Mozilla Firefox\CommonDotNET.dll
    2012-06-23 01:50 . 2012-06-13 21:19 8007680 ----a-w- c:\program files\Mozilla Firefox\Microsoft.mshtml.dll
    2012-06-23 01:50 . 2012-06-29 20:33 -------- d-----w- c:\users\Joe\AppData\Roaming\ID Vault
    2012-06-23 01:50 . 2011-07-05 17:24 25232 ------w- c:\windows\system32\drivers\gidv2.sys
    2012-06-23 01:50 . 2012-06-23 01:50 -------- d-----w- c:\programdata\GID
    2012-06-23 01:50 . 2012-06-23 01:50 -------- d-----w- c:\program files\SFT
    2012-06-23 01:49 . 2012-06-23 01:49 -------- d-----w- c:\program files\xfin_portal
    2012-06-23 01:49 . 2012-06-23 01:50 -------- d-----w- c:\program files\Constant Guard Protection Suite
    2012-06-23 01:49 . 2012-06-23 01:49 -------- d-----w- c:\programdata\White Sky, Inc
    2012-06-22 21:21 . 2012-06-18 10:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1272ACD0-912D-46F9-B3D1-3CEB6A47A44F}\mpengine.dll
    2012-06-22 21:11 . 2009-11-08 17:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2012-06-22 21:11 . 2009-11-08 17:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2012-06-22 21:11 . 2009-11-08 17:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2012-06-22 21:11 . 2009-11-08 17:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2012-06-22 21:11 . 2009-11-08 17:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2012-06-22 21:04 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
    2012-06-22 20:58 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
    2012-06-22 20:44 . 2011-04-29 14:54 276992 ----a-w- c:\windows\system32\schannel.dll
    2012-06-21 23:04 . 2012-06-21 23:04 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2012-06-21 23:04 . 2012-06-21 23:04 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-09 02:53 . 2011-10-04 06:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-04-06 05:34 . 2012-04-06 05:34 159232 ----a-w- c:\windows\system32\clinfo.exe
    2012-04-06 05:34 . 2012-04-06 05:34 64512 ----a-w- c:\windows\system32\OpenVideo.dll
    2012-04-06 05:33 . 2012-04-06 05:33 56320 ----a-w- c:\windows\system32\OVDecode.dll
    2012-04-06 05:32 . 2012-04-06 05:32 13007872 ----a-w- c:\windows\system32\amdocl.dll
    2012-04-06 05:32 . 2012-04-06 05:32 50176 ----a-w- c:\windows\system32\OpenCL.dll
    2012-04-04 23:18 . 2012-05-19 01:50 30592 ----a-w- c:\windows\help\OEM\scripts\PWAlertEnable.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Download"="c:\users\Joe\AppData\Local\SupportSoft\ddoctorv2\Joe\SSGet.exe" [2012-01-11 987648]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-01-08 450663]
    "DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
    "TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-12-25 1316136]
    "CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-12-25 189736]
    "TVAgent"="c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-01-21 210216]
    "UCam_Menu"="c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
    "SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2008-11-19 914224]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-10-30 210216]
    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-12-08 432432]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
    "GIDDesktop"="c:\program files\SFT\GuardedID\gidd.exe" [2011-07-05 395528]
    .
    c:\users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\aestsrv.exe [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
    2011-07-05 17:26 435976 ----a-w- c:\program files\SFT\GuardedID\GIDI.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 20:17]
    .
    2012-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 20:17]
    .
    2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3665953699-1941896604-1241948209-1000Core.job
    - c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-03 22:02]
    .
    2012-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3665953699-1941896604-1241948209-1000UA.job
    - c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-03 22:02]
    .
    2012-06-27 c:\windows\Tasks\HPCeeScheduleForJoe.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-02-14 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://xfinity.comcast.net/?cid=cgps06222012
    mStart Page = hxxp://www.comcast.net/
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    Trusted Zone: clonewarsadventures.com
    Trusted Zone: freerealms.com
    Trusted Zone: soe.com
    Trusted Zone: sony.com
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\r2qy7d6d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Norton Vulnerability Protection: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\IPSFFPlgn
    FF - Ext: XFINITYToolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - %profile%\extensions\{4b9bcce8-a70b-402a-a7e1-db96831ee26f}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    - - - - ORPHANS REMOVED - - - -
    .
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    HKCU-Run-Regedit32 - c:\windows\system32\regedit.exe
    AddRemove-14AF7854-4BCC-4E9C-927A-849E36B82DDF - c:\program files\MULTIFIT visualization tool\uninstall.exe
    AddRemove-uTorrent - c:\program files\uTorrent\uTorrent.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-29 13:47
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\6.2.1.5\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
    .
    Completion time: 2012-06-29 13:51:54
    ComboFix-quarantined-files.txt 2012-06-29 20:51
    .
    Pre-Run: 204,428,234,752 bytes free
    Post-Run: 205,073,031,168 bytes free
    .
    - - End Of File - - 1D1EB140C454C4748FF68A110DBDDFD1


    Great, thanks again. Let me know the next step when you do.

    -Joe
     
  9. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2


    **If you are using a 64bit system please use either of the following links for your download instead:
    Link 1
    Link 2

    • Right-click and Run as Administrator SystemLook.exe to run it.
    • Copy the content within the following codebox into the main textfield:
      Code:
      :filefind
      *services.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
     
  10. jhw13

    jhw13 Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    9
    Hi,

    SystemLook log posted below.

    SystemLook 30.07.11 by jpshortstuff
    Log created at 00:17 on 30/06/2012 by Joe
    Administrator - Elevation successful

    ========== filefind ==========

    Searching for "*services.exe"
    C:\Windows\erdnt\cache\services.exe --a---- 279040 bytes [20:49 29/06/2012] [02:24 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
    C:\Windows\System32\services.exe --a---- 279040 bytes [02:24 21/01/2008] [02:24 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
    C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [02:24 21/01/2008] [02:24 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C

    -= EOF =-

    Thanks again.

    -Joe
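The services.exe check above compares three copies of the same binary by size and MD5. As an added example (not part of the thread and not SystemLook's own code), here is a small parser for SystemLook's filefind output that makes that comparison automatically, using the WinSxS component-store copy as the reference; the second sample log is constructed to show what a mismatching System32 copy would look like.

```python
"""Parse a SystemLook 'filefind' log and compare every copy of a file against
the WinSxS component-store copy (added example, not part of the thread)."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Sample input: the three services.exe hits from the thread's SystemLook log.
SAMPLE_LOG = r"""SystemLook 30.07.11 by jpshortstuff
Log created at 00:17 on 30/06/2012 by Joe
Administrator - Elevation successful

========== filefind ==========

Searching for "*services.exe"
C:\Windows\erdnt\cache\services.exe --a---- 279040 bytes [20:49 29/06/2012] [02:24 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\System32\services.exe --a---- 279040 bytes [02:24 21/01/2008] [02:24 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [02:24 21/01/2008] [02:24 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C

-= EOF =-
"""

# Constructed variant: the live System32 copy has a different size, a fresh
# modification time and a placeholder hash (CAFEBABE repeated, not a real MD5),
# the pattern a patched or swapped binary would produce.
SAMPLE_LOG_TAMPERED = SAMPLE_LOG.replace(
    r"C:\Windows\System32\services.exe --a---- 279040 bytes [02:24 21/01/2008] [02:24 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C",
    r"C:\Windows\System32\services.exe --a---- 279552 bytes [03:11 27/06/2012] [02:24 21/01/2008] " + "CAFEBABE" * 4,
)

# One hit line: <path> <7 attribute flags> <size> bytes [mtime] [ctime] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-A-Za-z]{7})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass(frozen=True)
class FileHit:
    path: str
    attrs: str
    size: int
    modified: str   # "hh:mm dd/mm/yyyy" exactly as SystemLook prints it
    created: str
    md5: str


def parse_filefind(text: str) -> dict[str, list[FileHit]]:
    """Return {search pattern: [hits]} for every 'Searching for' block."""
    results: dict[str, list[FileHit]] = {}
    current: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('Searching for "') and line.endswith('"'):
            current = line[len('Searching for "'):-1]
            results[current] = []
            continue
        if current is None:
            continue
        m = LINE_RE.match(line)
        if m:
            results[current].append(FileHit(
                path=m["path"], attrs=m["attrs"], size=int(m["size"]),
                modified=m["mtime"], created=m["ctime"], md5=m["md5"].upper()))
    return results


def find_outliers(hits: list[FileHit]) -> tuple[str, list[FileHit]]:
    """Pick a reference copy and return (reference_md5, copies that differ).

    Assumption: the WinSxS component-store copy is the reference when present
    (a rootkit could tamper with it too, so this is a first check, not proof);
    with no WinSxS copy listed the majority hash is used instead.
    """
    if not hits:
        return "", []
    ref = next((h for h in hits if "\\winsxs\\" in h.path.lower()), None)
    if ref is None:
        ref_md5 = Counter(h.md5 for h in hits).most_common(1)[0][0]
        ref = next(h for h in hits if h.md5 == ref_md5)
    return ref.md5, [h for h in hits if h.md5 != ref.md5 or h.size != ref.size]


def report(text: str) -> dict[str, list[str]]:
    """Map each search pattern to the paths whose copy should be examined."""
    return {pattern: [h.path for h in find_outliers(hits)[1]]
            for pattern, hits in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, log in (("thread log", SAMPLE_LOG), ("tampered log", SAMPLE_LOG_TAMPERED)):
        for pattern, bad in report(log).items():
            verdict = "all copies agree" if not bad else "check " + ", ".join(bad)
            print(f"{name}: {pattern}: {verdict}")
```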
     
  11. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,
    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      DDS::
      BHO: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
      TB: vShare Plugin: {043c5167-00bb-4324-af7e-62013faedacf} - c:\program files\vshare\vshare_toolbar.dll
      TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
      TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
      uRun: [Regedit32] c:\windows\system32\regedit.exe
      Handler: vsharechrome - {3F3A4B8A-86FC-43A4-BB00-6D7EBE9D4484} - c:\program files\vshare\vshare_toolbar.dll
      Trusted Zone: clonewarsadventures.com
      Trusted Zone: freerealms.com
      Trusted Zone: soe.com
      Trusted Zone: sony.com
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
     
  12. jhw13

    jhw13 Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    9
    Hello,

    Below is the log from the script I ran through ComboFix.


    ComboFix 12-06-28.03 - Joe 06/30/2012 17:54:48.2.2 - x86
    Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2812.1497 [GMT -7:00]
    Running from: c:\users\Joe\Desktop\ComboFix.exe
    Command switches used :: c:\users\Joe\Desktop\CFScript.txt
    AV: Norton Security Suite *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
    FW: Norton Security Suite *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
    SP: Norton Security Suite *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
    SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-06-01 to 2012-07-01 )))))))))))))))))))))))))))))))
    .
    .
    2012-07-01 01:04 . 2012-07-01 01:04 -------- d-----w- c:\users\Default\AppData\Local\temp
    2012-06-27 07:43 . 2012-07-01 00:47 -------- d-----w- c:\users\Joe\AppData\Local\CrashDumps
    2012-06-27 07:17 . 2012-06-27 07:47 -------- d-----w- c:\users\Joe\AppData\Local\NPE
    2012-06-27 02:32 . 2012-06-27 02:37 -------- d-----w- c:\program files\Common Files\Symantec Shared
    2012-06-27 02:32 . 2012-06-27 02:32 141944 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
    2012-06-27 02:32 . 2012-06-27 02:32 -------- d-----w- c:\program files\Symantec
    2012-06-27 02:30 . 2012-06-27 07:23 -------- d-----w- c:\windows\system32\drivers\N360
    2012-06-27 02:30 . 2012-06-27 02:30 -------- d-----w- c:\program files\Norton Security Suite
    2012-06-27 02:30 . 2012-06-27 02:30 -------- d-----w- c:\program files\NortonInstaller
    2012-06-25 06:34 . 2012-06-25 07:29 -------- d-----w- c:\programdata\Spybot - Search & Destroy
    2012-06-25 06:34 . 2012-06-25 06:34 -------- d-----w- c:\program files\Spybot - Search & Destroy
    2012-06-23 01:51 . 2012-06-23 01:51 -------- d-----w- c:\programdata\IsolatedStorage
    2012-06-23 01:51 . 2012-06-23 01:55 -------- d-----w- c:\users\Joe\AppData\Local\ID Vault
    2012-06-23 01:50 . 2012-06-13 21:21 104048 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.XmlSerializers.dll
    2012-06-23 01:50 . 2012-06-13 21:21 1724016 ----a-w- c:\program files\Mozilla Firefox\IdVaultCore.dll
    2012-06-23 01:50 . 2012-06-13 21:21 138864 ----a-w- c:\program files\Mozilla Firefox\CommonDotNET.dll
    2012-06-23 01:50 . 2012-06-13 21:19 8007680 ----a-w- c:\program files\Mozilla Firefox\Microsoft.mshtml.dll
    2012-06-23 01:50 . 2012-07-01 00:52 -------- d-----w- c:\users\Joe\AppData\Roaming\ID Vault
    2012-06-23 01:50 . 2011-07-05 17:24 25232 ------w- c:\windows\system32\drivers\gidv2.sys
    2012-06-23 01:50 . 2012-06-23 01:50 -------- d-----w- c:\programdata\GID
    2012-06-23 01:50 . 2012-06-23 01:50 -------- d-----w- c:\program files\SFT
    2012-06-23 01:49 . 2012-06-23 01:49 -------- d-----w- c:\program files\xfin_portal
    2012-06-23 01:49 . 2012-06-23 01:50 -------- d-----w- c:\program files\Constant Guard Protection Suite
    2012-06-23 01:49 . 2012-06-23 01:49 -------- d-----w- c:\programdata\White Sky, Inc
    2012-06-22 21:21 . 2012-06-18 10:14 6762896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{1272ACD0-912D-46F9-B3D1-3CEB6A47A44F}\mpengine.dll
    2012-06-22 21:11 . 2009-11-08 17:55 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
    2012-06-22 21:11 . 2009-11-08 17:55 297808 ----a-w- c:\windows\system32\mscoree.dll
    2012-06-22 21:11 . 2009-11-08 17:55 295264 ----a-w- c:\windows\system32\PresentationHost.exe
    2012-06-22 21:11 . 2009-11-08 17:55 49472 ----a-w- c:\windows\system32\netfxperf.dll
    2012-06-22 21:11 . 2009-11-08 17:55 1130824 ----a-w- c:\windows\system32\dfshim.dll
    2012-06-22 21:04 . 2010-09-20 09:25 231936 ----a-w- c:\windows\system32\msshsq.dll
    2012-06-22 20:58 . 2011-04-20 14:47 375808 ----a-w- c:\windows\system32\winsrv.dll
    2012-06-22 20:44 . 2011-04-29 14:54 276992 ----a-w- c:\windows\system32\schannel.dll
    2012-06-21 23:04 . 2012-06-21 23:04 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
    2012-06-21 23:04 . 2012-06-21 23:04 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-04-09 02:53 . 2011-10-04 06:02 472808 ----a-w- c:\windows\system32\deployJava1.dll
    2012-04-06 05:34 . 2012-04-06 05:34 159232 ----a-w- c:\windows\system32\clinfo.exe
    2012-04-06 05:34 . 2012-04-06 05:34 64512 ----a-w- c:\windows\system32\OpenVideo.dll
    2012-04-06 05:33 . 2012-04-06 05:33 56320 ----a-w- c:\windows\system32\OVDecode.dll
    2012-04-06 05:32 . 2012-04-06 05:32 13007872 ----a-w- c:\windows\system32\amdocl.dll
    2012-04-06 05:32 . 2012-04-06 05:32 50176 ----a-w- c:\windows\system32\OpenCL.dll
    2012-04-04 23:18 . 2012-05-19 01:50 30592 ----a-w- c:\windows\help\OEM\scripts\PWAlertEnable.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
    @="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
    @="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
    @="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
    [HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
    2011-02-18 05:12 94208 ----a-w- c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
    "igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
    "ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
    "Download"="c:\users\Joe\AppData\Local\SupportSoft\ddoctorv2\Joe\SSGet.exe" [2012-01-11 987648]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1410344]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-01-08 450663]
    "DVDAgent"="c:\program files\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-11-29 1148200]
    "TSMAgent"="c:\program files\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-12-25 1316136]
    "CLMLServer for HP TouchSmart"="c:\program files\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-12-25 189736]
    "TVAgent"="c:\program files\Hewlett-Packard\Media\TV\TVAgent.exe" [2009-01-21 210216]
    "UCam_Menu"="c:\program files\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe" [2008-11-15 218408]
    "SmartMenu"="c:\program files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [2008-11-19 914224]
    "UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-11-26 210216]
    "QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-10-10 206128]
    "UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-10-30 210216]
    "UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
    "HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
    "HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
    "WirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-12-08 432432]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
    "ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
    "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-04-06 641664]
    "GIDDesktop"="c:\program files\SFT\GuardedID\gidd.exe" [2011-07-05 395528]
    .
    c:\users\Joe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
    Dropbox.lnk - c:\users\Joe\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
    OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
    .
    c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
    Constant Guard.lnk - c:\program files\Constant Guard Protection Suite\IDVault.exe [2012-6-13 6534768]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "EnableUIADesktopToggle"= 0 (0x0)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_c92065b9\aestsrv.exe [x]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - EraserUtilDrv11210
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg]
    2011-07-05 17:26 435976 ----a-w- c:\program files\SFT\GuardedID\GIDI.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 20:17]
    .
    2012-07-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-06-25 20:17]
    .
    2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3665953699-1941896604-1241948209-1000Core.job
    - c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-03 22:02]
    .
    2012-06-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3665953699-1941896604-1241948209-1000UA.job
    - c:\users\Joe\AppData\Local\Google\Update\GoogleUpdate.exe [2010-01-03 22:02]
    .
    2012-06-27 c:\windows\Tasks\HPCeeScheduleForJoe.job
    - c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2009-02-14 19:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://xfinity.comcast.net/?cid=cgps06222012
    mStart Page = hxxp://www.comcast.net/
    mWindow Title = Windows Internet Explorer provided by Comcast
    uInternet Settings,ProxyOverride = *.local
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
    TCP: DhcpNameServer = 192.168.1.1
    FF - ProfilePath - c:\users\Joe\AppData\Roaming\Mozilla\Firefox\Profiles\r2qy7d6d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: Skype extension for Firefox: {AB2CE124-6272-4b12-94A9-7303C7397BD1} - c:\program files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Norton Vulnerability Protection: {BBDA0591-3099-440a-AA10-41764D9DB4DB} - c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_6.0.0.145\IPSFFPlgn
    FF - Ext: XFINITYToolbar: {4b9bcce8-a70b-402a-a7e1-db96831ee26f} - %profile%\extensions\{4b9bcce8-a70b-402a-a7e1-db96831ee26f}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-06-30 18:05
    Windows 6.0.6001 Service Pack 1 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\N360]
    "ImagePath"="\"c:\program files\Norton Security Suite\Engine\6.2.1.5\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\6.2.1.5\diMaster.dll\" /prefetch:1"
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{55662437-DA8C-40c0-AADA-2C816A897A49}]
    "ImagePath"="\??\c:\program files\Hewlett-Packard\Media\DVD\000.fcl"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(5988)
    c:\windows\system32\GIDHook.dll
    c:\windows\system32\GIDBIN1.dll
    c:\windows\system32\EasyHook32.dll
    c:\users\Joe\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
    .
    Completion time: 2012-06-30 18:08:56
    ComboFix-quarantined-files.txt 2012-07-01 01:08
    ComboFix2.txt 2012-06-29 20:51
    .
    Pre-Run: 208,135,876,608 bytes free
    Post-Run: 208,032,440,320 bytes free
    .
    - - End Of File - - 0EA7C7FA0490F0713A8B0F8EC04EAFF9


    Awesome.

    -Joe
     
  13. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    Looking better.

    Please download Malwarebytes' Anti-Malware to your desktop.

    • Right-click and Run as Administrator mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform quick scan, then click Scan as shown below.

    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.


    The log can also be found here:
    C:\Documents and Settings\<User name>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
    ----------

    Please run a free online scan with the ESET Online Scanner
    Note: You will need to use Internet Explorer for this scan
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install
    • Click Start
    • Make sure that the options Remove found threats is NOT selected and the option Scan unwanted applications is selected.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, you may close the window
    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
    • Copy and paste that log as a reply to this topic
    ----------

    In your next reply please post the logs made by Malwarebytes and ESET online scanner. :)
     
  14. jhw13

    jhw13 Thread Starter

    Joined:
    Jun 27, 2012
    Messages:
    9
    Alright, got those two scans finished. Below is the MalwareBytes log and the ESET Scan log.

    I. MalwareBytes Scan log

    Malwarebytes Anti-Malware 1.61.0.1400
    www.malwarebytes.org

    Database version: v2012.07.01.07

    Windows Vista Service Pack 1 x86 NTFS
    Internet Explorer 7.0.6001.18000
    Joe :: COMPUTER [administrator]

    7/1/2012 11:35:53 AM
    mbam-log-2012-07-01 (11-35-53).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 212825
    Time elapsed: 8 minute(s), 36 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)


    II. ESET Scan Log
    NOTE: I did not find a log in the Program Files/ESET folder, so I exported the scan results to a text file. Should be the same. If not, let me know and I can dig deeper to get the proper log.


    C:\Qoobox\Quarantine\C\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n.vir Win32/Sirefef.EV trojan
    C:\Qoobox\Quarantine\C\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan
    C:\Qoobox\Quarantine\C\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\800000cb.@.vir probably a variant of Win32/Agent.TEO trojan
    C:\Users\Joe\AppData\Roaming\65FE5BB0BCB7AE43DEFB65CF6138FB78\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
    C:\Users\Joe\Desktop\assorted intellectual interests - recent\Counter-Strike\cstrike\cl_dlls\GameUI.dll Win32/SuspLibLoad.A trojan

    END log


    Awesome, thanks again. How do you think it's looking, cleanup wise?

    -Joe
     
  15. jeffce

    jeffce Malware Specialist

    Joined:
    May 10, 2011
    Messages:
    1,727
    Hi,

    The logs are looking better. :) Run the following instructions and then let me know how your system is running.

    • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
      Code:
      ClearJavaCache::
      
      File::
      C:\Users\Joe\AppData\Roaming\65FE5BB0BCB7AE43DEFB65CF6138FB78\enemies-names.txt
      C:\Users\Joe\Desktop\assorted intellectual interests - recent\Counter-Strike\cstrike\cl_dlls\GameUI.dll
      
    • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
    • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    ----------
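As an added example (not the thread's own tooling), the sorting the specialist does between the ESET findings in post 14 and the File:: block in post 15: paths under C:\Qoobox\Quarantine are ComboFix's own quarantine from the earlier runs, so only the two still-live paths belong in the draft script. The list of ESET category words in the regex is an assumption that goes beyond the five lines in the log.

```python
"""Sort an ESET Online Scanner export into 'already quarantined by ComboFix'
and 'still live', and draft the File:: section of a CFScript for the latter
(added example, not the thread's own tooling)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# The five findings exactly as exported in post 14.
ESET_EXPORT = r"""C:\Qoobox\Quarantine\C\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\n.vir Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\Users\Joe\AppData\Local\{ff24043d-55f8-5ce9-a20a-8337d9b4b888}\U\800000cb.@.vir probably a variant of Win32/Agent.TEO trojan
C:\Users\Joe\AppData\Roaming\65FE5BB0BCB7AE43DEFB65CF6138FB78\enemies-names.txt Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Users\Joe\Desktop\assorted intellectual interests - recent\Counter-Strike\cstrike\cl_dlls\GameUI.dll Win32/SuspLibLoad.A trojan
"""

# ComboFix moves what it removes under this folder (renamed with a .vir
# extension); a later scanner still sees the bytes there and reports them.
COMBOFIX_QUARANTINE = "c:\\qoobox\\quarantine\\"

# Detection text = optional qualifier + "<platform>/<family>" + a category word.
# Assumption: the category list below covers the common ESET names.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<detection>(?:probably a variant of |a variant of )?"
    r"[A-Za-z0-9]+/\S+ (?:trojan|application|potentially unwanted application|"
    r"potentially unsafe application|worm|virus|backdoor|adware))$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    detection: str

    @property
    def quarantined(self) -> bool:
        """True when the hit is a copy already isolated by ComboFix."""
        return self.path.lower().startswith(COMBOFIX_QUARANTINE)


def parse_eset_export(text: str) -> list[Finding]:
    """Parse one finding per non-empty line; an unrecognised line raises."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised ESET line: {line!r}")
        findings.append(Finding(m["path"], m["detection"]))
    return findings


def live_findings(findings: list[Finding]) -> list[Finding]:
    """Findings that point at files still in place on the system."""
    return [f for f in findings if not f.quarantined]


def build_cfscript(findings: list[Finding]) -> str:
    """Draft the File:: block the specialist wrote by hand in post 15.

    Only live paths go in; the quarantined copies are already out of the way.
    The draft is a starting point for the helper's own review of each path.
    """
    live = live_findings(findings)
    if not live:
        return ""
    return "File::\n" + "\n".join(f.path for f in live) + "\n"


if __name__ == "__main__":
    found = parse_eset_export(ESET_EXPORT)
    for f in found:
        print(("quarantined" if f.quarantined else "LIVE").ljust(12), f.detection)
    print(build_cfscript(found), end="")
```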
     
Short URL to this thread: https://techguy.org/1058844