Bloodhound exploit 196 problem..

Dell / XPS 410
December 31, 2008 at 19:32:54
Specs: Windows Vista, E6700 4GB
Symantec is very slow and buggy for me...I don't know if that signifies or means anything.but there's generally a delay whenever I click anything in it or attempt to use it, and it'll say (Not responding) from 5s to 2 min.

Anyway on to the main problem. Auto protect always quarantines temp files and says the risk is "Bloodhound.exploit.196". Generally IE is open when this happens and it doesn't matter what pages I'm surfing. (I'm on things like espn.com or computing.net, so I don't think the actual threats are appearing from these websites). I haven't gotten any popups or redirects, but I'll get like 30 quarantined items per day for the past 2-3 weeks. I'm worried something is wrong.

I have HiJackThis Log and will gladly post it upon request.

edited by moderator: HJT Log deleted


See More: Bloodhound exploit 196 problem..

Report •


#1
January 1, 2009 at 08:32:42
Please download Malwarebytes' Anti-Malware from one of these sites:

MalwareBytes1

MalwareBytes2

1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.


Please download and install the latest version of HijackThis v2.0.2:


Download the "HijackThis" Installer from this link:
Hijack This


1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.


Report •

#2
January 2, 2009 at 06:12:02
Malwarebytes' Anti-Malware 1.31
Database version: 1596
Windows 6.0.6001 Service Pack 1

1/2/2009 9:24:38 AM
mbam-log-2009-01-02 (09-24-38).txt

Scan type: Quick Scan
Objects scanned: 75397
Time elapsed: 10 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Report •

#3
January 2, 2009 at 06:26:19
When I run hijack this it says "For some reason your system denied access to writing on the hosts file...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:25:31 AM, on 1/2/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Logitech\SetPoint\LBTWiz.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Winamp\winampa.exe
C:\Windows\System32\Ctxfihlp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Windows\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
C:\Program Files\Winamp\winamp.exe
C:\Windows\explorer.exe
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\DC++\DCPlusPlus.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\user\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Bluetooth Connection Assistant] LBTWIZ.EXE -silent
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite...
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls...
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls...
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/Drive...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/g...
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PostgreSQL Database Server 8.2 (pgsql-8.2) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.2\bin\pg_ctl.exe
O23 - Service: Serv-U FTP Server (Serv-U) - Rhino Software, Inc. +1(262) 560-9627 - C:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Network Access Control (SNAC) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 9074 bytes


Report •

Related Solutions

#4
January 2, 2009 at 10:19:24
Please download ComboFix to the desktop from one of the following links:

Link1

Link 2

Link 3

Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

In your case to run Combofix do the following:
1. Go offline turn off your Nortons antivirus, Windows Defender and any other antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.


Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.


Report •

#5
January 2, 2009 at 12:15:16
hmm I ran combofix from safe mode...please let me know if that was not ok. Here's hte log

ComboFix 09-01-01.02 - user 2009-01-02 14:59:03.1 - NTFSx86 MINIMAL
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3069.2614 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\user\AppData\Local\Temp\tmp1.tmp

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Serv-U


((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 19:55 --------- d-----w c:\users\user\AppData\Roaming\uTorrent
2009-01-02 16:35 --------- d-----w c:\progra~2\Google Updater
2009-01-02 14:13 --------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-01-02 14:08 --------- d---a-w c:\program files\Cake Poker
2009-01-01 04:10 --------- d-----w c:\program files\UltimateBet
2009-01-01 03:17 --------- d-----w c:\program files\Java
2009-01-01 03:11 --------- d-----w c:\program files\Common Files\Adobe
2008-12-27 03:41 --------- d-----w c:\program files\Microsoft Silverlight
2008-12-15 00:50 --------- d-----w c:\users\user\AppData\Roaming\Malwarebytes
2008-12-15 00:49 --------- d-----w c:\progra~2\Malwarebytes
2008-12-10 08:13 --------- d-----w c:\program files\Windows Mail
2008-12-10 08:08 --------- d-----w c:\progra~2\Microsoft Help
2008-12-06 20:32 --------- d-----w c:\program files\Full Tilt Poker
2008-12-04 00:59 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-04 00:59 15,504 ----a-w c:\windows\system32\drivers\mbam.sys
2008-11-30 18:17 --------- d-----w c:\users\user\AppData\Roaming\mIRC
2008-11-30 18:16 --------- d-----w c:\program files\mIRC
2008-11-30 18:10 --------- d-----w c:\program files\CCleaner
2008-11-20 04:21 --------- d-----w c:\progra~2\CheckPoint
2008-11-14 20:32 --------- d-----w c:\program files\Winamp
2008-11-10 10:43 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 28,672 ----a-w c:\windows\System32\Apphlpdm.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-11-01 01:21 4,240,384 ----a-w c:\windows\System32\GameUXLegacyGDFs.dll
2008-10-29 06:29 2,927,104 ----a-w c:\windows\explorer.exe
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-22 01:22 2,048 ----a-w c:\windows\System32\tzres.dll
2008-10-21 05:25 296,960 ----a-w c:\windows\System32\gdi32.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 19:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 18:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-10-16 04:47 827,392 ----a-w c:\windows\System32\wininet.dll
2008-06-26 22:26 174 --sha-w c:\program files\desktop.ini
2008-08-12 09:38 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-07 68856]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-02-12 21898024]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-08 270128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-12-06 180224]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-10-03 115560]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-12 29744]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-06 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-21 c:\windows\System32\Ctxfihlp.exe]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-15 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F1863605-B4B0-4FCB-A3BF-B3588E78AAD6}"= UDP:c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{A5811297-5144-4BDC-9E40-41F64C343DBB}"= TCP:c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{96F16830-3804-43EA-8445-09E3F4E29753}"= UDP:c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service
"{6A611C61-7D0C-49E6-AED8-54BD0B274B85}"= TCP:c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service
"{53EA7797-0557-4589-93DC-800E3A81F522}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{25C8C01F-D028-461C-B7E7-5D8BEA58E722}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{331D894E-E042-4CCC-B410-ED3D0B846B03}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{E48B02ED-78EF-4D8E-B215-4586579F35B5}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"TCP Query User{595AD98D-85D4-4712-80D9-2814DBD9829A}c:\\program files\\dc++\\dcplusplus.exe"= UDP:c:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{051945D4-9AB9-43F2-A4EA-D0AA11998102}c:\\program files\\dc++\\dcplusplus.exe"= TCP:c:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{1D97FFF9-AF8C-4427-AA79-4BEBE2CBE412}c:\\program files\\aim\\aim.exe"= UDP:c:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{51466A74-B5C4-4819-9947-C1976BCF26B7}c:\\program files\\aim\\aim.exe"= TCP:c:\program files\aim\aim.exe:AOL Instant Messenger
"{667B1420-54EF-4DF6-887B-FC67CE92FFF0}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{ED6E8000-29FD-45D3-89C4-48C9DA4A2350}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3D1CE2A6-7CB0-49EB-93C1-A389DC5B412A}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{1BE4CBF9-561B-427B-A63D-B997FEABE07F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FDC061BA-EA64-4DED-8021-30D48DDF4FDD}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{7F1021AD-2C28-4E4F-AACF-5E9386BAA167}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{7F643E2B-69E9-4D28-B7BA-ECD6993D5BF6}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{4C9E555F-0446-44BE-9A69-241B6500E3EE}"= UDP:c:\program files\RhinoSoft.com\Serv-U\ServUDaemon.exe:Serv-U FTP Server
"{BE120433-4636-4114-AAF0-2AE28B9DCEA2}"= TCP:c:\program files\RhinoSoft.com\Serv-U\ServUDaemon.exe:Serv-U FTP Server
"TCP Query User{DAEEB136-E0FF-40CD-A3B2-1B5BB4EEF227}c:\\program files\\dc++\\dcplusplus.exe"= UDP:c:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{BD415AF3-C753-45B9-B0DD-1B171152B6FD}c:\\program files\\dc++\\dcplusplus.exe"= TCP:c:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{AB1508C4-56C1-493B-A277-76DF994AA03F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{93573373-A240-4813-91C5-C722F56B2C8D}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{476AD839-2FA8-4D66-9B45-571C0DC09C37}c:\\program files\\aim\\aim.exe"= UDP:c:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{28F99735-F83A-4A95-85C5-BD1BE16DD369}c:\\program files\\aim\\aim.exe"= TCP:c:\program files\aim\aim.exe:AOL Instant Messenger
"{7087A2A8-5CC6-4F49-94C5-803DAB2EBB12}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{52ED5CCF-14A1-4E1C-97C6-71346686CD2A}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{9134A727-FFA5-4361-9E7A-132740601F44}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{3951CE8C-45C0-44BB-A10D-67B8E0CC6A5C}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

R2 pgsql-8.2;PostgreSQL Database Server 8.2;"c:\program files\PostgreSQL\8.2\bin\pg_ctl.exe" runservice -w -N "pgsql-8.2" -D "c:\program files\PostgreSQL\8.2\data\" []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-29 99376]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-10-03 23888]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-07 29744]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Bluetooth Connection Assistant - LBTWIZ.EXE
SafeBoot-Symantec Antvirus


.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ekzkmo4d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 15:07:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"

[HKEY_USERS\.Default\CMI-CreateHive{274AB9BD-5778-42E7-84B9-863B8D8DF87A}\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="FirefoxHTML"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(572)
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll

- - - - - - - > 'Explorer.exe'(1684)
c:\program files\Logitech\SetPoint\IMHook.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
c:\program files\google\googletoolbar1.dll
.
r Running Proce
.
c:\windows\System32\nvvsvc.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\rundll32.exe
c:\program files\Common Files\Logishrd\Bluetooth\LBTServ.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\PostgreSQL\8.2\bin\pg_ctl.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\program files\PostgreSQL\8.2\bin\postgres.exe
c:\program files\PostgreSQL\8.2\bin\postgres.exe
c:\windows\System32\WUDFHost.exe
c:\program files\PostgreSQL\8.2\bin\postgres.exe
c:\program files\PostgreSQL\8.2\bin\postgres.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
c:\program files\Logitech\SetPoint\LBTWiz.exe
c:\windows\System32\rundll32.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\System32\CTxfispi.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\windows\System32\wbem\WMIADAP.exe
.
**************************************************************************
.
Completion time: 2009-01-02 15:12:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-02 20:12:23

Pre-Run: The system cannot find message text for message number 0x2379 in the message file for Application.
Post-Run: 159,547,953,152 bytes free

229 --- E O F --- 2009-01-01 22:09:07


Report •

#6
January 2, 2009 at 12:30:49
Ran combofix in normal mode with all other software off, here is the log

ComboFix 09-01-01.02 - user 2009-01-02 15:25:48.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3069.1845 [GMT -5:00]
Running from: c:\users\user\Desktop\ComboFix.exe
AV: Symantec Endpoint Protection *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2008-12-02 to 2009-01-02 )))))))))))))))))))))))))))))))
.

2009-01-02 09:13 . 2009-01-02 09:13 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 09:13 . 2008-12-03 19:59 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-01-02 09:13 . 2008-12-03 19:59 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2008-12-26 22:41 . 2008-12-26 22:41 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-12-14 19:50 . 2008-12-14 19:50 <DIR> d-------- c:\users\user\AppData\Roaming\Malwarebytes
2008-12-14 19:49 . 2008-12-14 19:49 <DIR> d-------- c:\users\All Users\Malwarebytes
2008-12-14 19:49 . 2008-12-14 19:49 <DIR> d-------- c:\progra~2\Malwarebytes
2008-12-10 03:04 . 2008-10-21 20:22 2,048 --a------ c:\windows\System32\tzres.dll
2008-12-09 18:45 . 2008-10-31 20:21 4,240,384 --a------ c:\windows\System32\GameUXLegacyGDFs.dll
2008-12-09 18:45 . 2008-06-22 20:59 2,868,736 --a------ c:\windows\System32\mf.dll
2008-12-09 18:45 . 2008-06-22 20:59 996,352 --a------ c:\windows\System32\WMNetMgr.dll
2008-12-09 18:45 . 2008-06-22 20:58 94,720 --a------ c:\windows\System32\logagent.exe
2008-12-09 18:45 . 2008-10-31 22:44 28,672 --a------ c:\windows\System32\Apphlpdm.dll
2008-12-09 17:29 . 2008-10-15 23:47 827,392 --a------ c:\windows\System32\wininet.dll
2008-12-09 15:41 . 2008-10-21 00:25 296,960 --a------ c:\windows\System32\gdi32.dll
2008-12-09 14:51 . 2008-10-29 01:29 2,927,104 --a------ c:\windows\explorer.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-02 20:23 --------- d-----w c:\users\user\AppData\Roaming\uTorrent
2009-01-02 16:35 --------- d-----w c:\progra~2\Google Updater
2009-01-02 14:08 --------- d---a-w c:\program files\Cake Poker
2009-01-01 04:10 --------- d-----w c:\program files\UltimateBet
2009-01-01 03:17 --------- d-----w c:\program files\Java
2009-01-01 03:11 --------- d-----w c:\program files\Common Files\Adobe
2008-12-10 08:13 --------- d-----w c:\program files\Windows Mail
2008-12-10 08:08 --------- d-----w c:\progra~2\Microsoft Help
2008-12-06 20:32 --------- d-----w c:\program files\Full Tilt Poker
2008-11-30 18:17 --------- d-----w c:\users\user\AppData\Roaming\mIRC
2008-11-30 18:16 --------- d-----w c:\program files\mIRC
2008-11-30 18:10 --------- d-----w c:\program files\CCleaner
2008-11-20 04:21 --------- d-----w c:\progra~2\CheckPoint
2008-11-14 20:32 --------- d-----w c:\program files\Winamp
2008-11-10 10:43 410,984 ----a-w c:\windows\System32\deploytk.dll
2008-11-01 03:44 541,696 ----a-w c:\windows\AppPatch\AcLayers.dll
2008-11-01 03:44 52,736 ----a-w c:\windows\AppPatch\iebrshim.dll
2008-11-01 03:44 460,288 ----a-w c:\windows\AppPatch\AcSpecfc.dll
2008-11-01 03:44 2,154,496 ----a-w c:\windows\AppPatch\AcGenral.dll
2008-11-01 03:44 173,056 ----a-w c:\windows\AppPatch\AcXtrnal.dll
2008-10-22 03:57 241,152 ----a-w c:\windows\System32\PortableDeviceApi.dll
2008-10-21 05:25 1,645,568 ----a-w c:\windows\System32\connect.dll
2008-10-16 21:13 1,809,944 ----a-w c:\windows\System32\wuaueng.dll
2008-10-16 21:12 561,688 ----a-w c:\windows\System32\wuapi.dll
2008-10-16 21:09 51,224 ----a-w c:\windows\System32\wuauclt.exe
2008-10-16 21:09 43,544 ----a-w c:\windows\System32\wups2.dll
2008-10-16 21:08 34,328 ----a-w c:\windows\System32\wups.dll
2008-10-16 20:56 1,524,736 ----a-w c:\windows\System32\wucltux.dll
2008-10-16 20:55 83,456 ----a-w c:\windows\System32\wudriver.dll
2008-10-16 19:08 162,064 ----a-w c:\windows\System32\wuwebv.dll
2008-10-16 18:56 31,232 ----a-w c:\windows\System32\wuapp.exe
2008-06-26 22:26 174 --sha-w c:\program files\desktop.ini
2008-08-12 09:38 122,880 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.

((((((((((((((((((((((((((((( snapshot@2009-01-02_15.11.52.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-02 20:06:09 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-01-02 20:06:09 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-01-02 20:06:42 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2009-01-02 20:08:34 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2009-01-02 19:52:26 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-01-02 20:22:56 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-01-02 19:52:26 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-02 20:22:56 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-01-02 19:52:26 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-01-02 20:22:56 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-01-02 20:04:05 100,766 ----a-w c:\windows\System32\perfc009.dat
+ 2009-01-02 20:13:11 101,144 ----a-w c:\windows\System32\perfc009.dat
- 2009-01-02 20:04:06 100,766 ----a-w c:\windows\System32\perfc011.dat
+ 2009-01-02 20:13:11 101,144 ----a-w c:\windows\System32\perfc011.dat
- 2009-01-02 20:04:06 594,698 ----a-w c:\windows\System32\perfh009.dat
+ 2009-01-02 20:13:11 595,446 ----a-w c:\windows\System32\perfh009.dat
- 2009-01-02 20:04:06 381,086 ----a-w c:\windows\System32\perfh011.dat
+ 2009-01-02 20:13:11 381,834 ----a-w c:\windows\System32\perfh011.dat
- 2009-01-02 20:04:06 100,598 ----a-w c:\windows\System32\prfc0804.dat
+ 2009-01-02 20:13:11 100,976 ----a-w c:\windows\System32\prfc0804.dat
- 2009-01-02 20:04:06 325,040 ----a-w c:\windows\System32\prfh0804.dat
+ 2009-01-02 20:13:11 325,788 ----a-w c:\windows\System32\prfh0804.dat
- 2009-01-01 03:08:57 9,754 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2272909700-1240342329-3918503542-1000_UserData.bin
+ 2009-01-02 20:08:27 9,906 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2272909700-1240342329-3918503542-1000_UserData.bin
- 2009-01-01 03:08:56 76,084 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-01-02 20:08:27 76,262 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2009-01-01 03:08:52 37,436 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-01-02 20:08:15 37,436 ----a-w c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-07 68856]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2008-02-12 21898024]
"AIM"="c:\program files\AIM\aim.exe" [2006-08-01 67112]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-08 270128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" [2006-12-06 180224]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-10-03 115560]
"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-08-12 29744]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2008-04-01 36352]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-11-06 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8530464]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-06 81920]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2008-02-29 c:\windows\KHALMNPR.Exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2008-02-21 c:\windows\System32\Ctxfihlp.exe]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-10-15 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{F1863605-B4B0-4FCB-A3BF-B3588E78AAD6}"= UDP:c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{A5811297-5144-4BDC-9E40-41F64C343DBB}"= TCP:c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe:SMC Service
"{96F16830-3804-43EA-8445-09E3F4E29753}"= UDP:c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service
"{6A611C61-7D0C-49E6-AED8-54BD0B274B85}"= TCP:c:\program files\Symantec\Symantec Endpoint Protection\SNAC.EXE:SNAC Service
"{53EA7797-0557-4589-93DC-800E3A81F522}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{25C8C01F-D028-461C-B7E7-5D8BEA58E722}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{331D894E-E042-4CCC-B410-ED3D0B846B03}"= UDP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"{E48B02ED-78EF-4D8E-B215-4586579F35B5}"= TCP:c:\program files\Google\Google Talk\googletalk.exe:Google Talk
"TCP Query User{595AD98D-85D4-4712-80D9-2814DBD9829A}c:\\program files\\dc++\\dcplusplus.exe"= UDP:c:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{051945D4-9AB9-43F2-A4EA-D0AA11998102}c:\\program files\\dc++\\dcplusplus.exe"= TCP:c:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{1D97FFF9-AF8C-4427-AA79-4BEBE2CBE412}c:\\program files\\aim\\aim.exe"= UDP:c:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{51466A74-B5C4-4819-9947-C1976BCF26B7}c:\\program files\\aim\\aim.exe"= TCP:c:\program files\aim\aim.exe:AOL Instant Messenger
"{667B1420-54EF-4DF6-887B-FC67CE92FFF0}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{ED6E8000-29FD-45D3-89C4-48C9DA4A2350}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{3D1CE2A6-7CB0-49EB-93C1-A389DC5B412A}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{1BE4CBF9-561B-427B-A63D-B997FEABE07F}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FDC061BA-EA64-4DED-8021-30D48DDF4FDD}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{7F1021AD-2C28-4E4F-AACF-5E9386BAA167}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{7F643E2B-69E9-4D28-B7BA-ECD6993D5BF6}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{4C9E555F-0446-44BE-9A69-241B6500E3EE}"= UDP:c:\program files\RhinoSoft.com\Serv-U\ServUDaemon.exe:Serv-U FTP Server
"{BE120433-4636-4114-AAF0-2AE28B9DCEA2}"= TCP:c:\program files\RhinoSoft.com\Serv-U\ServUDaemon.exe:Serv-U FTP Server
"TCP Query User{DAEEB136-E0FF-40CD-A3B2-1B5BB4EEF227}c:\\program files\\dc++\\dcplusplus.exe"= UDP:c:\program files\dc++\dcplusplus.exe:DC++
"UDP Query User{BD415AF3-C753-45B9-B0DD-1B171152B6FD}c:\\program files\\dc++\\dcplusplus.exe"= TCP:c:\program files\dc++\dcplusplus.exe:DC++
"TCP Query User{AB1508C4-56C1-493B-A277-76DF994AA03F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{93573373-A240-4813-91C5-C722F56B2C8D}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{476AD839-2FA8-4D66-9B45-571C0DC09C37}c:\\program files\\aim\\aim.exe"= UDP:c:\program files\aim\aim.exe:AOL Instant Messenger
"UDP Query User{28F99735-F83A-4A95-85C5-BD1BE16DD369}c:\\program files\\aim\\aim.exe"= TCP:c:\program files\aim\aim.exe:AOL Instant Messenger
"{7087A2A8-5CC6-4F49-94C5-803DAB2EBB12}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{52ED5CCF-14A1-4E1C-97C6-71346686CD2A}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"TCP Query User{9134A727-FFA5-4361-9E7A-132740601F44}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{3951CE8C-45C0-44BB-A10D-67B8E0CC6A5C}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

R2 pgsql-8.2;PostgreSQL Database Server 8.2;"c:\program files\PostgreSQL\8.2\bin\pg_ctl.exe" runservice -w -N "pgsql-8.2" -D "c:\program files\PostgreSQL\8.2\data\" []
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;\??\c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-11-29 99376]
S3 COH_Mon;COH_Mon;\??\c:\windows\system32\Drivers\COH_Mon.sys [2007-10-03 23888]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;"c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-07 29744]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ekzkmo4d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-02 15:27:15
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTxfiHlp = CTXFIHLP.EXE?

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(572)
c:\program files\Symantec\Symantec Endpoint Protection\SnacNp.dll
.
Completion time: 2009-01-02 15:28:26
ComboFix-quarantined-files.txt 2009-01-02 20:28:06
ComboFix2.txt 2009-01-02 20:12:39

Pre-Run: 158,711,451,648 bytes free
Post-Run: 158,673,551,360 bytes free

206 --- E O F --- 2009-01-01 22:09:07


Report •

#7
January 2, 2009 at 19:56:22
Empty the restore folder. Go to start>control panel>system>system restore tab>check the box beside "turn off system restore>apply (takes a minute)>ok. Go back and uncheck the box to turn system restore back on>apply>ok.


Download ATF Cleaner from this link:
http://www.majorgeeks.com/ATF_Cleaner_d4949.html
Run ATF-Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Run an online scan with Kaspersky from the following link:
Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

1. Click Accept, when prompted to download and install the program files and database of malware definitions.
2. Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
3.Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
4. Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
5. Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
6. Click View scan report at the bottom.
7. Click the Save Report As... button.
8. Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs.
Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Report •


Ask Question